nichts/modules/system/os/networking/firewall.mod.nix

{
  config,
  lib,
  pkgs,
  ...
}: {
  networking = {
    # use nftables over iptables
    nftables.enable = true;

    firewall = {
      enable = true;
      allowPing = true;
      logReversePathDrops = true;
    };
  };
}