diff --git a/home/.config/alacritty/alacritty.yml b/home/.config/alacritty/alacritty.yml
index e89a9dc..8bf0d68 100644
--- a/home/.config/alacritty/alacritty.yml
+++ b/home/.config/alacritty/alacritty.yml
@@ -2,6 +2,7 @@
 
 env:
   TERM: alacritty
+  # TERM: xterm-256color
 
 window:
   padding:
diff --git a/system/etc/nftables.conf b/system/etc/nftables.conf
index ec468b6..5ec2296 100644
--- a/system/etc/nftables.conf
+++ b/system/etc/nftables.conf
@@ -1,19 +1,31 @@
 #!/sbin/nft -f
 
+# --------------------------------------------------------------------------------- #
+
 # References:
 # https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
 # https://wiki.gentoo.org/wiki/Nftables/Examples
 # https://wiki.archlinux.org/title/Nftables
 # https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
 # https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf
+# https://xdeb.org/post/2019/09/26/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/
 
 # Libvirt:
 # https://libvirt.org/firewall.html
 
+# Notes:
+# - "limit" rules need to be put before "established" connections
+# - use sets for groups of things (eg. IP, ports, ...)
+# - explicitly allow IPv6 ICMP if do not have "policy accept" on the outgoing chain
+# - hook order: ingress -> prerouting -> input/output/forward -> postrouting
+# - "iif" should be use when possible (for persistent interfaces) since it is faster than "iifname"
+
+# --------------------------------------------------------------------------------- #
+
 flush ruleset
 
 # TCP ports to accept (both IPv4 and IPv6)
-#define ACCEPT_TCP_PORTS = {}
+#define ACCEPT_TCP_PORTS = { 80, 443, 1965 }
 
 # UDP ports to accept (both IPv4 and IPv6)
 #define ACCEPT_UDP_PORTS = {}
@@ -38,23 +50,15 @@ table inet filter {
 	chain input {
 		type filter hook input priority 0; policy drop;
 
+		# Drop invalid packets early
 		ct state invalid counter drop
-		ct state { established, related } counter accept
-		ct status dnat accept
 
-		iif lo accept
-		iif != lo ip daddr 127.0.0.1/8 counter drop
-		iif != lo ip6 daddr ::1/128 counter drop
-
-		counter jump libvirt_input
+		# Drop none SYN packets
+		#tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
 
 		# Reject AUTH to make it fail fast
 		tcp dport 113 reject with icmpx type port-unreachable
 
-		# Accept user-defined ports
-		#tcp dport $ACCEPT_TCP_PORTS counter accept
-		#udp dport $ACCEPT_UDP_PORTS counter accept
-
 		# Rate limit on SSH port
 		#tcp dport ssh ct state new limit rate 6/minute accept
 
@@ -62,6 +66,20 @@ table inet filter {
 		ip protocol icmp icmp type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
 		ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop
 
+		ct state { established, related } counter accept
+		ct status dnat accept
+
+		# Allow loopback from host
+		iif lo accept
+		iif != lo ip daddr 127.0.0.1/8 counter drop
+		iif != lo ip6 daddr ::1/128 counter drop
+
+		counter jump libvirt_input
+
+		# Accept user-defined ports
+		#tcp dport $ACCEPT_TCP_PORTS ct state new counter accept
+		#udp dport $ACCEPT_UDP_PORTS ct state new counter accept
+
 		# Accept ICMPv4
 		ip protocol icmp icmp type {
 			echo-reply,