diff --git a/uncloud/hack/hackcloud/nftrules b/uncloud/hack/hackcloud/nftrules
index 661d91f..035b3a8 100644
--- a/uncloud/hack/hackcloud/nftrules
+++ b/uncloud/hack/hackcloud/nftrules
@@ -1,32 +1,64 @@ flush ruleset table bridge filter { - chain prerouting { - type filter hook prerouting priority 0; - policy accept; - ibrname br100 jump netpublic - } - chain netpublic { + chain prerouting { + type filter hook prerouting priority 0; + policy accept; - iifname tap1 jump vm1 + ibrname br100 jump netpublic + } - icmpv6 type {nd-router-solicit, nd-router-advert, - nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log + chain netpublic { + iifname vxlan100 jump from_uncloud - } - chain vm1 { - ether saddr != 02:00:f0:a9:c4:4e drop - } + # Default blocks: router advertisements, dhcpv6, dhcpv4 + icmpv6 type nd-router-advert drop + ip6 version 6 udp sport 547 drop + ip version 4 udp sport 67 drop + + # Individual blocks + iifname tap1 jump vm1 + } + + chain vm1 { + ether saddr != 02:00:f0:a9:c4:4e drop + ip6 saddr != 2a0a:e5c1:111:888:0:f0ff:fea9:c44e drop + } + + chain from_uncloud { + accept + } } -table ip6 filter { - chain forward { - type filter hook forward priority 0; +# table ip6 filter { +# chain forward { +# type filter hook forward priority 0; - # policy drop; +# # policy drop; - ct state established,related accept; +# ct state established,related accept; - } +# } -} +# } + +# table ip filter { +# chain input { +# type filter hook input priority filter; policy drop; +# iif "lo" accept +# icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply } accept +# ct state established,related accept +# tcp dport { 22 } accept +# log prefix "firewall-ipv4: " +# udp sport 67 drop +# } + +# chain forward { +# type filter hook forward priority filter; policy drop; +# log prefix "firewall-ipv4: " +# } + +# chain output { +# type filter hook output priority filter; policy accept; +# } +# }
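Review bot: The new `ip6 saddr != 2a0a:e5c1:111:888:0:f0ff:fea9:c44e drop` in chain vm1 also drops the guest's IPv6 packets sent from its link-local address and from the unspecified address, which is how neighbour/router solicitation, DAD and MLD are sent, so the VM most likely cannot resolve its gateway's link-local address and loses IPv6 reachability even though it keeps the right global address. The permitted sources should be a set, e.g. `ip6 saddr != { ::, fe80::f0ff:fea9:c44e, 2a0a:e5c1:111:888:0:f0ff:fea9:c44e } drop` (the fe80 entry is the EUI-64 link-local derived from the permitted MAC, matching the interface identifier already used in the global address; confirm the guest does not use privacy or stable-privacy addresses, which would need their own entries). Since `accept` in from_uncloud is a terminal verdict, traffic arriving on vxlan100 skips the "Default blocks" rules that follow the jump in netpublic; that looks intended (the uncloud side is the legitimate RA/DHCP source) but deserves a comment such as `# vxlan100 is trusted and bypasses the default blocks below`. Chain vm1 also leaves ARP and IPv4 payload sources unconstrained even though the L2 source is pinned, so if IPv4 or ARP is ever enabled on this bridge an `arp saddr ether != 02:00:f0:a9:c4:4e drop` rule beside the `ether saddr` check would close the remaining address-spoofing gap.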