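# Forwarding policy for packets that enter this host on the `core` interface.
# Active only when `site.hosts.<hostName>.firewall.enable` is set.
#
# Effect: packets arriving on `core` are forwarded only if they belong to
# (or are related to) an already tracked connection; every other packet
# arriving on `core` is rejected with a "network unreachable" ICMP error.
{ hostName, config, lib, ... }:

lib.mkIf config.site.hosts.${hostName}.firewall.enable {
  networking.firewall = {
    enable = true;

    # The two REJECT rules are issued per address family: `net-unreach` is an
    # IPv4-only reject type, and ip6tables has its own list
    # (`icmp6-no-route` is the ICMPv6 counterpart). Passing the IPv4 name
    # through ip46tables makes the ip6tables half of the call fail.
    #
    # NOTE(review): rules are appended with -A, and nothing here removes them
    # before they are added again. If the firewall script is re-run without
    # the stop commands (e.g. on reload), duplicates presumably pile up in
    # FORWARD - confirm, and consider a dedicated chain that is flushed and
    # re-filled on every start.
    extraCommands = ''
      ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -w -A FORWARD -i core -j REJECT --reject-with net-unreach
    '' + lib.optionalString config.networking.enableIPv6 ''
      ip6tables -w -A FORWARD -i core -j REJECT --reject-with icmp6-no-route
    '';

    # NOTE(review): -F FORWARD empties the whole chain, not just the rules
    # added above. Forwarding rules installed by anything else on this host
    # are dropped as well, and once the firewall is stopped, traffic from
    # `core` is governed only by the chain policy - verify that this
    # fail-open behaviour is intended.
    extraStopCommands = ''
      ip46tables -F FORWARD
    '';
  };
}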