diff --git a/etc/nftables.conf b/etc/nftables.conf
new file mode 100644
index 0000000..fde9961
--- /dev/null
+++ b/etc/nftables.conf
@@ -0,0 +1,40 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ iif lo counter accept comment "accept any localhost traffic"
+ ct state { established, related } counter accept comment "accept established,related"
+ ct state invalid counter drop comment "drop invalid"
+ meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"
+
+ tcp dport ssh ct state { new } counter accept comment "accept new SSH connections"
+
+ counter comment "count any other dropped traffic"
+ }
+
+ chain output {
+ type filter hook output priority filter; policy drop;
+
+ iif lo counter accept comment "accept any localhost traffic"
+ ct state { established, related } counter accept comment "accept established,related"
+ ct state invalid counter drop comment "drop invalid"
+ meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"
+
+ ct state new counter accept comment "accept new outbound connections"
+
+ counter comment "count any other dropped traffic"
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ # Drop everything forwarded to us. This device is not a router and does not forward.
+
+ counter comment "count dropped traffic"
+ }
+}
diff --git a/install-arch-linux.sh b/install-arch-linux.sh
index f8ccfa1..3c60b53 100755
--- a/install-arch-linux.sh
+++ b/install-arch-linux.sh
@@ -123,7 +123,7 @@ pacstrap -K /mnt base \
 less \
 tmux \
 sudo \
- ufw \
+ iptables-nft \
 openssh \
 usbguard
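Review bot: In the output chain, `iif lo counter accept` can never match: packets traversing the output hook are locally generated and carry no input interface, so that rule's counter stays at zero and loopback traffic is only admitted by the later `ct state new` rule. The loopback match for an output chain should be on the outgoing interface, `oif lo counter accept comment "accept any localhost traffic"`. Consider also bounding the input chain's SSH rule, e.g. `tcp dport ssh ct state new limit rate 10/minute counter accept comment "accept new SSH connections"`, so a burst of connection attempts is throttled before reaching sshd; whether that limit suits the host's admins is a local decision. The rest of the policy (default drop on all three hooks, invalid-state drop, no forwarding) reads as intended.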
@@ -190,6 +190,9 @@ arch-chroot /mnt useradd -m -G wheel $username
 print "Please set the password for your new account."
 arch-chroot /mnt passwd $username
+print "Installing default configuration files..."
+cp -r ./etc /mnt
+
 print "Setting up systemd-resolved..."
 arch-chroot /mnt sed -i "s|^#MulticastDNS=yes|MulticastDNS=no|" /etc/systemd/resolved.conf
 arch-chroot /mnt sed -i "s|^#LLMNR=yes|LLMNR=no|" /etc/systemd/resolved.conf
@@ -239,6 +242,9 @@ RouteMetric=200
 EOF
 arch-chroot /mnt systemctl enable systemd-networkd.service
+print "Enabling nftables firewall..."
+arch-chroot /mnt systemctl enable nftables.service
+
 print "Would you like to install iwd for Wi-Fi support? Enter 'y' exactly for yes, otherwise anything else to skip."
 read install_iwd
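Review bot: `cp -r ./etc /mnt` resolves `./etc` against the caller's current working directory rather than the script's location, so running the installer from another directory copies nothing (or the wrong tree) and the later-enabled nftables unit would start with whatever `/etc/nftables.conf` the packages shipped instead of the repository's ruleset. Anchoring the source to the script, `cp -r "$(dirname "$0")/etc" /mnt`, removes that dependency; if the script already defines a script-directory variable outside this hunk, use that instead. Since this copy appears to run after the pacstrap at line 123, it deliberately overwrites package-shipped configuration, which deserves a one-line comment such as `# Overwrites package defaults in /mnt/etc with this repository's configuration.`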
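Review bot: `arch-chroot /mnt systemctl enable nftables.service` enables the unit without validating the ruleset that was just copied in, so a syntax error in `/etc/nftables.conf` would only surface at first boot, where the unit fails and the host comes up with an empty ruleset, i.e. no filtering at all. Checking the file inside the chroot before enabling, `arch-chroot /mnt nft -c -f /etc/nftables.conf || exit 1`, fails the install early instead; this presumes the `nft` binary is present in the target, which the switch from `ufw` to `iptables-nft` in the first hunk is expected to provide via its nftables dependency but is worth confirming. The trailing context of this hunk may extend past what is visible here.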