Problem/Justification
It would be good if there were a supported way to configure the host firewall (nftables/nft) on TrueNAS SCALE. It does not need to expose all of nftables' functionality, such as NAT and forwarding; just the ability to set the default policies (inbound/outbound default ALLOW or DENY) and add explicit rules, perhaps with some predefined/automatic rules for supported services such as NFS, SMB, and HTTP(S). "Defense in depth" is a cornerstone of a good security posture, and that includes combining host-level firewalls with network firewalls.
Impact
This feature would let any user improve their security posture if they so desire. To avoid a negative impact on existing users who do not wish to use the firewall, the default could remain to allow all traffic, so that users opt in to a more explicit firewall configuration.
User Story
A user could either explicitly block a known-bad host or network while keeping the default ALLOW policy, or switch to default DENY with rules that allow access to specific ports only from the hosts and networks they decide should have it. This provides defense in depth: the user no longer has to trust every host on their LAN, and the system is also protected against compromises or configuration errors elsewhere on the network, such as on the network firewall. For instance, a configuration change on the network firewall could inadvertently expose every port on the TrueNAS system to inbound access from the internet; with a host firewall on the TrueNAS system, the impact of such an incident is limited to the ports and sources the host firewall already allows.
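The two modes described above (default DENY with per-service allows from trusted networks, and default ALLOW with a blocklist) as concrete nftables rulesets. This is an added example, not TrueNAS code or anything the middleware currently does: the table and set names, the trusted networks and "known-bad" addresses (RFC 5737 documentation ranges) are assumptions chosen for illustration; the service ports are the standard assignments (NFSv4 over TCP 2049, SMB 445, HTTP 80, HTTPS 443).

```shell
#!/bin/sh
# Added example (not TrueNAS code): generate nftables rulesets for the two
# opt-in host-firewall modes in the feature request. Table/set names and the
# sample addresses are assumptions; service ports are the standard ones.
set -eu

# Map a service name to its TCP port. NFSv4 only needs 2049; NFSv3 would
# additionally need 111 (rpcbind) and the mountd/statd ports (not covered).
service_port() {
  case "$1" in
    nfs)   echo 2049 ;;
    smb)   echo 445 ;;
    http)  echo 80 ;;
    https) echo 443 ;;
    *)     echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# Join space-separated words with ", " for nft set/anonymous-set syntax.
nft_list() {
  printf '%s' "$1" | sed 's/  */, /g'
}

# Space-separated service names -> "2049, 445, 443" (fails on unknown names).
service_port_list() {
  ports=""
  for svc in $1; do
    p=$(service_port "$svc")
    ports="${ports:+$ports, }$p"
  done
  printf '%s' "$ports"
}

# Mode 1: default DENY inbound; allow the listed services only from the
# listed IPv4 networks/hosts. Only our own table is flushed, so rules owned
# by other components (container networking, for example) are left alone.
ruleset_default_deny() {
  nets=$(nft_list "$1")
  ports=$(service_port_list "$2")
  cat <<EOF
add table inet host_fw
flush table inet host_fw
table inet host_fw {
  set trusted_nets {
    type ipv4_addr
    flags interval
    elements = { $nets }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, ipv6-icmp } accept
    ip saddr @trusted_nets tcp dport { $ports } accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Mode 2: keep default ALLOW, but drop everything from known-bad hosts/networks.
ruleset_block_hosts() {
  hosts=$(nft_list "$1")
  cat <<EOF
add table inet host_fw
flush table inet host_fw
table inet host_fw {
  chain input {
    type filter hook input priority 0; policy accept;
    ip saddr { $hosts } drop
  }
}
EOF
}

# Demo with constructed sample networks (RFC 5737 documentation ranges).
ruleset_default_deny "192.0.2.0/24 198.51.100.10" "nfs smb https"
```

Check the generated text with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`. Two caveats a real implementation would have to handle: the `ip saddr` match only covers IPv4, so IPv6 clients would fall through to the `drop` policy unless an equivalent `ip6 saddr` set is added, and rules loaded this way do not survive a reboot, so the middleware would need to regenerate them at boot.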
Since TrueNAS already has its own middleware, having it create nft rules directly probably makes the most sense, but ufw (available in Debian's repositories) or firewalld are other options.