diff --git a/monitor-dev.cert.sunet.se/overlay/etc/hiera/data/local.yaml b/monitor-dev.cert.sunet.se/overlay/etc/hiera/data/local.yaml
new file mode 100644
index 0000000..05941be
--- /dev/null
+++ b/monitor-dev.cert.sunet.se/overlay/etc/hiera/data/local.yaml
@@ -0,0 +1,6 @@
+---
+nrpe_clients:
+ - 127.0.0.1
+ - 127.0.1.1
+ - 89.47.185.162
+ - 172.16.0.0/20
diff --git a/monitor-dev.cert.sunet.se/overlay/etc/nftables.conf b/monitor-dev.cert.sunet.se/overlay/etc/nftables.conf
new file mode 100644
index 0000000..e088184
--- /dev/null
+++ b/monitor-dev.cert.sunet.se/overlay/etc/nftables.conf
@@ -0,0 +1,35 @@
+#!/usr/sbin/nft -f
+#
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ # accept any localhost traffic
+ iif lo counter accept
+ iifname "br-*" counter accept
+
+ # accept icmp
+ ip protocol icmp counter accept
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
+ parameter-problem, echo-request, mld-listener-query,
+ nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
+ nd-neighbor-advert } counter accept
+
+ # accept traffic originated from us
+ ct state established counter accept
+ # silently drop invalid packets
+ ct state invalid counter drop
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+}
+
+# include all the other files that may be deployed by puppet
+include "/etc/nftables/conf.d/*.nft"
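Review bot: The non-loopback entries in `nrpe_clients` (89.47.185.162 and 172.16.0.0/20) carry no indication of which monitoring host or network they stand for, so a later maintainer cannot tell whether either is still needed when pruning this allowlist. A short YAML comment per entry, e.g. `- 89.47.185.162  # <monitoring server, fill in>`, would make that safe. Presumably this list feeds an NRPE allowed-hosts setting via Puppet; if the /20 is wider than the actual set of monitoring servers, listing those hosts individually would match the least-privilege intent of an allowlist.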
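Review bot: `iifname "br-*" counter accept` in the input chain admits every packet arriving from any bridge interface, so whatever is attached to those bridges (containers, presumably, given the name pattern) reaches every host service and bypasses both the `policy drop` default and the NRPE client allowlist added in the same commit; restricting the rule to the protocols and ports the bridges actually need, or at least a comment stating why a blanket accept is acceptable here, would keep the chain consistent with its drop policy. `ct state established counter accept` omits `related`, so helper-tracked related flows fall through to the drop policy unless a conf.d file accepts them; `ct state established,related counter accept` is the usual form if that exclusion is not deliberate. `flush ruleset` removes every table in the kernel, including any a container runtime installs for its bridges, so reloading this file on a host with such bridges may silently break container networking — worth a comment if that is already accounted for. Nothing in this file accepts inbound management ports and the forward chain drops everything, so both are presumably supplied by the conf.d include; naming that dependency in the comment above `include` would help a reader of this file alone.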