diff --git a/fwrules/templates/firewall.nft.j2 b/fwrules/templates/firewall.nft.j2
index c8232d0..e6ba718 100755
--- a/fwrules/templates/firewall.nft.j2
+++ b/fwrules/templates/firewall.nft.j2
@@ -9,7 +9,8 @@ table inet firewall {
 include "/etc/firewall/chains.nft";
 chain input {
- type filter hook input priority -10; policy drop;
+ # This firewall chain should be the absolute last one to run.
+ type filter hook input priority 100; policy drop;
 # Fixup ICMPv6 to allow IPv6 communication
 icmpv6 type {
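Review bot: The new comment on `chain input` says the chain should be the absolute last one to run but gives no reason, and priority 100 does not guarantee it: any base chain on the input hook with a larger priority value still runs after this one. Because an accept verdict only ends the current base chain while drop is final, moving from -10 to 100 mainly means input chains in other tables now see packets before this policy drops them, so their rules, counters and logs will process traffic that this chain later rejects. I would word the comment as `# Runs after other input-hook chains (priority 100): accept in an earlier chain is not final, so traffic must still be accepted here or it hits policy drop.` The chain body continues outside the hunk, so the rules that depend on this ordering are not visible here.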