domain (ip ip6) {
    table filter {
        chain INPUT {
            proto tcp dport 389 ACCEPT;
            proto tcp dport 636 ACCEPT;
        }
    }
}