On 9/23/23 13:51, Christian wrote: ... In case of interest, the nft rules that I shared with David previously are available here [1]. This is a sample nftables ruleset for a laptop or workstation. It allows established / related packets to come back. These packets are returned after a connection is initiated from the local machine. e.g. going to a website, or sending an icmp ping. It supports local services running on same machine where nftables rules are installewd (these are services which are available to the internet): - DNS server - SSH server - WEB server for http and https including http/2 and http/3. Uncomment to turn on. It also allows blocking from a list of CIDR addresses. This prevents any IP from the blocked list any access to the above services offered on the machine. N.B. Replies from these "blocked" IPs, are still permitted to come back in if they are related/established. e.g. if you go to website hosted at a blocked IP everything should work normally. The reason this works, is that these 'blocks' are done in the 'inet' table. If you wanted to block inbound SYN and in addition block established/related - then add similar blocks for ingress hook in the 'netdev' table. Adding ingress blocks prevents any packets from those IPs from getting in - regardless if related/established. It is very early in the packet flow - see [2] for how the packets flow in nftables. ingress hook is not available in (legacy) iptables last I checked. gene [1] https://github.com/gene-git/blog/tree/master/nftables [2] https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks