On 08.09.22 at 15:31, Tom wrote:
On 2022-09-08 04:46, Reindl Harald wrote:
why do you make all that so complicated instead of writing a simple
ratelimit rule for ping that applies to everyone and *before* it have a set
which ACCEPTs a specific list of IPs, if that's needed at all
OK, sounds good. Perhaps you're under the mistaken impression I'm an NFT
expert. Clearly I'm not. Perhaps you could suggest a resource where I
might find examples which solve my problem. Better yet, you could
provide a practical example. It would be appreciated.
in a ruleset any rule which is final (DROP, REJECT, ACCEPT) skips
anything below
so you have a chain where you send only ICMP, write first the specific
rules and as the last one the "everything else" decision, no matter if it's
ACCEPT/DROP/REJECT
i use iptables-nft because i hate the new syntax and have thousands of
lines in scripts for configuring and displaying the status of rulesets - but the
principles are the same for every firewall
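A minimal nftables ruleset showing the ordering described above (a dedicated ICMP chain: specific accept rule first, ratelimit for everyone else, final "everything else" verdict last). This is an added example, not code from the thread; the table, set and chain names and the 192.0.2.x addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed names: table "filter",
# set "ping_unlimited", chain "icmp_in"; 192.0.2.x are documentation addresses.

table inet filter {
    # Hosts allowed to ping without a limit: one set, not one rule per host.
    set ping_unlimited {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain icmp_in {
        # 1) specific rule first: listed sources get a final verdict here,
        #    so nothing below is evaluated for them
        ip saddr @ping_unlimited icmp type echo-request accept

        # 2) everyone else: at most 10 echo requests per second (burst 20);
        #    once the limit is exceeded this rule no longer matches
        icmp type echo-request limit rate 10/second burst 20 packets accept

        # 3) "everything else" decision last: excess pings are dropped,
        #    counted so the effect is visible in 'nft list ruleset'
        icmp type echo-request counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # send only ICMP to the dedicated chain; other protocols go on below
        meta l4proto icmp jump icmp_in
    }
}
```

Load it with `nft -f <file>` and inspect counters with `nft list chain inet filter icmp_in` to confirm that only pings beyond the limit hit the drop rule.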