(I'm so sorry... my previous post is in failed format... please ignore) Hello @ all I'm still struggling anymore with the new syntax at ApplicationLayerGateway/FTP and testing with smallest steps. In doing so I have now come across the following effect. I have 2 test-rules here, both of which i expected to completely block any outgoing traffic. But as you can see from the second example in the counter, only here is blocked. The first example has no effect at all, everything works as if it was not blocked. # nft list ruleset table ip filter { chain output { type filter hook output priority 0; policy drop; meta pkttype { 0, 1, 2 } accept counter packets 0 bytes 0 reject with icmp 13 } } # nft list ruleset table ip filter { chain output { type filter hook output priority 0; policy drop; meta pkttype { 1, 2 } accept counter packets 1858 bytes 165434 reject with icmp 13 } } Is this a desired behavior, when a unicast-accept virtually neutralizes the complete filter? How do I deal with this problem? Best Regards Thomas