Greetings,

There is some discussion on another list about dealing with the problem of a type of spoofed SSH connection. Here is a description of the problem, along with how to use tcpdump to identify it:

https://delroth.net/posts/spoofed-mass-scan-abuse/

One solution offered in a message on the other list was to add the following rule into its own table:

nft add rule ip accounting input \
    tcp sport 22 tcp flags == syn\|ack counter

The following seems to load without error and I have some beginner-level questions. Specifically, I wonder how or if it does the job. Also,

1) Do port 22 IPv4 packets pass through both tables? They seem to. But how can I verify that?

2) Is a second similar table needed for IPv6?

3) Are the counters for port 22 in the 'filter4' table redundant with the counters for port 22 in the 'accounting' table?

Any explanations or corrections welcome.

/Lars

#!/usr/sbin/nft -f
# vim:set ts=4:

flush ruleset

# IPv4 packet filter (family "ip" only; IPv6 is not covered by this table)
table ip filter4 {
    chain input {
        type filter hook input priority filter; policy drop;
        # loopback traffic between 127/8 addresses
        iif "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept
        # replies to connections this host already tracks
        ct state established,related counter accept
        # rate-limited ping
        icmp type echo-request limit rate 1/second counter accept
        # new inbound SSH connections, rate-limited
        tcp dport 22 ct state new limit rate 4/minute counter accept
        # everything else is counted and rejected
        counter reject
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept
        ip protocol tcp counter accept
        ip protocol udp counter accept
        ip protocol icmp counter accept
        counter reject
    }
}

# Separate table that only counts; its chains have no drop/reject rules
table ip accounting {
    chain input {
        type filter hook input priority filter; policy accept;
        # inbound SYN/ACK with source port 22 (0x12 == syn|ack), counted only;
        # no verdict here, so the chain policy (accept) applies
        tcp sport 22 tcp flags == 0x12 counter
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
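One way to check, from the host itself, which base chains hang off the input hook and how the port 22 counters in the two tables compare is to read the machine-readable dump from `nft -j list ruleset`. The script below is an added example written for this post, not part of Lars's message or of the nftables project. It assumes the JSON layout nft emits (`chain` objects carrying `hook`, `prio` and `policy`; `rule` objects carrying an `expr` list with `match` and `counter` entries); the embedded sample is hand-constructed to mirror the ruleset above, with made-up counter values, and the `|` rendering of the flag set is an assumption the code does not rely on.

```python
"""List base chains on the input hook and report counters of rules that
match TCP port 22, from `nft -j list ruleset` output."""
import json
import sys

# Constructed sample in the shape of `nft -j list ruleset` output: hand-written
# to mirror the filter4/accounting ruleset in the post, NOT captured from a host.
SAMPLE_RULESET_JSON = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "ip", "name": "filter4", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter4", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    {"rule": {"family": "ip", "table": "filter4", "chain": "input", "handle": 5, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}},
        {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}},
        {"limit": {"rate": 4, "per": "minute"}},
        {"counter": {"packets": 17, "bytes": 1020}},
        {"accept": None}]}},
    {"rule": {"family": "ip", "table": "filter4", "chain": "input", "handle": 6, "expr": [
        {"counter": {"packets": 340, "bytes": 13600}},
        {"reject": None}]}},
    {"table": {"family": "ip", "name": "accounting", "handle": 2}},
    {"chain": {"family": "ip", "table": "accounting", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "accounting", "chain": "input", "handle": 2, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "sport"}}, "right": 22}},
        # flag-set rendering below is an assumption; the code never inspects it
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "flags"}},
                   "right": {"|": ["syn", "ack"]}}},
        {"counter": {"packets": 9, "bytes": 360}}]}},
]})


def load_ruleset(text):
    """Parse the JSON text produced by `nft -j list ruleset`."""
    return json.loads(text)


def input_hook_chains(ruleset):
    """Base chains attached to the input hook as (family, table, chain, prio, policy),
    lowest priority first. All of them are traversed for a packet unless an earlier
    one issues drop/reject; chains with equal priority have no guaranteed order."""
    chains = []
    for obj in ruleset["nftables"]:
        ch = obj.get("chain")
        if ch and ch.get("hook") == "input":
            chains.append((ch["family"], ch["table"], ch["name"], ch["prio"], ch.get("policy")))
    return sorted(chains, key=lambda c: c[3])


def _tcp_port_match(expr, port):
    """Return 'sport'/'dport' if expr is `tcp sport/dport == port`, else None."""
    m = expr.get("match")
    if not m or not isinstance(m.get("left"), dict):
        return None
    payload = m["left"].get("payload")
    if (payload and payload.get("protocol") == "tcp"
            and payload.get("field") in ("sport", "dport") and m.get("right") == port):
        return payload["field"]
    return None


def port_rule_counters(ruleset, port=22):
    """Rules that match TCP sport/dport `port` and carry a counter, in ruleset order."""
    rows = []
    for obj in ruleset["nftables"]:
        rule = obj.get("rule")
        if not rule:
            continue
        field, counter = None, None
        for expr in rule["expr"]:
            field = field or _tcp_port_match(expr, port)
            if "counter" in expr:
                counter = expr["counter"]
        if field and counter:
            rows.append({"table": rule["table"], "chain": rule["chain"], "handle": rule["handle"],
                         "field": field, "packets": counter["packets"], "bytes": counter["bytes"]})
    return rows


def counters_by_table(rows):
    """Sum matched packets per table, to put the two tables side by side."""
    totals = {}
    for r in rows:
        totals[r["table"]] = totals.get(r["table"], 0) + r["packets"]
    return totals


if __name__ == "__main__":
    # Usage: nft -j list ruleset > ruleset.json && python3 nft_port22.py ruleset.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET_JSON
    rs = load_ruleset(text)
    for fam, table, chain, prio, policy in input_hook_chains(rs):
        print(f"input hook: {fam} {table} {chain} prio={prio} policy={policy}")
    for r in port_rule_counters(rs):
        print(f"{r['table']}/{r['chain']} handle {r['handle']}: tcp {r['field']} 22 "
              f"packets={r['packets']} bytes={r['bytes']}")
    print("per table:", counters_by_table(port_rule_counters(rs)))
```

Note that the two port 22 counters measure different things: the filter4 rule counts new inbound SYNs to port 22, while the accounting rule counts inbound SYN/ACKs from port 22, so the per-table totals are not expected to agree; the listing is there to show that both chains sit on the same hook at the same priority and to read both numbers in one place.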