nftables baseline: default-deny, service sets, logged drops

Design: one inet table, stateful allows, explicit service sets, rate-limited logging of drops. Simple to reason about.

1) Ruleset

    # /etc/nftables.conf
    table inet filter {
        # "flags interval" lets the set hold CIDR prefixes, not just single addresses
        set admin_srcs {
            type ipv4_addr
            flags interval
            elements = { 203.0.113.0/24 }
        }
        chain input {
            type filter hook input priority 0; policy drop;
            ct state established,related …
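A complete ruleset following the same design (default-deny input, stateful allows, service sets, rate-limited logged drops), written here as an added example rather than the post's own file; the set names other than admin_srcs, the port numbers and the log prefix are my own choices, and 203.0.113.0/24 is a documentation range standing in for a real admin network.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Address set: "flags interval" allows CIDR prefixes as elements.
    set admin_srcs {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }   # constructed example range (RFC 5737)
    }

    # Service sets: ports open to everyone vs. ports open only to admin_srcs.
    set public_tcp {
        type inet_service
        elements = { 80, 443 }
    }
    set admin_tcp {
        type inet_service
        elements = { 22 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful allows: replies to our own connections, plus related flows.
        ct state established,related accept
        ct state invalid drop

        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Match against sets instead of one rule per port; membership
        # changes are "nft add element", not ruleset edits.
        tcp dport @public_tcp accept
        ip saddr @admin_srcs tcp dport @admin_tcp accept

        # Log what falls through, but never more than 5/min (burst 10),
        # so a port scan cannot flood the kernel log. The chain policy
        # then performs the actual drop.
        limit rate 5/minute burst 10 packets log prefix "nft-input-drop: " level info
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate before loading with `nft -c -f /etc/nftables.conf`; dropped packets appear in the kernel log with the "nft-input-drop: " prefix, which is what a log pipeline should key on.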