Confused about how some of the nftable rules work

[smahm006]

Hello erebe,

Firstly thank you for leaving this repo public I am learning a lot just by reading through the material. I am trying to understand the firewall rules you have set and I am confused about a drop rule you have set in your nodes/server/config/nftables.rules.

tcp dport {22, 25, 465, 2222} ct state new, untracked limit rate over 5/minute add @denylist { ip saddr } comment "add to blacklist"
ip saddr @denylist drop comment "dont allow blacklisted ip"

Now if I undestand correctly if any TCP packets with destination ports 22, 25, 465, or 2222 with a connection tracking state of new or untracked are found, to add them to the deny list and then to drop all of them.

But what I don't understand is wouldn't this block your own first time SSH connections and emails as well? If you wanted to SSH into your server from a new machine how could you do so?

[erebe]

Hello,

You are reading correctly, you just miss this part limit rate over 5/minute add it will add the ip to the denylist/blacklist only if the same ip is trying to establish new connection more 5 time per minute.

limit rate over 5/minute is the rule/condition to match
add @denylist { ip saddr } is the action to take if the condition match

[smahm006]

Ah ok that makes sense thank you 👍