Following extensive testing under real-world attack conditions, we have promoted our nftables firewall engine to full production mode. The ruleset now operates across three layers: a netdev ingress hook at the NIC level for immediate bogon and invalid-flag drops, a stateless raw prerouting chain that applies rate-based fuses before conntrack sees the packet, and a stateful protection table for per-service connection tracking.
Key changes include the introduction of a global SYN circuit breaker as a last-resort flood defense, refined per-IP SYN and packet-rate meters, and improved amplification-reflection drop logic. UDP DNS processing has been optimized with selective connection-tracking bypass so that query throughput stays high during flood conditions.
Our nftables ruleset has been fully migrated to production mode with refined per-IP rate limiting, a global SYN circuit breaker, and improved amplification reflection defense.
Highlights
- Three-layer packet filtering architecture (netdev → raw → stateful)
- Global SYN circuit breaker for last-resort flood defense
- Per-IP SYN and packet-rate meters in full production mode
- Improved UDP/53 throughput via selective conntrack bypass
- Hardened amplification reflection defense with rate-limited logging
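The three-layer layout described above, written out as an nftables ruleset. This is an added illustration, not the production ruleset announced here; the interface name eth0, the service ports (tcp/80, tcp/443, udp/53), the bogon list and every rate threshold are assumed placeholder values.

```nft
# Added example, not the production ruleset. Assumed: NIC eth0, services tcp/80,443 + udp/53, all thresholds.
flush ruleset
# Layer 1: netdev ingress hook runs on the NIC before the IP stack; cheapest drop point.
table netdev ingress_filter {
    set bogons {
        type ipv4_addr; flags interval;
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3 }
    }
    chain ingress {
        type filter hook ingress device eth0 priority -500; policy accept;
        ip saddr @bogons drop
        tcp flags & (fin|syn) == fin|syn drop   # SYN+FIN is never legitimate
        tcp flags & (syn|rst) == syn|rst drop   # SYN+RST is never legitimate
    }
}
# Layer 2: stateless fuses at priority raw (-300), before conntrack (-200): no conntrack entry is ever allocated.
table ip raw_fuses {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Global SYN circuit breaker: cap on the aggregate SYN rate, last resort only.
        tcp flags & (syn|ack) == syn limit rate over 20000/second burst 5000 packets counter drop
        # Per-source SYN meter, then per-source packet-rate meter.
        tcp flags & (syn|ack) == syn meter syn_per_ip { ip saddr limit rate over 30/second burst 60 packets } drop
        meter pkt_per_ip { ip saddr limit rate over 5000/second burst 10000 packets } drop
        # Reflection defense: unsolicited replies from known amplifier ports. log is
        # non-terminal, so a rate-limited log rule precedes the unconditional drop.
        udp sport { 17, 19, 1900, 11211 } limit rate 5/minute log prefix "amp-reflect: "
        udp sport { 17, 19, 1900, 11211 } counter drop
        # DNS: bypass conntrack so spoofed query floods cannot fill the ct table.
        udp dport 53 notrack
    }
    chain output {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack   # the replies must bypass conntrack as well
    }
}
# Layer 3: stateful protection; per-service caps count connections per source.
table ip protection {
    set web_conns { type ipv4_addr; flags dynamic; size 65535; }
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        udp dport 53 ct state untracked accept
        tcp dport { 80, 443 } ct state new add @web_conns { ip saddr ct count over 100 } drop
        tcp dport { 80, 443 } ct state new accept
    }
}
```

Load it with `nft -f <file>` on a test host first and watch the `counter` values under synthetic load; the global breaker threshold must sit above the peak legitimate SYN rate or it will shed real clients before the per-IP meters have a chance to act.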