Hi, Not sure if I am missing something, but I keep running into connections being rejected that should be accepted from how I (think I :)) have defined the rules. I somehow get the feeling that the behavior below is related to nft rules only containing "new, untracked" but not related and established. Googled if there is a way to add these two states to rules, but did not find anything. A direct rule might help, but since these are discouraged for futureproofness, trying to figure out the "right" way. Working on a Debian 11 system, nftables backend. Example 1, syncthing: zone file knet.xml, amongst others: <service name="syncthing"/> <source-port port="22000" protocol="tcp"/> <source-port port="22000" protocol="udp"/> <rule family="ipv4"> <source address="192.168.1.1/24"/> <port port="22000" protocol="tcp"/> <accept/> </rule> <rule family="ipv4"> <source address="192.168.1.1/24"/> <port port="22000" protocol="udp"/> <accept/> </rule> Nicely translated into the nft ruleset (amongst others): ip saddr 192.168.1.0/24 tcp dport 22000 ct state { new, untracked } accept ip saddr 192.168.1.0/24 udp dport 22000 ct state { new, untracked } accept However, I still get these errors in syslog: filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.54 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33526 DF PROTO=TCP SPT=22000 DPT=22000 WINDOW=65535 RES=0x00 SYN Example 2, Apache as an https proxy: <rule family="ipv4"> <source address="192.168.1.13"/> <source-port port="443" protocol="tcp"/> <accept/> </rule> ip saddr 192.168.1.13 tcp sport 443 ct state { new, untracked } accept "filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<ANOM> SRC=192.168.1.13 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=34860 WINDOW=0 RES=0x00 RST URGP=0 What's going on here? Thanks a lot for your help and best regards