Disable incoming ping and change WAN zone forward and input from reject to drop.
Example custom rule to limit connection rate towards your rule.
Add it to a new file with a .nft extension in /etc/nftables.d/
(The filter line is optimal bytecode-wise; the limiter is copied from the fw4 default and may need changing. It keeps your server up, but may drop legitimate clients under attack.)
```
# Hook early in prerouting; send only NEW connections to the game port
# (TCP and UDP 25565) arriving on a WAN device into the "mines" chain.
# $wan_devices is the variable fw4 defines for the WAN zone's devices.
chain mangle_prerouting {
    type filter hook prerouting priority mangle; policy accept;
    iif $wan_devices ct state new meta l4proto . th dport vmap { tcp . 25565 : jump mines, udp . 25565 : jump mines }
}

# First counter: every packet that reaches the chain.
# Second counter: packets within the limit, which return to normal processing.
# Anything over the limit falls through to the drop.
chain mines {
    counter limit rate 5/second burst 50 packets counter return
    drop
}
```
Run `fw4 check` to confirm the resulting ruleset is OK.
Observe the 2 counters using `nft list ruleset` once you feel under attack.
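To see what `limit rate 5/second burst 50 packets` does to a flood and to the legitimate clients caught behind it, here is an added simulation (my own example, not part of the post or of fw4). It assumes the limiter behaves as a classic token bucket, which is a simplification of nftables' internal accounting, and the flood and client timings are constructed sample data.

```python
"""Simulate the `mines` chain's `limit rate 5/second burst 50 packets`
as a token bucket, to see how many NEW connections a flood lets through
and whether a legitimate client gets starved. ASSUMPTION: classic token
bucket, not nftables' exact accounting; all packets are constructed."""


class TokenBucket:
    """Integer token bucket: time in ms, tokens in 1/1000 units, so the
    accounting is exact (no float rounding right at the threshold)."""

    def __init__(self, rate_per_second: int, burst_packets: int):
        self.refill_per_ms = rate_per_second   # 5/s == 5 milli-tokens per ms
        self.capacity = burst_packets * 1000
        self.tokens = self.capacity            # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        # refill for the elapsed time, capped at the burst size
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:          # one whole packet's worth of tokens
            self.tokens -= 1000
            return True                  # limit matched -> counter, return
        return False                     # fell through -> drop


def run_mines_chain(packets, rate_per_second=5, burst_packets=50):
    """packets: list of (time_ms, source_label) for NEW connections to the
    game port. Returns {source: {"return": n, "drop": n}}, i.e. what the
    two counters in the chain would show, split by source."""
    bucket = TokenBucket(rate_per_second, burst_packets)
    stats = {}
    for t_ms, src in sorted(packets):
        verdict = "return" if bucket.allow(t_ms) else "drop"
        stats.setdefault(src, {"return": 0, "drop": 0})[verdict] += 1
    return stats


def constructed_flood(attack_packets=1000, legit_ms=(150, 500, 1500, 12000)):
    """Constructed sample: one attacker connection per millisecond for one
    second, plus a few legitimate attempts during and after the flood."""
    pkts = [(ms, "attacker") for ms in range(attack_packets)]
    pkts += [(ms, "legit") for ms in legit_ms]
    return sorted(pkts)


if __name__ == "__main__":
    for src, c in run_mines_chain(constructed_flood()).items():
        print(f"{src:9s} returned={c['return']:4d} dropped={c['drop']:4d}")
```

With these numbers the burst of 50 is spent in the first 50 ms, after which only one connection per 200 ms gets through, so the two legitimate attempts made during the flood are dropped while the two made after it succeed.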
Either way - I am interested in any result, to improve the default fw4 setup.