diff --git a/nftables-network.conf b/nftables-network.conf
index fba5eca..4d5ef19 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -23,6 +23,16 @@ table inet filter {
 flags dynamic
 }
+ set ip-connlimit-supl {
+ type ipv4_addr
+ flags dynamic
+ }
+
+ set ip6-connlimit-supl {
+ type ipv6_addr
+ flags dynamic
+ }
+
 chain prerouting-raw {
 type filter hook prerouting priority raw
@@ -34,8 +44,8 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- tcp dport { 80, 443, 7275 } notrack accept
- tcp dport 22 tcp flags syn notrack accept
+ tcp dport { 80, 443 } notrack accept
+ tcp dport { 22, 7275 } tcp flags syn notrack accept
 udp dport 123 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
@@ -44,7 +54,7 @@ table inet filter {
 type filter hook output priority raw
 oif lo notrack accept
- tcp sport { 80, 443, 7275 } notrack accept
+ tcp sport { 80, 443 } notrack accept
 udp sport 123 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
@@ -54,7 +64,7 @@ table inet filter {
 policy drop
 iif lo goto input-loopback
- tcp dport { 80, 443, 7275 } accept
+ tcp dport { 80, 443 } accept
 udp dport 123 accept
 meta l4proto { icmp, ipv6-icmp } accept
 ct state vmap { established : accept, related : accept, new : goto graceful-reject }
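Review bot: The two new sets in the first hunk carry no comment saying what they key on or which chain fills them, so a reader of the set block alone cannot tell that `ip-connlimit-supl` holds sources that exceeded the per-source limit on tcp/7275. A one-line comment above each set, `# sources over the tcp/7275 connection limit, filled from chain input-loopback`, would state the intent that is only visible in the last hunk. Whether a `timeout` is wanted on these dynamic sets I cannot tell from here, because the neighbouring ssh set's declaration is cut off at the top of the hunk.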
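Review bot: The port set `{ 80, 443 }` is now written out three times, in the prerouting-raw hunk here and again in the output-raw and input hunks below, and this commit shows how easily they drift, since moving 7275 required editing all three. A single `define tcp-notrack-ports = { 80, 443 }` at the top of the file, used as `tcp dport $tcp-notrack-ports notrack accept` here and in the input chain and as `tcp sport $tcp-notrack-ports notrack accept` in output-raw, would keep the three rules in step; the file evidently already uses defines, given the `$ip-allowlist-ssh` reference in the last hunk. The `tcp dport { 22, 7275 } tcp flags syn notrack accept` line would also benefit from a comment such as `# synproxied ports: only the initial SYN stays untracked, the rest must be tracked` so the next maintainer does not move 7275 back onto the plain notrack line.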
@@ -62,11 +72,16 @@ table inet filter {
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
 tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm
+ tcp dport 7275 ip saddr @ip-connlimit-supl counter reject with tcp reset
+ tcp dport 7275 ip6 saddr @ip6-connlimit-supl counter reject with tcp reset
+ tcp dport 7275 synproxy mss 1460 wscale 7 timestamp sack-perm
 }
 chain input-loopback {
 tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
 tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+ tcp dport 7275 tcp flags syn add @ip-connlimit-supl { ip saddr ct count over 32 } counter reject with tcp reset
+ tcp dport 7275 tcp flags syn add @ip6-connlimit-supl { ip6 saddr ct count over 32 } counter reject with tcp reset
 accept
 }
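Review bot: The IPv6 limit for tcp/7275 keys on the full /128 source address, whereas the ssh rules right above it mask with `and ffff:ffff:ffff:ffff:ffff::` both when adding to the set and when looking it up; with per-address keys a source that controls a whole prefix is limited per address rather than per network, so the limit is much weaker for IPv6 than the IPv4 rule beside it. Unless the difference is deliberate, the two new ip6 lines should read `tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-supl counter reject with tcp reset` and `tcp dport 7275 tcp flags syn add @ip6-connlimit-supl { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset`, matching the ssh pair. The chain holding the first three added lines begins before the hunk, so I cannot see its hook or what other rules precede the new reject lines there.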