diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 8bdd8f8..2de04a7 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -42,9 +42,8 @@ table inet filter {
         # drop packets to address not configured on incoming interface (strong host model)
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
-        tcp dport 443 notrack accept
-        tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
-        tcp dport { 22, 80 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
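Review bot: With `tcp dport 443 notrack accept` removed, HTTPS flows now take conntrack entries, so conntrack table capacity becomes a limit on port 443 availability, and nothing in this hunk documents that. Only SYNs above 1024/second are marked `notrack` by the second added rule; SYNs under the rate and all non-SYN segments are tracked. I would add a comment above the two rules, for example `# SYNs under the rate are tracked; excess SYNs stay untracked (presumably for synproxy in the input chain); size nf_conntrack_max for peak concurrency`. The sysctl sizing is not visible on this page and should be confirmed. The chain header is outside the hunk, and the same point applies to the first hunk of each of the other six files.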
@@ -53,23 +52,22 @@ table inet filter {
         policy drop
 
         iif lo goto input-loopback
-        tcp dport 443 accept
         meta l4proto { icmp, ipv6-icmp } accept
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-new {
-        tcp dport != { 22, 80 } goto graceful-reject
+        tcp dport != { 22, 80, 443 } goto graceful-reject
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
         accept
     }
 
@@ -77,8 +75,8 @@ table inet filter {
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
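Review bot: `tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 }` keys the set on source address only, so ports 80 and 443 now appear to share one budget of 32 connections per IPv4 address (per /64 for IPv6), where 443 was previously unlimited. Browsers open several parallel connections and many clients can sit behind one NAT address, so a threshold that looks chosen for port 80 alone may reset legitimate HTTPS users. I would either revisit the figure or at least document the shared budget with `# 80 and 443 share one per-source budget in @ip-connlimit-main`, and watch the `counter` on these rules after rollout. The enclosing chain starts outside the hunk. The same rules appear in the next hunk, in the set-membership checks of the previous hunk, and in the matching hunks of the other files.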
@@ -86,8 +84,8 @@ table inet filter {
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -100,7 +98,6 @@ table inet filter {
         type filter hook output priority raw
 
         oif lo notrack accept
-        tcp sport 443 notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 26c0567..7af2391 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -42,12 +42,8 @@ table inet filter {
         # drop packets to address not configured on incoming interface (strong host model)
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
-        # IPv6 interacts badly with IP-based spam filtering
-        meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset
-
-        tcp dport 443 notrack accept
-        tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
-        tcp dport { 22, 80 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
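Review bot: Removing `meta nfproto ipv6 tcp dport { 80, 443 } reject with tcp reset` opens ports 80 and 443 to IPv6 on this host, and the hunk leaves nothing behind that addresses the removed comment's concern about IP-based spam filtering. The firewall's own IPv6 limits in this file work on the /64 (`ip6 saddr and ffff:ffff:ffff:ffff::`), but whether the application's spam filtering does the same is not visible here. A filter keyed on full IPv6 addresses treats every address in a prefix as a separate client. I would confirm that before deploying and record it where the rule used to be, for example `# IPv6 allowed on 80/443: application spam filtering must key on the /64 prefix`.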
@@ -56,23 +52,22 @@ table inet filter {
         policy drop
 
         iif lo goto input-loopback
-        tcp dport 443 accept
         meta l4proto { icmp, ipv6-icmp } accept
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-new {
-        tcp dport != { 22, 80 } goto graceful-reject
+        tcp dport != { 22, 80, 443 } goto graceful-reject
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
         accept
     }
 
@@ -80,8 +75,8 @@ table inet filter {
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -89,8 +84,8 @@ table inet filter {
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -103,7 +98,6 @@ table inet filter {
         type filter hook output priority raw
 
         oif lo notrack accept
-        tcp sport 443 notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-mail.conf b/nftables-mail.conf
index f135284..4e8ff8b 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -42,9 +42,8 @@ table inet filter {
         # drop packets to address not configured on incoming interface (strong host model)
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
-        tcp dport { 25, 465, 993 } notrack accept
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
-        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
+        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second accept
+        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
@@ -53,23 +52,22 @@ table inet filter {
         policy drop
 
         iif lo goto input-loopback
-        tcp dport { 25, 465, 993 } accept
         meta l4proto { icmp, ipv6-icmp } accept
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 22, 25, 80, 443, 465, 993 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-new {
-        tcp dport != { 22, 80, 443 } goto graceful-reject
+        tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 25, 80, 443, 465, 993 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 25, 80, 443, 465, 993 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
         accept
     }
 
@@ -77,8 +75,8 @@ table inet filter {
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
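Review bot: Ports 25, 465 and 993 move from unrestricted (`notrack accept`) to sharing `@ip-connlimit-main` with the web ports, so `ct count over 32` now appears to cap a source at 32 connections across SMTP, submission, IMAPS and HTTP(S) combined. Sending mail servers often deliver over several parallel connections from a few addresses, and IMAP clients hold multiple long-lived connections, often from behind shared NAT, so resets here can mean deferred mail. I would give the mail ports their own set and threshold, for example `tcp dport { 25, 465, 993 } add @ip-connlimit-mail { ip saddr ct count over N } counter reject with tcp reset`, where the set name and N are placeholders. The set definitions are outside these hunks and the enclosing chain starts outside the hunk. The same rules appear in the next hunk and in the membership checks of the previous one.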
@@ -86,8 +84,8 @@ table inet filter {
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 25, 80, 443, 465, 993 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 25, 80, 443, 465, 993 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -100,7 +98,6 @@ table inet filter {
         type filter hook output priority raw
 
         oif lo notrack accept
-        tcp sport { 25, 465, 993 } notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 5a81857..128068b 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -42,9 +42,8 @@ table inet filter {
         # drop packets to address not configured on incoming interface (strong host model)
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
-        tcp dport 443 notrack accept
-        tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
-        tcp dport { 22, 80 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
@@ -53,23 +52,22 @@ table inet filter {
         policy drop
 
         iif lo goto input-loopback
-        tcp dport 443 accept
         meta l4proto { icmp, ipv6-icmp } accept
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-new {
-        tcp dport != { 22, 80 } goto graceful-reject
+        tcp dport != { 22, 80, 443 } goto graceful-reject
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
         accept
     }
 
@@ -77,8 +75,8 @@ table inet filter {
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -86,8 +84,8 @@ table inet filter {
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -100,7 +98,6 @@ table inet filter {
         type filter hook output priority raw
 
         oif lo notrack accept
-        tcp sport 443 notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-network.conf b/nftables-network.conf
index d9b9bdc..e880325 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -44,9 +44,8 @@ table inet filter {
         # drop packets to address not configured on incoming interface (strong host model)
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
-        tcp dport { 80, 443 } notrack accept
-        tcp dport { 22, 7275 } tcp flags syn limit rate 1024/second accept
-        tcp dport { 22, 7275 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second accept
+        tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
         udp dport 123 notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
@@ -56,24 +55,23 @@ table inet filter {
         policy drop
 
         iif lo goto input-loopback
-        tcp dport { 80, 443 } accept
         udp dport 123 accept
         meta l4proto { icmp, ipv6-icmp } accept
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 22, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 22, 80, 443, 7275 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-new {
-        tcp dport != { 22, 7275 } goto graceful-reject
+        tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 7275 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 7275 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443, 7275 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443, 7275 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
         accept
     }
 
@@ -81,8 +79,8 @@ table inet filter {
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -90,8 +88,8 @@ table inet filter {
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 7275 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 7275 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443, 7275 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443, 7275 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -104,7 +102,6 @@ table inet filter {
         type filter hook output priority raw
 
         oif lo notrack accept
-        tcp sport { 80, 443 } notrack accept
         udp sport 123 notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
diff --git a/nftables-social.conf b/nftables-social.conf
index cd8fb4b..5fe9fbf 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -42,9 +42,8 @@ table inet filter {
         # drop packets to address not configured on incoming interface (strong host model)
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
-        tcp dport 443 notrack accept
-        tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
-        tcp dport { 22, 80 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
@@ -53,23 +52,22 @@ table inet filter {
         policy drop
 
         iif lo goto input-loopback
-        tcp dport 443 accept
         meta l4proto { icmp, ipv6-icmp } accept
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-new {
-        tcp dport != { 22, 80 } goto graceful-reject
+        tcp dport != { 22, 80, 443 } goto graceful-reject
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
         accept
     }
 
@@ -77,8 +75,8 @@ table inet filter {
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -86,8 +84,8 @@ table inet filter {
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -100,7 +98,6 @@ table inet filter {
         type filter hook output priority raw
 
         oif lo notrack accept
-        tcp sport 443 notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
diff --git a/nftables-web.conf b/nftables-web.conf
index 7c5c3d9..288a1df 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -46,9 +46,8 @@ table inet filter {
         # drop packets to address not configured on incoming interface (strong host model)
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
-        tcp dport 443 notrack accept
-        tcp dport { 22, 80 } tcp flags syn limit rate 1024/second accept
-        tcp dport { 22, 80 } tcp flags syn counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+        tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }
 
@@ -57,23 +56,22 @@ table inet filter {
         policy drop
 
         iif lo goto input-loopback
-        tcp dport 443 accept
         meta l4proto { icmp, ipv6-icmp } accept
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
-        tcp dport { 22, 80 } synproxy mss 1460 wscale 7 timestamp sack-perm
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 22, 80, 443 } synproxy mss 1460 wscale 7 timestamp sack-perm
     }
 
     chain input-new {
-        tcp dport != { 22, 80 } goto graceful-reject
+        tcp dport != { 22, 80, 443 } goto graceful-reject
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
         tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
-        tcp dport 80 ip saddr @ip-connlimit-main counter reject with tcp reset
-        tcp dport 80 ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip saddr @ip-connlimit-main counter reject with tcp reset
+        tcp dport { 80, 443 } ip6 saddr and ffff:ffff:ffff:ffff:: @ip6-connlimit-main counter reject with tcp reset
         accept
     }
 
@@ -81,8 +79,8 @@ table inet filter {
         ct mark 0x1 accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -90,8 +88,8 @@ table inet filter {
         tcp flags != syn accept
         tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
         tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
-        tcp dport 80 add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
-        tcp dport 80 add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip-connlimit-main { ip saddr ct count over 32 } counter reject with tcp reset
+        tcp dport { 80, 443 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 32 } counter reject with tcp reset
         ct mark set 0x1 accept
     }
 
@@ -104,7 +102,6 @@ table inet filter {
         type filter hook output priority raw
 
         oif lo notrack accept
-        tcp sport 443 notrack accept
         meta l4proto { icmp, ipv6-icmp } notrack accept
     }