diff --git a/etc/nftables/nftables-network.conf b/etc/nftables/nftables-network.conf
index 7b3f5f9..de59d65 100644
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
@@ -51,11 +51,11 @@ table inet filter {
 # ordered after accepting loopback to permit using external IPs via loopback
 fib daddr . iif type != { local, broadcast, multicast } counter drop
+ udp dport $udp-ports notrack accept
+ # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
- udp dport $udp-ports notrack accept
- meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
 meta l4proto ipv6-icmp notrack accept