nftablesのルールを書いたのですが、添削・指摘をお願いします。

##添削・指摘をお願いします
nftablesのルールを調べて書いたのですが、合っているのか分かりません。添削・指摘をお願いします。
OSはUbuntu18.04LTS、nftablesのバージョンは0.8.2です

#!/usr/sbin/nft -f

# Reset
flush ruleset

# Load the external file of the IP list you want to drop
include "/etc/nftables/drop_ip_list.nft"

table inet filter {
  chain input {
    type filter hook input priority 0;
    
    # Default drop
    policy drop;
    
    # Allow ICMP
    ip protocol icmp counter accept;
    
    # Allow established communication
    ct state {established, related} accept;
    
    # Allow localhost
    iif lo accept;
    
    jump filter_broadcast;
    jump filter_fragments;
    jump filter_icmp;
    jump filter_synflood;
    jump filter_pingofdeath;
    jump filter_ipspoofing;
    jump drop_others;
    
    # Allow SSH
    tcp dport 12345 ct state new accept;
    
    # Allow Web
    tcp dport {80, 443} ct state new accept;
    
    jump drop_others;
  }

  chain forward {
    type filter hook forward priority 0;

    # Default drop
    policy drop;
    
    # Allow established communication
    ct state {established, related} accept;

    # Allow localhost
    iif lo accept;
  }

  chain output {
    type filter hook output priority 0;

    # Default accept
    policy accept;
  }

  chain filter_broadcast {
    pkttype != {broadcast, multicast} return;
    drop;
  }

  chain filter_fragments {
    ip frag-off & 0x1fff 0 return;
    limit rate 6/minute burst 10 packets log prefix "[NFTABLES FRAGMENT]: " level debug continue;
    drop;
  }

  chain filter_icmp {
    icmpv6 type {
    echo-request limit rate 10/minute
    destination-unreachable,
    packet-too-big,
    time-exceeded,
    parameter-problem,
    nd-router-advert,
    nd-neighbor-solicit,
    nd-neighbor-advert,
  } accept;

    icmp type {
    echo-request limit rate 10/minute
    destination-unreachable,
    router-advertisement,
    time-exceeded,
    parameter-problem,
  } accept;

  chain filter_synflood {
    ct state != new return;
    set syn_scan {ip saddr limit rate 2/second burst 100 packets} return;
    limit rate 6/minute burst 10 packets log prefix "[NFTABLES SYNFLOOD]: " level debug continue;
    drop;
  }

  chain filter_pingofdeath {
    icmp type != echo-request return;
    set ping_scan {ip saddr limit rate 1/second burst 4 packets} return;
    limit rate 6/minute burst 10 packets log prefix "[NFTABLES PING_OF_DEATH]: " level debug continue;
    drop;
  }

  chain filter_ipspoofing {
    ct state != new return;
    ip saddr 10.0.0.0/8 counter drop;
    ip saddr 172.16.0.0/12 counter drop;
    ip saddr 169.254.0.0/16 counter drop;
    ip saddr 192.0.2.0/24 counter drop;
    ip daddr 255.255.255.255 counter drop;
  }
  
  chain drop_others {
    limit rate 6/minute burst 10 packets log prefix "[NFTABLES SCANED]: " level debug continue;
    drop;
  }
}

##教えて欲しいこと
これにステルススキャン対策を追加したいです。どう書けば良いでしょうか？