desertadmin
Member Candidate
Topic Author
Posts: 232
Joined: Tue Jul 26, 2005 6:09 pm
Location: Las Vegas, New Mexico

What is the exact details of an INVALID Connection State?

Sun Dec 07, 2008 11:26 am

What is considered invalid? I have noticed this drop-invalid rule on my firewall had a high hit count, so I decided to log it. This is what I got:

02:18:43 firewall,info INVALID DROP forward: in:D1S1 out:ether1, src-mac 00:00:CC:12:06:f5, proto TCP (ACK,FIN), 192.168.165.5:1790->207.141.27.145:80, len 20

There are a ton of these. I do believe it is due to the uTorrent clients that are on my network. The question is why it appears as an invalid connection. Is it due to the length of the packet? What can be done to make this better? I do not know if it is a huge problem, but I see a lot of these numbers incremented on my invalid drops, and if they are invalid connections of typical traffic then this could cause a problem on the overall network.

Any advice or comments are much appreciated on this.

-Sincerely,
DesertAdmin
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: What is the exact details of an INVALID Connection State?

Sun Dec 07, 2008 11:44 am

Maybe try to increase the connection tracking timeouts? I think all packets belonging to unknown connections and not initiating new connections are invalid.
 
dot-bot
Member Candidate
Posts: 164
Joined: Tue Oct 11, 2005 7:05 pm

Re: What is the exact details of an INVALID Connection State?

Sun Dec 07, 2008 4:04 pm

In my case and opinion, clients re-associating causes client IP address changes, causing these ACK packets you are seeing. P2P activity increases these. Currently I have decided to leave them alone, since they seem to be dropped and later the remote hosts stop transmitting due to timeouts. Another approach would be to reply with ICMP host unreachable.

Is this correct?
 
macgaiver
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: What is the exact details of an INVALID Connection State?

Mon Dec 08, 2008 10:13 am

Connection-state=invalid is when the router receives a packet that is not connection-state=new and it doesn't have any information about it in the connection tracking table.

In other words, you receive a packet that belongs to a connection that you don't know anything about.
 
desertadmin
Member Candidate
Topic Author
Posts: 232
Joined: Tue Jul 26, 2005 6:09 pm
Location: Las Vegas, New Mexico

Re: What is the exact details of an INVALID Connection State?

Mon Dec 08, 2008 7:09 pm

So is it always bad to block invalids? Could invalid packets possibly be valid, or doesn't it matter and it is recommended to drop all invalids?
I just see such a high volume of invalids that I wonder if that is causing a lot of problems on my networks, or perhaps they are all just torrent junk and it doesn't matter.

I say this because we have a couple of customers that show odd problems with particular websites, and even various video games do not work, because I have each wireless sector behind a masquerade NAT. I just figured that it was because they were being NAT'd that they were having problems; now I think it may be due to invalid packets.

Any comments are most welcomed.

-Cheers,
DesertAdmin
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: What is the exact details of an INVALID Connection State?

Mon Dec 08, 2008 7:16 pm

It could be that some are actually valid, and some aren't. The connection-tracking timeouts will determine this. For instance, if you change your SYN timeout way down, make a request to a website, and they take longer than X seconds to respond, you will drop them from the connection table; however, they might still respond after you've closed state, and that packet is dropped. In the case of UDP timeouts, if you make DNS queries and the response takes too long, it will not be a valid connection anymore (even though it's UDP).

You might want to examine that traffic and see if it's related to something you can pinpoint. If you've changed your connection-tracking timeouts maybe post them so we can review. If you want to post some log entries we can help review as well.

I see LOTS of ACK,FIN and ACK,RST packets like this ... the connection was properly closed but one side didn't get the ACK, so it sends it again. It seems like on 3.x vs 2.9 these are a lot worse, not quite sure why myself.
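As an added illustration of the two explanations above (macgaiver's definition of connection-state=invalid and changeip's point about timeouts), here is a small Python model of a connection-tracking table; it is not RouterOS code and not from any poster. The timeouts and the packet timings are assumed values chosen to replay the ACK,FIN log line from the first post.

```python
# Added example: a minimal model of the connection-tracking decision described
# in the thread. Not RouterOS code; timeouts and packet timings are constructed.
from dataclasses import dataclass

# Assumed illustrative timeouts in seconds (RouterOS values differ).
TIMEOUTS = {"syn-sent": 5.0, "established": 600.0, "close": 10.0}


@dataclass
class Entry:
    state: str       # syn-sent, established or close
    last_seen: float


class ConnTracker:
    def __init__(self):
        self.table = {}  # (endpoint, endpoint) -> Entry, shared by both directions

    def _expire(self, now):
        for key, e in list(self.table.items()):
            if now - e.last_seen > TIMEOUTS[e.state]:
                del self.table[key]

    def classify(self, now, src, dst, flags):
        """Return the connection-state a stateful filter assigns to a TCP packet."""
        self._expire(now)
        key = tuple(sorted([src, dst]))
        entry = self.table.get(key)
        if entry is None:
            if flags == {"SYN"}:
                self.table[key] = Entry("syn-sent", now)
                return "new"
            # Not a connection opener and nothing in the table: invalid.
            return "invalid"
        entry.last_seen = now
        if flags & {"FIN", "RST"}:
            entry.state = "close"          # short timeout from here on
        elif entry.state == "syn-sent" and "ACK" in flags:
            entry.state = "established"
        return "established"


def late_fin_scenario():
    """Replay the thread's log line: an ACK,FIN retransmitted after the
    closing entry has timed out is reported as invalid."""
    ct = ConnTracker()
    c, s = ("192.168.165.5", 1790), ("207.141.27.145", 80)  # endpoints from the log
    packets = [(0.0, c, s, {"SYN"}), (0.1, s, c, {"SYN", "ACK"}), (0.2, c, s, {"ACK"}),
               (1.0, c, s, {"FIN", "ACK"}), (1.1, s, c, {"FIN", "ACK"}),
               (20.0, c, s, {"FIN", "ACK"})]  # final ACK lost, client retransmits late
    return [ct.classify(t, a, b, f) for t, a, b, f in packets]
```

Raising the "close" timeout in TIMEOUTS makes the last packet classify as established instead, which is the trade-off changeip describes.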
