Firewall connection-state=invalid

otgooneo · April 12, 2011, 4:44am

Hello, what exactly means /ip firewall filter connection-state=invalid? Please share the link, if any where good explanation about it. Thank you

blake · April 12, 2011, 4:59am

[Connection-state] interprets the connection tracking analysis data for a particular packet:
established - a packet which belongs to an existing connection
invalid - a packet which could not be identified for some reason
new - a packet which begins a new connection
related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection

Look for connection-state under Properties at the link below.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties

otgooneo · April 12, 2011, 7:48am

Hi blake

Yes I have seen it. But what exactly means that “for some reasons”? Do you have examples of those reasons.

mrz · April 12, 2011, 8:29am

If there are no connection tracking entry for source/destination, and packet is not “new” (syn for TCP) then it is considered invalid.

otgooneo · May 3, 2011, 6:48am

Okay. Thank you MRZ

eugenevdm · June 28, 2013, 11:00am

Is it always safe to drop these?

Why would this happen?

We seem to find it a lot with users who are using peer to peer.