Ok so how can we send reset reply to invalid tcp packets? For ex in my firewall i have something like this:
forward accept established and related
forward drop invalid
ok but i see in logs a lot of packets marked as invalid and beeing droped by last rule, even my local trafic to different sites http/https so this is not a particular case of invalid packets since even some of my packets are ‘marked’ as invalid
forward reject invalid reject-with tcp-reset?
I would investigate however why connection started from inside generate invalid connections as that could point to defective hardware.
I wouldn’t send any kind of tcp-reset as that could lead to being more vulnerable to DDoS, so if you use that as a band aid for your LAN, make sure you only reject with tcp-reset connections from the LAN.