Re: iptables and INVALID packet filtering.

So, it is better to use state module instead of conntrack,

when it comes to filter INVALID packets or it does not

matter, which module will be in use? What is your
opinion on this?

I'm wondering why there is so much entries about INVALID

packets in log files. Frankly, after - let say - 6, 7 hour of
computer use, there are about 40-50 logged events. Maybe

more. I don't know if it is something wrong.

I know, that in e.g. iptables v1.4.16.3, state module is obsolete.

But this is just an example;

$ ... INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

WARNING: The state match is obsolete. Use conntrack instead.

This module was available in iptables v1.4.13. Of course,

if I remember correctly.

Best regards Matthew.

Reply to:

Follow-Ups:
- Re: iptables and INVALID packet filtering.
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

References:
- iptables and INVALID packet filtering.
  - From: Daniel Curtis <sidetripping@gmail.com>
- Re: iptables and INVALID packet filtering.
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: iptables and INVALID packet filtering.
  - From: Matthew Babcock <MBabcock@AandRSecurity.com>
- Re: iptables and INVALID packet filtering.
  - From: Daniel Curtis <sidetripping@gmail.com>
- Re: iptables and INVALID packet filtering.
  - From: Matthew Babcock <MBabcock@AandRSecurity.com>
- Re: iptables and INVALID packet filtering.
  - From: Daniel Curtis <sidetripping@gmail.com>
- Re: iptables and INVALID packet filtering.
  - From: Matthew Babcock <MBabcock@AandRSecurity.com>