I have two IPFires in the same environment. One gets about 9x more CTINVALID firewall hits than the other. The one with more CTINVALID hits also is where mobile phones are connected, so I am assuming it is related to the mobile phones. What about mobile phones creates so many DROP_CTINVALIDs?
DROP_CTINVALID is where conntrack has flagged packets up as not belonging to any established connection and has therefore marked the packets as invalid.
It looks to me like mobile phones are mangling up the packet structure and failing to correctly indicate which established connection the packet belongs to.
Either that or the mobile phone OS is trying to inject its own packets into the network, having bypassed the NEWNOTSYN check, but that would be like an attack on the network, so hopefully they are not doing that.
Unfortunately mobile phones do seem to do quite a few things their own way that mean things don’t work as we would expect them to.
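As an added example (not code from this thread or from IPFire), a small Python script that groups DROP_CTINVALID entries from the kernel log by source host and by protocol/TCP-flag combination, so you can check whether the hits really come from the phones' addresses and whether they are mostly stray ACK/RST/FIN packets for connections that conntrack no longer tracks. The log lines below are constructed samples in the standard netfilter LOG format; on a real box you would feed it /var/log/messages.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG format that IPFire writes to
# /var/log/messages: the rule name as prefix, then KEY=VALUE pairs, with the
# TCP flags appearing as bare words (ACK, RST, FIN, ...).
SAMPLE_LOG = """\
Mar  4 10:21:07 ipfire kernel: DROP_CTINVALID IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44210 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  4 10:21:09 ipfire kernel: DROP_CTINVALID IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44210 DPT=443 WINDOW=2048 RES=0x00 ACK URGP=0
Mar  4 10:21:15 ipfire kernel: DROP_CTINVALID IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=31337 PROTO=UDP SPT=50001 DPT=4500
Mar  4 10:22:01 ipfire kernel: DROP_CTINVALID IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.20 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=0 RES=0x00 ACK FIN URGP=0
Mar  4 10:22:30 ipfire kernel: DROP_NEWNOTSYN IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.20 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Mar  4 10:22:41 ipfire sshd[1234]: Accepted publickey for admin from 192.168.1.10 port 50022 ssh2
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<rest>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_line(line):
    """Return (prefix, fields) for a netfilter LOG line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    # Bare flag words are not KEY=VALUE pairs, so collect them separately.
    fields["FLAGS"] = " ".join(sorted(w for w in rest.split() if w in TCP_FLAGS))
    return m.group("prefix"), fields

def summarize(log_text, prefix="DROP_CTINVALID"):
    """Count hits for one rule prefix per source host and per protocol/flag combination."""
    per_src, per_kind = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] != prefix:
            continue
        f = parsed[1]
        per_src[f["SRC"]] += 1
        per_kind[(f.get("PROTO", "?"), f["FLAGS"])] += 1
    return per_src, per_kind

if __name__ == "__main__":
    src, kind = summarize(SAMPLE_LOG)
    print("hits per source host:", dict(src.most_common()))
    print("hits per protocol/flags:", dict(kind.most_common()))
```

A source list dominated by the phones' addresses, with mostly ACK/RST/FIN-only TCP entries, points at late packets for connections whose conntrack entry has already gone, rather than at anything injecting traffic.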