In MikroTik RouterOS, “invalid connections” refer to data packets that cannot be identified as part of an existing, valid, or well-formed connection according to the rules set in the firewall.
These connections can be the result of various situations, such as late response packets from an already closed connection, port scanning attacks, or attempts to connect to unavailable services (closed ports), among others.
The MikroTik RouterOS firewall uses connection tracking to classify network traffic by connection state, and one of those states is precisely "invalid". Identifying and discarding invalid connections is an important security practice because it helps:
- Reduce exposure to attacks: by discarding unsolicited or malformed traffic, you reduce the attack surface that malicious actors can exploit.
- Improve performance: eliminating unnecessary or potentially dangerous packet processing can help improve router and overall network performance.
- Maintain network integrity: ensuring that only valid and expected traffic is processed helps maintain network integrity and reliability.
In RouterOS, firewall rules to handle invalid connections are typically configured in the input or forward chain with an action of drop, thus discarding packets identified as part of an invalid connection. A common example of a rule to detect and discard these types of connections is:
/ip firewall filter add chain=input connection-state=invalid action=drop
This rule blocks and discards any packets identified as part of an invalid connection before they reach services running on the router itself (the input chain); an equivalent rule in the forward chain stops them before they are forwarded to other parts of the network.
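The rule above in context, as an added example that is not from the original post: the invalid drop is placed in both chains, after the established/related accept so that legitimate reply traffic is never evaluated against it, and a log rule is added in front of it so that drops are visible. The `inv-drop` log prefix and the rule comments are assumptions chosen for this example.

```routeros
# Added example (not part of the original post). Order matters: RouterOS
# evaluates filter rules top to bottom, so accept established/related
# first, then log and drop invalid, then any service-specific accepts.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="accept replies to traffic this router initiated"
add chain=input connection-state=invalid action=log log-prefix="inv-drop" \
    comment="record invalid packets hitting the router itself"
add chain=input connection-state=invalid action=drop \
    comment="drop packets conntrack cannot match to any known connection"
add chain=forward connection-state=established,related action=accept \
    comment="accept replies for traffic transiting the router"
add chain=forward connection-state=invalid action=log log-prefix="inv-drop" \
    comment="record invalid packets destined for hosts behind the router"
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid transit packets before they reach LAN hosts"
```

Matching on connection-state only works while connection tracking is enabled (check `/ip firewall connection tracking print`), and `/ip firewall filter print stats` shows the per-rule packet counters, which is the quickest way to confirm the drop rule is actually being hit.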
Proper handling of invalid connections is only one part of a complete network security strategy. However, it is a crucial component in protecting network resources against unauthorized access and other types of malicious attacks.