I see that protection rules are applied in such a way that INVALID packets are dropped even before being identified as bad-packets (xmas, NULL, etc.).
Shouldn't the bad-packets be tracked before?
Therefore, the INVALID chain should appear at the bottom.
i.e. after "fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad"
Please correct me if I'm wrong.
With the current default FireHOL settings, I see no hits on chains for malformed-* packets.
Thanks in advance.