diff --git a/config/rootfiles/oldcore/164/update.sh b/config/rootfiles/oldcore/164/update.sh
index e6847359c..05f2a03e4 100644
--- a/config/rootfiles/oldcore/164/update.sh
+++ b/config/rootfiles/oldcore/164/update.sh
@@ -107,6 +107,9 @@ fi
 if [ "$(grep "^DROPSPOOFEDMARTIAN" /var/ipfire/optionsfw/settings)" == "" ]; then
 	echo "DROPSPOOFEDMARTIAN=on" >> /var/ipfire/optionsfw/settings
 fi
+if [ "$(grep "^LOGDROPCTINVALID" /var/ipfire/optionsfw/settings)" == "" ]; then
+	echo "LOGDROPCTINVALID=on" >> /var/ipfire/optionsfw/settings
+fi
 
 # Apply sysctl changes
 /etc/init.d/sysctl start
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 481d5bdbd..5611b71b7 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2014-2021 IPFire Team #
+# Copyright (C) 2007-2022 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -116,6 +116,9 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPCTINVALID'}{'off'} = '';
+$checked{'LOGDROPCTINVALID'}{'on'} = '';
+$checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
 $checked{'DROPPROXY'}{'off'} = '';
 $checked{'DROPPROXY'}{'on'} = '';
 $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'";
@@ -211,6 +214,13 @@ END $Lang::tr{'off'} + + $Lang::tr{'log dropped conntrack invalids'} + + $Lang::tr{'on'} / + $Lang::tr{'off'} + + $Lang::tr{'drop input'}
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 7a4b30ad5..a9b4dadd8 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
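Review bot: The `grep "^LOGDROPCTINVALID"` test on the added `if` line in update.sh matches the key as a prefix only, so any future setting whose name begins with LOGDROPCTINVALID would suppress the append; anchoring on the `=` states the intent and `grep -q` removes the command-substitution round trip: `if ! grep -q "^LOGDROPCTINVALID=" /var/ipfire/optionsfw/settings; then`. The DROPSPOOFEDMARTIAN check directly above uses the same prefix-only form, so this is consistent with the file's existing style and can be a follow-up rather than a blocker. The `==` inside `[ ]` is a bash extension rather than POSIX `=`, again matching the surrounding lines.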
@@ -1603,6 +1603,7 @@
 'locationblock enable feature' => 'Location-basierte Filterung aktivieren:',
 'locationblock flag' => 'Flagge',
 'log' => 'Protokoll',
+'log dropped conntrack invalids' => 'Verworfene, von der Verbindungsverfolgung als INVALID eingestufte Pakete protokollieren',
 'log enabled' => 'Protokoll aktiviert',
 'log level' => 'Protokollierungsniveau',
 'log lines per page' => 'Zeilen pro Seite',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 644eb0574..ed0d756f5 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1651,6 +1651,7 @@
 'locationblock enable feature' => 'Enable Location based blocking:',
 'locationblock flag' => 'Flag',
 'log' => 'Log',
+'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking',
 'log enabled' => 'Log Enabled',
 'log level' => 'Log Level',
 'log lines per page' => 'Lines per page',
diff --git a/lfs/configroot b/lfs/configroot
index b836767c1..111ab6787 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -131,6 +131,7 @@ $(TARGET) :
 	echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
 	echo "DROPSPOOFEDMARTIAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
 	echo "DROPHOSTILE=on" >> $(CONFIG_ROOT)/optionsfw/settings
+	echo "LOGDROPCTINVALID=on" >> $(CONFIG_ROOT)/optionsfw/settings
 	echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
 	echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
 	echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2ae6157aa..14f93d9c7 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -121,9 +121,15 @@ iptables_init() {
 	iptables -A FORWARD -p tcp -j BADTCP
 
 	# Connection tracking chains
+	iptables -N CTINVALID
+	if [ "$LOGDROPCTINVALID" == "on" ]; then
+		iptables -A CTINVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID "
+	fi
+	iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"
+
 	iptables -N CONNTRACK
 	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
+	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
 	iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
 	# Restore any connection marks
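Review bot: Log consumers keyed on whatever prefix the old `LOG_DROP` target emitted will stop seeing conntrack-INVALID drops after this hunk, because the `--ctstate INVALID` rule now jumps to `CTINVALID`, whose LOG rule uses the prefix `DROP_CTINVALID ` and is installed only when `$LOGDROPCTINVALID` is `on`; confirm the firewall log viewer and any parsers recognise the new prefix. If `$LOGDROPCTINVALID` is empty because the optionsfw settings were not sourced before `iptables_init` runs (the sourcing, if any, is outside the hunk), the `==` comparison silently takes the no-log path and these drops become invisible rather than failing loudly, so it is worth a comment on the `iptables -N CTINVALID` line such as `# CTINVALID: drop packets conntrack classifies as INVALID; log them (rate-limited) only when LOGDROPCTINVALID=on`. The `-m limit --limit 10/second` rule relies on the module's default burst, which that comment could state explicitly. `iptables_init` begins before and continues past this hunk.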