diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index 58cc329..4e5374b 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -47,7 +47,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index 90f8632..0809af7 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
@@ -47,7 +47,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index e9d6819..9a75416 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@@ -59,7 +59,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index 82a2a98..57dfcd2 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
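Review bot: The added `invalid : drop` entry in nftables-attestation.conf only applies to packets that reach the vmap; TCP traffic to ports 22, 80 and 443 is diverted by the preceding `goto input-tcp-service` and never sees this verdict, so it is worth confirming that `input-tcp-service` (its body is outside the hunk, as is the start of the enclosing chain) handles the invalid conntrack state itself. As far as the hunk shows, the vmap is the last rule of a chain with `policy drop`, so the new entry appears to change no verdict and serves as a statement of intent; a comment such as `# invalid is listed explicitly; the chain policy would drop it anyway` would make that clear to the next reader. The same applies to the identical hunks in the discuss, mail, matrix, network, ns1, ns2, social and web configs. With the rule repeated verbatim in nine files, moving it into one shared file pulled in with `include` would keep future changes from drifting between hosts.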
@@ -47,7 +47,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index 7484cfd..f6ca8fe 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -56,7 +56,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index 35cad87..ec57b59 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -49,7 +49,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index e1fb0b2..42a017a 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -61,7 +61,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 8ce2b6a..3b46e0f 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -47,7 +47,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index e1dc5ed..e6f8471 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@@ -57,7 +57,7 @@ table inet filter {
 policy drop
 tcp dport { 22, 80, 443 } goto input-tcp-service
- ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+ ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
 }
 chain input-tcp-service {