diff --git a/sbin/firehol b/sbin/firehol
index 7225e51..36187e8 100755
--- a/sbin/firehol
+++ b/sbin/firehol
@@ -409,6 +409,9 @@ FIREHOL_DROP_INVALID=1
 # Default: 1
 FIREHOL_LOG_DROP_INVALID=1
 
+# the action to be performed when we drop INVALID packets
+FIREHOL_DROP_INVALID_ACTION="DROP"
+
 # If set to 1, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
 # In modern kernels, the connection tracker detects closed sockets
 # and removes them from memory before receiving the FIN,ACK from the remote
@@ -5640,9 +5643,9 @@ protection() {
 invalid)
 if [ "${FIREHOL_DROP_INVALID}" -eq 0 ]
 then
-set_work_function "Rules for dropping invalid packets on '${prface}' for ${work_cmd} '${work_name}'"
+set_work_function "Rules to ${FIREHOL_DROP_INVALID_ACTION} invalid packets on '${prface}' for ${work_cmd} '${work_name}'"
 
-rule in chain "${in}_${work_name}" state INVALID action drop || return 1
+rule in chain "${in}_${work_name}" state INVALID action ${FIREHOL_DROP_INVALID_ACTION} || return 1
 fi
 ;;
 
@@ -11838,9 +11841,9 @@ firewall_filtering_policy_common_late() {
 if [ ${FIREHOL_LOG_DROP_INVALID} -eq 1 ]
 then
-rule table filter chain ${iptables_chain} state INVALID action DROP loglimit "BLOCKED INVALID ${iptables_chain}"
+rule table filter chain ${iptables_chain} state INVALID action ${FIREHOL_DROP_INVALID_ACTION} loglimit "${FIREHOL_DROP_INVALID_ACTION} INVALID ${iptables_chain}"
 else
-${iptables_cmd} -t filter -A ${iptables_chain} -m conntrack --ctstate INVALID -j DROP
+rule table filter chain ${iptables_chain} state INVALID action ${FIREHOL_DROP_INVALID_ACTION}
 fi
 fi
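Review bot: The comment added above `FIREHOL_DROP_INVALID_ACTION` says only that it is "the action to be performed when we drop INVALID packets"; it does not say which values `rule ... action` accepts, and it does not mention that in firewall_filtering_policy_common_late the same word also becomes the log prefix when FIREHOL_LOG_DROP_INVALID is 1, so an administrator who sets it to anything other than a drop or reject action quietly removes the INVALID-state filtering with no hint in the defaults. I would reword it in the neighbouring `# Default: 1` style: `# Action applied by 'rule' to packets in conntrack state INVALID (e.g. drop or reject);` / `# the same word is used as the log prefix when FIREHOL_LOG_DROP_INVALID is 1.` / `# Default: DROP`.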
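Review bot: `rule in chain "${in}_${work_name}" state INVALID action ${FIREHOL_DROP_INVALID_ACTION} || return 1` takes the action word from a user-settable variable with no check that it is non-empty; an empty value leaves `action` with no argument, and whether `rule` then fails (and is caught by `|| return 1`) or installs something other than the intended INVALID-state rule is not visible in this hunk. Because a missing INVALID rule is a silent loss of protection, I would fail closed before the first use, e.g. `: "${FIREHOL_DROP_INVALID_ACTION:?must name a rule action such as drop or reject}"`. The same unguarded expansion appears twice in the third hunk (firewall_filtering_policy_common_late), where the `else` branch's new `rule` call has no `|| return 1` at all. protection()'s body begins and ends outside this hunk.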