> just put the rule in PVEFW-FORWARD, after > > -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP -A PVEFW- > FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT but that only works if the optimize flag is set (else we do not have that rule)?