diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index 8ca2cc232..8288a3286 100644
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -13,6 +13,9 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
 # PORT PORT(S) DEST LIMIT GROUP
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all
 #
 # Accept DNS connections from the firewall to the Internet
 #
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index 4dcec9128..ab6aa9fe0 100644
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -13,6 +13,9 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
 # PORT PORT(S) DEST LIMIT GROUP
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all
 #
 # Accept DNS connections from the firewall to the network
 #
diff --git a/Samples6/three-interfaces/rules b/Samples6/three-interfaces/rules
index 77cc9ed09..a9b9de846 100644
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -13,6 +13,9 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
 # PORT PORT(S) DEST LIMIT GROUP
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all
 #
 # Accept DNS connections from the firewall to the Internet
 #
diff --git a/Samples6/two-interfaces/rules b/Samples6/two-interfaces/rules
index 75065698e..1afdb16d2 100644
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
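Review bot: The comment above the new `Invalid(DROP) net all` rule speaks of connection pickup, but the rule leaves the PROTO column empty and names no log level, so it silently drops every INVALID-state packet from net whatever the protocol. If only TCP pickup is meant, `Invalid(DROP) net all tcp` would say so; if the broad match is intended, a comment such as `# Drop packets from the net that conntrack marks INVALID` describes the rule more exactly. Whether a mid-stream TCP packet is classed INVALID rather than NEW presumably depends on the kernel's conntrack pickup setting (`nf_conntrack_tcp_loose`), so the comment should not promise more than the rule checks. The same three lines are added in Samples/two-interfaces/rules, Samples6/three-interfaces/rules and Samples6/two-interfaces/rules, and each rules file continues outside its hunk.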
@@ -13,6 +13,9 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
 # PORT PORT(S) DEST LIMIT GROUP
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all
 #
 # Accept DNS connections from the firewall to the network
 #