Lately, while checking the netfilter logs on an Ubuntu Precise (12.04) box running v3.8-rc1 (for nouveau testing), I noticed *a lot* of packets being blocked. Most of them carried the IP 31.13.64.7.
Whois showed that this was a family member visiting Facebook.
Looking on Google only yielded results on how to effectively block Facebook (along with some really bad examples, btw...).
After some further digging, it seems that netfilter's 'state' module marks Facebook packets as 'invalid'.
Initial connections work fine though; the problem can be reproduced most effectively by opening an fb page, like this one, then scrolling down and waiting for it to load more content. But make sure you wait random amounts of time before you do so.
If you add a log filter to catch these packets, it will trigger:
27-12-2012 16:01 .warning ::: pkt invalid: IN=eth0 OUT= MAC=00:0c:76:1c:dd:c8:00:1b:2f:a9:48:e8:08:00 SRC=31.13.64.7 DST=10.32.32.65 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=33435 DF PROTO=TCP SPT=443 DPT=44911 WINDOW=0 RES=0x00 ACK RST URGP=0
27-12-2012 16:01 .warning ::: pkt invalid: IN=eth0 OUT= MAC=00:0c:76:1c:dd:c8:00:1b:2f:a9:48:e8:08:00 SRC=31.13.64.7 DST=10.32.32.65 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=4902 DF PROTO=TCP SPT=80 DPT=51042 WINDOW=0 RES=0x00 ACK RST URGP=0
Does someone have any idea what's going on here?
I tripped over this because I use ESTABLISHED, UNTRACKED and NEW to sort packets in the 'filter' table. Everything else, like INVALID and RELATED (don't use this), is not relevant whatsoever and gets blocked (like it should be...).
Netfilter producing false positives is something new to me...
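As an added example that is not part of the original post, here is a small Python parser for netfilter LOG output (the format the iptables LOG target writes, as in the lines quoted above). It splits each line into its KEY=VALUE fields and bare flag tokens (DF, ACK, RST, ...), keeps only the entries whose log prefix says "invalid", and picks out the bare TCP resets with a zero window that the post shows, counting them per source address and server port. The sample input is constructed here: the two lines from the post plus one made-up SYN/ACK line from the same host so the filter has something to leave out; the function names are my own.

```python
from collections import Counter

# Constructed sample: the two LOG lines quoted in the post plus a third,
# made-up line (a SYN/ACK with a non-zero window) that the filter must ignore.
SAMPLE_LOG = """\
27-12-2012 16:01 .warning ::: pkt invalid: IN=eth0 OUT= MAC=00:0c:76:1c:dd:c8:00:1b:2f:a9:48:e8:08:00 SRC=31.13.64.7 DST=10.32.32.65 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=33435 DF PROTO=TCP SPT=443 DPT=44911 WINDOW=0 RES=0x00 ACK RST URGP=0
27-12-2012 16:01 .warning ::: pkt invalid: IN=eth0 OUT= MAC=00:0c:76:1c:dd:c8:00:1b:2f:a9:48:e8:08:00 SRC=31.13.64.7 DST=10.32.32.65 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=4902 DF PROTO=TCP SPT=80 DPT=51042 WINDOW=0 RES=0x00 ACK RST URGP=0
27-12-2012 16:02 .warning ::: pkt new: IN=eth0 OUT= MAC=00:0c:76:1c:dd:c8:00:1b:2f:a9:48:e8:08:00 SRC=31.13.64.7 DST=10.32.32.65 LEN=60 TOS=0x00 PREC=0x00 TTL=250 ID=7 DF PROTO=TCP SPT=443 DPT=44912 WINDOW=14480 RES=0x00 ACK SYN URGP=0
"""

# Tokens the LOG target prints without a '=' : IP flags and TCP flags.
FLAG_TOKENS = {"DF", "MF", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Fields that are plain decimal numbers and are easier to handle as ints.
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict; return None for non-LOG lines."""
    idx = line.find(" IN=")
    if idx < 0:
        return None
    head, body = line[:idx], line[idx + 1:]
    # The --log-prefix text is whatever sits between the syslog ':::' and 'IN='.
    prefix = head.rsplit(":::", 1)[-1].strip() if ":::" in head else head.strip()
    rec = {"prefix": prefix, "flags": set()}
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        elif tok in FLAG_TOKENS:
            rec["flags"].add(tok)
    return rec


def is_bare_reset(rec):
    """True for packets shaped like the ones in the post: TCP, RST set,
    neither SYN nor FIN, and an advertised window of zero."""
    return (rec.get("PROTO") == "TCP"
            and "RST" in rec["flags"]
            and not rec["flags"] & {"SYN", "FIN"}
            and rec.get("WINDOW") == 0)


def invalid_resets(log_text):
    """All bare resets whose log prefix marks them as conntrack INVALID."""
    return [r for r in map(parse_log_line, log_text.splitlines())
            if r and "invalid" in r["prefix"].lower() and is_bare_reset(r)]


def summarize(records):
    """Count resets per (source address, source port) so a burst of
    resets from one server port stands out."""
    return Counter((r["SRC"], r["SPT"]) for r in records)


if __name__ == "__main__":
    hits = invalid_resets(SAMPLE_LOG)
    for (src, spt), n in sorted(summarize(hits).items()):
        print(f"{src}:{spt}  invalid bare RST/ACK packets: {n}")
```

Run against the real log (for example `journalctl -k` or `/var/log/kern.log` piped into `invalid_resets`) the same filter shows whether the INVALID hits are all of this one shape, which narrows the question to why conntrack no longer has a matching entry when the server's reset arrives.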