Recently I've started to see numerous entries where Facebook has been blocked attempting to connect in;

Source port is always 80 and whilst the client concerned is a Facebook user, it seems odd that contrack would drop these if they really were related/established to the active session.

It's not the first load of Facebook weirdness I've seen either. A while ago our DNS servers were regularly being bombed by Facebook effectively firing off about 20 attempts in for every one out - again caught and dropped by iptables.

In the later DNS case I'm guessing some kind of naughtiness relating to geolocation, but I can't figure out what they are trying to do with the port 80 reverse connections? I doubt that a packet capture would help much, unless I whitelist Facebook IP's, and I don't really want to do that as I can't say they are a company I would trust.

EDIT
It's just crossed my mind that it could be dodgy load balancing with direct server return.

Well it certainly looks like return traffic of some form, so you're thoughts about load balancing sound like a very good direction to explore. Some form of asymmetry somewhere local is usually a good bet for this.

Personally I would be looking at a capture, and trying to find the opening of the connection, maybe through a different interface / device. But then I try to solve *EVERYTHING* with a packet capture.w Routing issue? Packet capture. Car won't start? Packet capture. Greek financial crisis? Packet capture.

That's why it's all Greek to me ;->

Packet Capture it is then.....

Thanks Chris.