Recently I've started to see numerous entries where Facebook has been blocked attempting to connect in:
Code:
From 66.220.145.39 - 39 packets to tcp(49239,49240,49339,49344,49398,49399,49490,49493,49521,49540,49558,49566,49587,49590,49612,55723)
Source port is always 80, and whilst the client concerned is a Facebook user, it seems odd that conntrack would drop these if they really were related/established to the active session.
It's not the first load of Facebook weirdness I've seen either. A while ago our DNS servers were regularly being bombed by Facebook effectively firing off about 20 attempts in for every one out - again caught and dropped by iptables.
In the latter DNS case I'm guessing some kind of naughtiness relating to geolocation, but I can't figure out what they are trying to do with the port 80 reverse connections. I doubt that a packet capture would help much, unless I whitelist Facebook IPs, and I don't really want to do that as I can't say they are a company I would trust.
EDIT
It's just crossed my mind that it could be dodgy load balancing with direct server return.
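Added example, not part of the original post: a small triage script for summary lines like the one quoted above. It parses the entry and checks whether every destination port sits in the client ephemeral range, which is the shape of server replies that no longer match a tracked connection, as opposed to attempts against listening services. The function names, the IANA port range default, and the second sample line are assumptions made for illustration.

```python
import re
from ipaddress import ip_address

# IANA dynamic port range. Assumption: adjust for clients that pick
# source ports elsewhere (Linux defaults to 32768-60999).
EPHEMERAL = range(49152, 65536)

LINE_RE = re.compile(
    r"From (?P<src>\S+) - (?P<count>\d+) packets? to "
    r"(?P<proto>\w+)\((?P<ports>[\d,]+)\)"
)

# The line quoted in the post.
POST_LINE = ("From 66.220.145.39 - 39 packets to tcp(49239,49240,49339,49344,"
             "49398,49399,49490,49493,49521,49540,49558,49566,49587,49590,"
             "49612,55723)")
# Constructed sample (documentation address) for contrast.
PROBE_LINE = "From 203.0.113.7 - 3 packets to tcp(22,23,3389)"


def parse_summary(line):
    """Parse one iptables summary line into source, count, proto, ports."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised summary line: {line!r}")
    return {
        "src": ip_address(m["src"]),
        "packets": int(m["count"]),
        "proto": m["proto"],
        "ports": [int(p) for p in m["ports"].split(",") if p],
    }


def triage(entry, ephemeral=EPHEMERAL):
    """Heuristic label based only on the dropped packets' destination ports."""
    high = [p for p in entry["ports"] if p in ephemeral]
    if len(high) == len(entry["ports"]):
        return "reply-like"      # all targets are client-side ephemeral ports
    if not high:
        return "service-like"    # all targets are below the ephemeral range
    return "mixed"


if __name__ == "__main__":
    for line in (POST_LINE, PROBE_LINE):
        e = parse_summary(line)
        print(e["src"], e["packets"], len(e["ports"]), triage(e))
```

A "reply-like" result only narrows the question; confirming it needs the TCP flags of the dropped packets, which a LOG rule placed ahead of the drop would record.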