Unrelated outbound ACK FIN packets found in firewall logs

Checking my firewall log, I’ve found something peculiar. Only for ports 80 and 443 (HTTP and HTTPS respectively), some ACK-FIN packets are logged that are apparently not considered part of the RELATED,ESTABLISHED chain rule.

Example of the firewall entry:

Oct 15 17:37:34 localhost kernel: SFW2-OUT-ERROR IN= OUT=wlan0 SRC=192.168.1.10 DST=130.57.4.16 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=60812 DF PROTO=TCP SPT=41664 DPT=80 WINDOW=7029 RES=0x00 ACK FIN URGP=0

The firewall outbound chain rules (default on SUSE 11.1, but I’ve noticed the same on 11.0, so it’s not a beta problem):

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options

Running tcpdump for a while and trying to match firewall log timestamps with tcpdump timestamps, it appears the packets refer to traffic about 10 minutes old.

Also, on another system (Debian), which is a server, I’ve noticed the same for inbound traffic: ACK-FIN packets that are not part of the RELATED,ESTABLISHED chain. Associating those timestamps with the web server’s access logs, I found that they are logged about 10-15 minutes later than the last (apparently regular) HTTP request from that IP.

Two things are peculiar about this:

  1. The log shows an outbound packet, so it is not something delayed by a random route or router on the net.
  2. It happens only for HTTP-related ports, regardless of whether I use Firefox or Konqueror (at first I assumed FF was tampering with the TCP stack), and for traffic to random sites.

I’ve spoken to someone on the #iptables channel on IRC and they suggest it could be a kernel bug, and that I should send the logs to the appropriate mailing list.

Well, if anyone can tell me where to send those logs, I’ll be happy to. Also, does anyone else see the same in their firewall logs? Am I totally misinterpreting this?
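The correlation the post describes (matching the logged FIN/ACK packets against the last time tcpdump or the access log saw that flow) can be done mechanically. The script below is an added example, not code from the original post: it parses netfilter LOG lines in the format shown above, keeps only bare FIN/ACK or RST packets (no SYN) on port 80/443, and reports how long after the flow's last known activity each one was logged. Only the first sample line is the one from the post; the other log lines, the `LAST_SEEN` table, and the 60 s value for `nf_conntrack_tcp_timeout_close_wait` (the stock kernel default, check `sysctl net.netfilter.nf_conntrack_tcp_timeout_close_wait` on your own box) are assumptions made for the example.

```python
from datetime import datetime

# Tokens a netfilter LOG line prints without a "=value" part.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
IP_FLAGS = {"DF", "MF", "CE"}
HTTP_PORTS = {80, 443}
# Assumed stock default for net.netfilter.nf_conntrack_tcp_timeout_close_wait.
CLOSE_WAIT_TIMEOUT_S = 60

# Constructed sample log; line 1 is the entry quoted in the post, the rest are
# made up for the example (a 443 teardown, an SSH teardown, a UDP packet).
SAMPLE_LOG = """\
Oct 15 17:37:34 localhost kernel: SFW2-OUT-ERROR IN= OUT=wlan0 SRC=192.168.1.10 DST=130.57.4.16 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=60812 DF PROTO=TCP SPT=41664 DPT=80 WINDOW=7029 RES=0x00 ACK FIN URGP=0
Oct 15 17:41:02 localhost kernel: SFW2-OUT-ERROR IN= OUT=wlan0 SRC=192.168.1.10 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=60990 DF PROTO=TCP SPT=41670 DPT=443 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Oct 15 17:42:10 localhost kernel: SFW2-OUT-ERROR IN= OUT=wlan0 SRC=192.168.1.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=61010 DF PROTO=TCP SPT=50222 DPT=22 WINDOW=1000 RES=0x00 ACK FIN URGP=0
Oct 15 17:42:30 localhost kernel: SFW2-OUT-ERROR IN= OUT=wlan0 SRC=192.168.1.10 DST=224.0.0.251 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=123 DF PROTO=UDP SPT=5353 DPT=5353 LEN=28
"""


def _ts(text):
    """Syslog 'Mon DD HH:MM:SS' to datetime (year is ignored; fine for deltas)."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


# Constructed: last packet tcpdump saw for each flow, keyed like flow_key().
LAST_SEEN = {
    ("192.168.1.10", "41664", "130.57.4.16", "80"): _ts("Oct 15 17:27:30"),
    ("192.168.1.10", "41670", "203.0.113.7", "443"): _ts("Oct 15 17:30:02"),
}


def parse_netfilter_line(line):
    """Parse one syslog line carrying a netfilter LOG record into a dict.

    Assumes the syslog timestamp occupies the first 15 characters and that the
    record starts at 'IN='. key=value tokens become dict entries (a second LEN=
    on UDP lines overwrites the IP-level one), bare tokens go to flag sets.
    Returns None for lines that do not look like netfilter output.
    """
    try:
        ts = _ts(line[:15])
    except ValueError:
        return None
    _, _, body = line.partition("kernel: ")
    prefix, sep, rest = body.partition("IN=")
    if not sep:
        return None
    rec = {"ts": ts, "prefix": prefix.strip(), "flags": set(), "ipflags": set()}
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        elif tok in IP_FLAGS:
            rec["ipflags"].add(tok)
    return rec


def is_late_teardown(rec):
    """True for a SYN-less FIN or RST segment touching port 80 or 443: the
    shape of the packets in the post, i.e. a close handshake that the state
    match no longer has a conntrack entry for."""
    if rec is None or rec.get("PROTO") != "TCP":
        return False
    flags = rec["flags"]
    if "SYN" in flags or not (flags & {"FIN", "RST"}):
        return False
    return bool({int(rec["SPT"]), int(rec["DPT"])} & HTTP_PORTS)


def flow_key(rec):
    return (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])


def scan_log(text):
    """Return the parsed records that match is_late_teardown()."""
    recs = (parse_netfilter_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if is_late_teardown(r)]


def correlate(hits, last_seen):
    """For each hit, compute seconds since the flow's last known packet and
    whether that exceeds the CLOSE_WAIT timeout (gap is None if unknown)."""
    report = []
    for rec in hits:
        last = last_seen.get(flow_key(rec))
        gap = None if last is None else (rec["ts"] - last).total_seconds()
        report.append({
            "flow": flow_key(rec),
            "flags": sorted(rec["flags"]),
            "gap_s": gap,
            "past_close_wait": gap is not None and gap > CLOSE_WAIT_TIMEOUT_S,
        })
    return report


if __name__ == "__main__":
    for row in correlate(scan_log(SAMPLE_LOG), LAST_SEEN):
        print(row)
```

On real data, feed `scan_log()` the output of `grep SFW2-OUT-ERROR /var/log/firewall` and build `LAST_SEEN` from tcpdump or the web server's access log; a gap of several minutes on a FIN/ACK whose flow had no traffic in the meantime is consistent with the conntrack entry having aged out before the client's delayed close, which is what makes the packet fail the RELATED,ESTABLISHED match.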