Firewall question

I use a regular iptables stateful firewall. Output ports 80, 443, 53 are open and input ports are open only for established/related packets.

Here’s the strange part. The firewall drops incoming ACK FIN packets from source port 443 to my local port NNNNN. Now, it’s normal behavior to drop any incoming packets that are not part of a connection I request/establish, but an ACK FIN is an acknowledgement of a FIN packet that I (hopefully and supposedly) send out, so it should always get through?

Could this be an attack, or is something misconfigured? The IP the packets come from belongs to, for example. It may be some sort of bug too?

UPDATE: I do have a hotspot turned on sometimes, which just gets forwarded through iptables because there are the same stateful firewalls on the individual hotspot devices.


I’m still getting a ton of these.

It can also be that the firewall’s state tracking considered the connection to be closed after sending the FIN packets and before receiving the FIN-ACK packet. Or the FIN-ACK could be a duplicate.

I had to file a bug because this ACK thing crashed my USB hub or something.
218519 – USB hangs from ACK frame

OK, I’m also seeing these ACK-PSH-FIN packets dropped by my iptables, which are illegal, according to this source: and are part of a DDoS attack and can even mask more complex attacks.

Potentially, the solution is to change the conntrack timeout value with something like echo 3000 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait. The default value is 120, which seems pretty small. Maybe servers deprioritize FIN ACK packets, so we get them with delay. Is this something Fedora devs need to change in the default settings?
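A toy model of what that conntrack timeout changes, added here as an illustration and not part of any post in the thread. It replays a constructed HTTPS-style exchange through a simplified copy of the kernel's TCP conntrack state table (Linux default timeouts in seconds) and reports what an INPUT chain that only accepts ESTABLISHED/RELATED would do with the server's FIN/ACK when it arrives later than nf_conntrack_tcp_timeout_fin_wait. The timeouts and the flag-classification order are taken from the kernel; the trace, the timings and the function names are constructed for the example. It also covers the FIN/PSH/ACK case, since conntrack classifies a packet by RST, SYN, FIN and ACK only and ignores PSH.

```python
"""Toy model of nf_conntrack's TCP state tracking, showing why a FIN/ACK that
arrives after nf_conntrack_tcp_timeout_fin_wait is dropped by an INPUT chain
that only accepts ESTABLISHED/RELATED traffic.

Added example, not code from the original thread. The state table is a
simplification of the kernel's tcp_conntracks table, the timeouts are the
Linux defaults (seconds), and the packet trace is constructed, not captured.
"""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

DEFAULT_TIMEOUTS = {
    "SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 432000,
    "FIN_WAIT": 120, "CLOSE_WAIT": 60, "LAST_ACK": 30,
    "TIME_WAIT": 120, "CLOSE": 10,
}

# (current state, packet kind) -> next state. After the handshake the kernel
# table treats FIN/ACK from either side alike, so direction is not tracked here.
TRANSITIONS = {
    ("SYN_SENT", "syn"): "SYN_SENT",          # SYN retransmit
    ("SYN_SENT", "synack"): "SYN_RECV",
    ("SYN_RECV", "ack"): "ESTABLISHED",
    ("ESTABLISHED", "ack"): "ESTABLISHED",
    ("ESTABLISHED", "fin"): "FIN_WAIT",       # first FIN, from either side
    ("FIN_WAIT", "ack"): "CLOSE_WAIT",        # that FIN acknowledged
    ("FIN_WAIT", "fin"): "LAST_ACK",          # other side's FIN (usually FIN/ACK)
    ("CLOSE_WAIT", "fin"): "LAST_ACK",
    ("CLOSE_WAIT", "ack"): "CLOSE_WAIT",
    ("LAST_ACK", "ack"): "TIME_WAIT",
    ("TIME_WAIT", "ack"): "TIME_WAIT",
    ("TIME_WAIT", "fin"): "TIME_WAIT",        # duplicate FIN inside TIME_WAIT is fine
}

def classify(flags):
    """Same priority as the kernel's get_conntrack_index(): RST, SYN(/ACK), FIN, ACK.
    PSH is ignored, so FIN/PSH/ACK is handled exactly like FIN/ACK."""
    if flags & RST:
        return "rst"
    if flags & SYN:
        return "synack" if flags & ACK else "syn"
    if flags & FIN:
        return "fin"
    if flags & ACK:
        return "ack"
    return "none"

@dataclass
class Conntrack:
    timeouts: dict
    state: str = "NONE"
    expires: float = 0.0   # absolute time at which the entry is garbage-collected

    def handle(self, now, flags):
        """Return the conntrack match iptables would see: NEW, ESTABLISHED or INVALID."""
        if self.state != "NONE" and now >= self.expires:
            self.state = "NONE"          # entry timed out; the flow is forgotten
        kind = classify(flags)
        if self.state == "NONE":
            # Only a SYN (or, with nf_conntrack_tcp_loose=1, a bare ACK) may start
            # an entry. A FIN/ACK with no entry is INVALID, not NEW.
            if kind == "syn":
                self._enter("SYN_SENT", now)
                return "NEW"
            if kind == "ack":
                self._enter("ESTABLISHED", now)
                return "NEW"
            return "INVALID"
        if kind == "rst":
            self._enter("CLOSE", now)
            return "ESTABLISHED"
        nxt = TRANSITIONS.get((self.state, kind))
        if nxt is None:
            return "INVALID"
        self._enter(nxt, now)
        return "ESTABLISHED"

    def _enter(self, state, now):
        self.state = state
        self.expires = now + self.timeouts[state]

def input_verdict(direction, match):
    """OUTPUT is open; INPUT accepts only packets conntrack considers ESTABLISHED."""
    if direction == "out":
        return "ACCEPT"
    return "ACCEPT" if match == "ESTABLISHED" else "DROP"

def run_trace(fin_wait_timeout=120, finack_delay=130):
    """HTTPS-style exchange where we close first and the server's FIN/PSH/ACK arrives
    finack_delay seconds after our FIN. Returns (conntrack match, verdict) for it."""
    ct = Conntrack(dict(DEFAULT_TIMEOUTS, FIN_WAIT=fin_wait_timeout))
    trace = [  # (time in seconds, direction, flags); constructed, not captured
        (0.0, "out", SYN), (0.05, "in", SYN | ACK), (0.05, "out", ACK),
        (0.10, "out", PSH | ACK), (0.20, "in", PSH | ACK), (0.20, "out", ACK),
        (1.0, "out", FIN | ACK),
        (1.0 + finack_delay, "in", FIN | PSH | ACK),
    ]
    result = None
    for now, direction, flags in trace:
        match = ct.handle(now, flags)
        result = (match, input_verdict(direction, match))
    return result

if __name__ == "__main__":
    print("fin_wait=120, FIN/ACK 130 s late:", run_trace(120, 130))
    print("fin_wait=3000, FIN/ACK 130 s late:", run_trace(3000, 130))
    print("fin_wait=120, FIN/ACK 5 s late:", run_trace(120, 5))
```

With the default of 120 s the server's FIN/ACK arrives after the FIN_WAIT entry has been garbage-collected, so conntrack has no flow to match it against and classifies it as INVALID; the INPUT chain then drops it exactly as described in the thread. Raising the fin_wait timeout, or a FIN/ACK that arrives within the window, moves the entry to LAST_ACK and the packet is accepted. The same applies to FIN/PSH/ACK, which the classifier treats as a FIN.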