I'm seeing some strange behavior on my firewall, which is running Fedora 8's version of 2.6.26. Every so often a packet with a private source address is sent out the public interface unchanged, when it should be dropped.
This happens when internal hosts are slow to close their end of a TCP connection. For example:
1. Internal host A (using a private address) initiates a TCP connection to an external server B.
2. Data is sent back and forth.
3. External host B sends a FIN and host A responds with ACK.
4. Several minutes later (after the tracking for this connection has expired), host A sends a FIN to host B. This packet goes through the firewall unchanged and is sent out the public interface with the private source address intact.
Now I would expect that such packets would be dropped, because they don't belong to an existing connection and they can't be the start of a new connection. The fact that this doesn't happen indicates there is a bug in the netfilter code somewhere.
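To make the expected behaviour concrete, here is an added illustration (written for this page, not netfilter code and not from the original poster) that replays the sequence above against a deliberately simplified connection-tracking model. Assumptions: the public interface is called eth0 and has the constructed address 198.51.100.1, the internal host is 192.168.1.10, the external server is 203.0.113.5, entries expire after 120 seconds of inactivity, and reply packets are shown with the addresses the internal host sees (the reverse translation is left out). The model encodes the rule the post expects: a packet that matches no live entry is NEW only if it is a bare SYN, anything else is INVALID and dropped, so the late FIN never reaches the public interface. A separate egress check shows what the leaked packet looks like if it did get through.

```python
"""Simplified model of how a NAT firewall should treat the late FIN from the
post above.  Illustration only: the state machine, timeouts and addresses are
reduced to the minimum needed to show the expected verdicts."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# RFC 1918 ranges: a packet leaving the public interface with one of these as
# its source address should never appear on the Internet side.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONNTRACK_TIMEOUT = 120.0     # seconds of inactivity before an entry expires (constructed)
PUBLIC_IFACE = "eth0"         # assumed name of the public interface
PUBLIC_ADDR = "198.51.100.1"  # constructed public address (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset   # subset of {"SYN", "ACK", "FIN"}
    out_iface: str     # interface the packet would leave on
    t: float           # time the packet is seen, in seconds


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def egress_leak(pkt: Packet) -> bool:
    """True if a packet about to leave the public interface still carries a
    private source address: exactly the symptom described in the post."""
    return pkt.out_iface == PUBLIC_IFACE and is_private(pkt.src)


class ConntrackModel:
    """Entry = (last_seen, snat_src), keyed on the original (src, dst) pair.
    A packet matching no live entry is NEW only if it is a bare SYN; any other
    flag combination is INVALID.  This is the behaviour the post expects, not a
    claim about what nf_conntrack actually did on that kernel."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str], Tuple[float, Optional[str]]] = {}

    def _find(self, pkt: Packet) -> Optional[Tuple[str, str]]:
        for key in ((pkt.src, pkt.dst), (pkt.dst, pkt.src)):
            entry = self.table.get(key)
            if entry is None:
                continue
            if pkt.t - entry[0] <= CONNTRACK_TIMEOUT:
                return key
            del self.table[key]  # expired: the connection is forgotten
        return None

    def classify(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        key = self._find(pkt)
        if key is not None:
            _, snat = self.table[key]
            self.table[key] = (pkt.t, snat)  # refresh the timeout
            return "ESTABLISHED", snat
        if pkt.flags == frozenset({"SYN"}):
            self.table[(pkt.src, pkt.dst)] = (pkt.t, None)
            return "NEW", None
        return "INVALID", None

    def set_snat(self, pkt: Packet, snat_src: str) -> None:
        last, _ = self.table[(pkt.src, pkt.dst)]
        self.table[(pkt.src, pkt.dst)] = (last, snat_src)


class Firewall:
    """Forwarding policy in the order a defender wants it: INVALID is dropped
    first, then NEW outbound connections get a SNAT mapping, then a final
    egress check catches anything that still carries a private source."""

    def __init__(self) -> None:
        self.ct = ConntrackModel()

    def forward(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        state, snat = self.ct.classify(pkt)
        if state == "INVALID":
            return "DROP:invalid", None
        if pkt.out_iface == PUBLIC_IFACE and is_private(pkt.src):
            if state == "NEW":  # first outbound packet: allocate the mapping
                self.ct.set_snat(pkt, PUBLIC_ADDR)
                snat = PUBLIC_ADDR
            if snat is not None:
                pkt = replace(pkt, src=snat)
        if egress_leak(pkt):  # safety net: never emit a private source on eth0
            return "DROP:egress", None
        return f"ACCEPT:{state.lower()}", pkt


def run_scenario() -> List[str]:
    """Replays the post's sequence: A (private) talks to B, B closes first,
    A sends its own FIN only after the tracking entry has expired."""
    A, B = "192.168.1.10", "203.0.113.5"  # constructed addresses
    SYN, ACK, FINACK = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"FIN", "ACK"})
    packets = [
        Packet(A, B, SYN,    PUBLIC_IFACE, 0.0),    # A opens the connection
        Packet(B, A, ACK,    "eth1",       0.1),    # B's reply (handshake simplified)
        Packet(A, B, ACK,    PUBLIC_IFACE, 0.2),
        Packet(A, B, ACK,    PUBLIC_IFACE, 5.0),    # data back and forth
        Packet(B, A, ACK,    "eth1",       5.1),
        Packet(B, A, FINACK, "eth1",       30.0),   # B closes its end
        Packet(A, B, ACK,    PUBLIC_IFACE, 30.1),   # A acknowledges the FIN
        Packet(A, B, FINACK, PUBLIC_IFACE, 600.0),  # A's own FIN, minutes later
    ]
    fw = Firewall()
    verdicts = []
    for p in packets:
        verdict, out = fw.forward(p)
        verdicts.append(f"{verdict} src={out.src if out else '-'}")
    return verdicts


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

In iptables terms the first check is the usual `iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP` (or `-m state --state INVALID` on older userspace), which is the rule that should have stopped the late FIN. The final egress check has no direct iptables equivalent because SNAT is applied in the nat POSTROUTING hook after the filter FORWARD chain has run, so the cleanest way to confirm whether packets like this are leaving is to watch the public interface directly, for example `tcpdump -ni eth0 'src net 192.168.0.0/16'`.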