Lot of packets being dropped due to INVALID connection

I’ve set up a firewall (ROS 3.0 rc10) and I can see a lot of packets being dropped that appear to belong to connections that I consider to be “legal”, i.e. connections to/from non-blocked ports, initiated by a user on the LAN side of the router.

For instance, if I open a newspaper webpage, I can see in Torch a number of connections are established as the page is being loaded.
However, shortly thereafter I can see that a burst of packets are rejected in the firewall due to Connection State=Invalid.

From previous discussions I understand that this is due to a rather strict definition of connection “lifetime” in ROS.

As so many packets are lost because they are considered invalid, doesn’t this indicate that ROS requirements are too strict?
What kind of information is it that is sent from a webserver too late to be considered valid, and won’t this cause vital information to be lost?

I don’t have the knowledge nor experience to conclude, I’m just asking questions, and I would be thankful if somebody could shed some light on this.
I find it strange that perfectly “legal” traffic shall be blocked.

Typical example:
You opened a new homepage and are now simply reading the content - so all connections are long finished, but the browser still sends out (ACK,FIN) packets just in case some connections are not closed.

Those (ACK,FIN) packets (and any other packets) if they are invalid will be discarded at the destination one way or another - so there are absolutely no problems to drop them before on the router.

Connection lifetime is not the case here, it's more about state - what kind of packets (flag combination) this connection is waiting for. And if the sequence is wrong, then mark those packets as invalid.
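
A simplified model of the state tracking described in the reply above, added here as an illustration; it is not RouterOS or Linux conntrack code. The class, the state names, the constructed addresses and the `expire_closed` helper (a stand-in for the tracker's timeout) are assumptions made for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags")  # flags: set such as {"FIN", "ACK"}

class TcpTracker:
    """Toy tracker (not RouterOS code): one entry per endpoint pair."""
    def __init__(self):
        self.table = {}  # frozenset({src, dst}) -> {"state", "fin_from"}

    def classify(self, p):
        key, flags = frozenset((p.src, p.dst)), set(p.flags)
        conn = self.table.get(key)
        if conn is None:
            # No entry: only a bare SYN may open a connection.
            if flags == {"SYN"}:
                self.table[key] = {"state": "syn_sent", "fin_from": set()}
                return "new"
            return "invalid"
        state = conn["state"]
        if state == "syn_sent":
            ok = flags == {"SYN", "ACK"}
            conn["state"] = "syn_recv" if ok else state
        elif state == "syn_recv":
            ok = flags == {"ACK"}
            conn["state"] = "established" if ok else state
        elif state in ("established", "closing"):
            ok = "ACK" in flags and "SYN" not in flags
            if ok and "FIN" in flags:
                conn["fin_from"].add(p.src)
                conn["state"] = "closing"
            elif ok and len(conn["fin_from"]) == 2:
                conn["state"] = "closed"  # final ACK of the teardown
        else:  # "closed": entry lingers until expiry, late ACK/FIN still match
            ok = "SYN" not in flags
        return "established" if ok else "invalid"

    def expire_closed(self):
        """Stand-in for the timeout that removes finished connections."""
        self.table = {k: c for k, c in self.table.items() if c["state"] != "closed"}

def demo():
    t, lan, web = TcpTracker(), "192.168.88.10:50000", "203.0.113.5:80"  # constructed
    trace = [Packet(lan, web, {"SYN"}), Packet(web, lan, {"SYN", "ACK"}),
             Packet(lan, web, {"ACK"}), Packet(web, lan, {"FIN", "ACK"}),
             Packet(lan, web, {"FIN", "ACK"}), Packet(web, lan, {"ACK"})]
    verdicts = [t.classify(p) for p in trace]
    t.expire_closed()  # the router forgets the finished connection
    verdicts.append(t.classify(Packet(lan, web, {"FIN", "ACK"})))  # late FIN,ACK
    return verdicts
```

`demo()` returns one verdict per packet: the handshake and teardown are accepted, and the same FIN,ACK that matched while the entry existed is classified `invalid` once the entry has been removed.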

So why would 3.0 block more packets than 2.9 with the same ruleset? Is it that 2.9 wasn’t catching out-of-connection packets properly? Is it that 3.0 has a shorter TTL on those packets?