Blocking ports 49147-49151 unexpectedly blocks connection to peers #4389

Open
BertrandBordage opened this issue Jul 4, 2024 · 0 comments
@BertrandBordage

Conditions

OS: Debian Bookworm (under VirtualBox)
GlusterFS 10.3 installed from the Debian apt repository.
Unaltered GlusterFS configuration; base-port is commented out but properly defaults to 49152, as can be seen here:
[screenshot]

Description

Following step 6 of the Debian installation docs, I wanted to set up nftables (the iptables successor) to drop all incoming traffic except TCP/UDP traffic from a whitelist of peer IPs on the GlusterFS ports.

I set this (adjust the IPs to be able to reproduce) in /etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iif lo accept   # loopback is always allowed
    # only the whitelisted peers, and only on the GlusterFS ports (24007/24008 plus the brick range)
    ip saddr { 192.168.56.102, 192.168.56.103 } meta l4proto { tcp, udp } th dport { 24007, 24008, 49152-50000 } accept
  }
  chain forward {
    type filter hook forward priority filter;
  }
  chain output {
    type filter hook output priority filter;
  }
}

and applied it by running /etc/nftables.conf.
But it always blocks connections to peers, even after restarting the glusterd service or rebooting the machine.
It always leads to timeout errors, for example when running gluster volume status:
[screenshot]

After some trial and error, I came to the conclusion that allowing the additional range 49147-49151 works reliably:

    ip saddr { 192.168.56.102, 192.168.56.103 } meta l4proto { tcp, udp } th dport { 24007, 24008, 49147-60999 } accept

[screenshot]

What could explain this? Maybe some port scan starting slightly before base-port?
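An added check for the situation described in this issue (example code written for this page, not GlusterFS or nftables project code and not from the issue author): it parses the listening sockets reported by `ss -lntuH`, compares each one with the port set used in the nft rule, and reports every listener the allow-list does not cover, so a missing port can be found by inspection instead of trial and error. It also renders the smallest nft set that would cover the chosen extra ports. The `ss` output below is constructed for the example; the listener on 49149 is hypothetical and only illustrates a port sitting just below base-port.

```python
"""Compare a host's actual TCP/UDP listeners with an nftables port allow-list.

Added example for this issue; not GlusterFS or nftables code. Run it on a real
host with: uncovered_listeners(subprocess.check_output(["ss", "-lntuH"], text=True), allowed)
"""
import re
from typing import Iterable

# Constructed sample of `ss -lntuH` output (listening TCP/UDP sockets, no header).
# The 49149 listener is hypothetical: it stands for "a port just below base-port".
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      1024         0.0.0.0:24007      0.0.0.0:*
tcp   LISTEN 0      1024         0.0.0.0:49152      0.0.0.0:*
tcp   LISTEN 0      1024         0.0.0.0:49149      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_port_set(spec: str) -> list[tuple[int, int]]:
    """Parse an nft anonymous port set such as '{ 24007, 24008, 49152-50000 }'
    into inclusive (low, high) ranges."""
    ranges = []
    for item in spec.strip().strip("{}").split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"unsupported port element: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        ranges.append((lo, hi))
    return ranges


def parse_ss(output: str) -> list[tuple[str, str, int]]:
    """Return (proto, local_address, port) for every tcp/udp line of `ss -lntuH`.
    Field layout: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, port = fields[4].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        rows.append((fields[0], addr, int(port)))
    return rows


def is_allowed(port: int, allowed: Iterable[tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in allowed)


def uncovered_listeners(ss_output: str, allowed: Iterable[tuple[int, int]],
                        skip_loopback: bool = True) -> list[tuple[str, int]]:
    """Listeners the allow-list does not cover, as sorted unique (proto, port).
    Loopback-only sockets are skipped by default because the ruleset in the
    issue accepts everything arriving on `lo`."""
    allowed = list(allowed)
    found = set()
    for proto, addr, port in parse_ss(ss_output):
        if skip_loopback and addr.strip("[]") in LOOPBACK:
            continue
        if not is_allowed(port, allowed):
            found.add((proto, port))
    return sorted(found)


def covering_set(allowed: Iterable[tuple[int, int]], extra_ports: Iterable[int]) -> str:
    """Render the smallest nft port set that keeps `allowed` and adds `extra_ports`,
    merging adjacent or overlapping ranges."""
    ranges = sorted(list(allowed) + [(p, p) for p in extra_ports])
    merged: list[tuple[int, int]] = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    parts = [f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in merged]
    return "{ " + ", ".join(parts) + " }"


if __name__ == "__main__":
    allowed = parse_port_set("{ 24007, 24008, 49152-50000 }")
    missing = uncovered_listeners(SAMPLE_SS_OUTPUT, allowed)
    for proto, port in missing:
        print(f"listener not covered by the allow-list: {proto}/{port}")
    # Decide which of the reported ports actually belong to the service before
    # widening the rule; here only the hypothetical 49149 is added.
    print("nft set with 49149 added:", covering_set(allowed, [49149]))
```

Run on the real host, the script replaces the guesswork in the issue: every listener outside the allowed set is listed explicitly, and only the ports that turn out to belong to glusterd or the bricks need to be added to the rule, rather than the whole 49147-60999 range.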
