Thanks for your comments and questions, everyone - they got me onto a
different train of thought which quickly led me to a resolution - I'm in
your debt. :)
The traffic was indeed response packets to connections made from systems
on my LAN. It seems that I put in a rule on my netfilter box, Friday,
that allowed out some traffic that had been bottled up, just waiting to
get to the internet. This traffic turned out to be Windows servers
looking for updates from Microsoft. The firewall did let the return
packets back, but logged them as if it hadn't. The log rule was supposed
to log anything that was about to hit the default chain policy of DROP,
but the rule I added Friday got added after the logging rule, instead of
before it. So, it was logged, then accepted.
Mystery solved.
Now, if I were a networking guy, instead of a sysadmin, or at least one
with more networking knowledge, I'd've figured this out this morning,
and saved myself a day's wild goose chase, and the additional gray
hairs. Sigh.
Again, thanks.
-ste
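A small lint for the misordering described in the post above, added here as example code (not from the original thread). It reads an iptables-save style dump and flags any chain in which a `-j LOG` rule comes before a `-j ACCEPT` rule, so that accepted traffic shows up in the log as though it had hit the DROP policy. Both dumps are constructed for the example; the rule text is illustrative only.

```shell
#!/bin/sh
# Lint an iptables-save dump for chains where a LOG rule precedes an ACCEPT
# rule: packets matched by the later ACCEPT are logged first, so the log
# reads as if they were dropped. Example code, not from the original post.

# Constructed dump reproducing the bug: the ESTABLISHED,RELATED accept was
# appended after the "log everything before the default DROP" rule.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "IN-DROP: "
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Corrected ordering: accept first, then log only what is left for the policy.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "IN-DROP: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT'

# check_log_order DUMP: prints each chain (once) in which a "-j LOG" rule is
# followed by a "-j ACCEPT" rule; returns 1 if any chain was flagged, else 0.
check_log_order() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" {
            chain = $2
            if ($0 ~ /-j LOG( |$)/) seen_log[chain] = 1
            if ($0 ~ /-j ACCEPT( |$)/ && seen_log[chain] && !flagged[chain]) {
                flagged[chain] = 1
                n++
                print chain
            }
        }
        END { exit (n > 0) ? 1 : 0 }'
}

# Stand-alone run: report which constructed dump is misordered.
check_log_order "$BAD_RULES"  >/dev/null && echo "BAD_RULES: ok"  || echo "BAD_RULES: LOG before ACCEPT"
check_log_order "$GOOD_RULES" >/dev/null && echo "GOOD_RULES: ok" || echo "GOOD_RULES: LOG before ACCEPT"
```

Run it against `iptables-save` output on a live box (`check_log_order "$(iptables-save)"`) to catch the same ordering slip before chasing phantom drops in the logs.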