Re: It seems I've found why conntrack blocks some packets

Hi Steven,

> Unfortunately, you've needed to obscure the actual ip address (I understand) but I can't match the 'customerip' and 'webserverip' to the ${variables} above because I don't know the actual values for any of them.

Well, the customerip is from some unknown Internet user. So it's an
external IP, and its connection comes in via $INET_IFACE.

The webserverip is in my DMZ, so it matches $DMZ_RANGE or $DMZ_WEBSERVER.

> Try to walk through the rules in your forward chain using the ip addresses you've captured and identify the rule you believe should allow these ack packets to go out.

Well, it's actually the ACK packets that should come in, and the rule
that must match them is the ESTABLISHED,RELATED rule. And it actually
does match for more than 3,000 connections a day. But, for 200 or so
of them, this odd behavior occurs.

Your next e-mail may have shed some light. I'll comment on it.

Regards.
