OK, I think I have success now. A cautionary lesson for those jumping to blame Squid: just because you can avoid the problem when you cut out Squid, it doesn't mean Squid is necessarily to blame.

I finally noticed that all the sites which were giving problems had an IP address starting with '77' which, whilst a top year for music, was a bad number for getting TCP connections past the first three packets. I use a tweaked version of Firestarter to configure iptables, and part of the default Firestarter setup is to reject what it considers non-routable packets: 192.168.0.0/24, 10.0.0.0/8, etc. For some reason 77.0.0.0/8 was listed in the file /etc/firestarter/non-routables.

The reason why it seemed that there were two distinct problems affecting wiki.squid-cache.org and uk.yahoo.com/mail was that wiki.squid-cache.org seems to host most all its content on the one IP address, whereas Yahoo mail grabs all manner of boring adverts, graphics, tracking bugs, etc., from various different sources, some of which reside on servers within 77.0.0.0/8, e.g. mail.yimg.com.

By cutting 77.0.0.0 from /etc/firestarter/non-routables, all is now well. Had I looked at /var/log/messages a bit harder I might have spotted this earlier. Mind, the fact that the default Firestarter configuration only drops the packet after the 3-way handshake meant that it took a while for things to show up, as the Yahoo page had to go through a fair few timeouts before it got through all the links to content residing on servers under 77.0.0.0/8.

I should likely let the Firestarter people know about this. Anyhow, thanks for everybody's help and hope this points others in the right direction.

Callum.
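An added example, not part of Callum's post and not Firestarter code: a small audit that flags block-list entries which are not inside any special-purpose IPv4 range, and shows which entry matches a given remote address. The file format (one CIDR per line, `#` for comments), the function names and the sample contents are assumptions constructed for illustration.

```python
import ipaddress

# Special-purpose IPv4 blocks that are not routed on the public Internet
# (private, loopback, link-local, documentation, multicast, reserved).
SPECIAL_PURPOSE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

def parse_block_list(text):
    """Yield (line_number, network) per CIDR entry; '#' starts a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if entry:
            yield lineno, ipaddress.ip_network(entry, strict=False)

def stale_entries(text):
    """Entries not fully contained in any special-purpose block."""
    return [(lineno, str(net))
            for lineno, net in parse_block_list(text)
            if not any(net.subnet_of(sp) for sp in SPECIAL_PURPOSE)]

def blocking_entries(text, address):
    """Entries that would match traffic from the given remote address."""
    addr = ipaddress.ip_address(address)
    return [str(net) for _, net in parse_block_list(text) if addr in net]

# Constructed sample in the assumed format; not a real Firestarter file.
SAMPLE = """\
# non-routable networks (constructed sample)
10.0.0.0/8
77.0.0.0/8
192.168.0.0/24
127.0.0.0/8
"""

if __name__ == "__main__":
    for lineno, net in stale_entries(SAMPLE):
        print(f"line {lineno}: {net} is publicly routable address space")
    # 77.1.2.3 is a constructed address inside the range from the post.
    print("77.1.2.3 matched by:", blocking_entries(SAMPLE, "77.1.2.3"))
```

Running the same check against the live file after each firewall package update catches a static list that has fallen behind address allocations.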