The overall problem is that we're having lots of problems with web access in or out of the office. There was a problem with sporadic packet loss with the ISP which has now been corrected, but still the web problem persists.
In investigating, I am seeing lots of messages like this in my system logs:
Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.231.9 DST=220.127.116.11 DMAC=f8:72:ea:94:e0:14 SMAC=f8:2f:a8:d9:5f:a9 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=6071 DF PROTO=TCP SPT=59051 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
However, I am using the default firewall rules with only additions to let SSH, HTTP, and HTTPS into a few machines on the LAN. The above source address is not one of these machines. The hosts affected on the LAN side do not seem consistent. The destination addresses that experience this do seem to be consistent based on a relatively small sample of log file, but being a small sample, this may be spurious info.
This doesn't seem right - the rules should allow any outbound connections.
Admittedly, most of the traffic in/out is HTTP or HTTPS, but I haven't seen this affect any other service than these.
I have made sure that the content filtering is disabled, and I've played with turning SPI on/off with no change.
The above is about the only visible anomaly I've seen, and I'm running out of ideas...
Any help or suggestions welcome, thanks!
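One way to triage a batch of these lines, as an added example that is not part of the question or any reply: parse the key=value fields and the bare TCP flag tokens, then separate entries where a SYN was refused (a new outbound connection really was blocked) from entries that are a bare ACK/RST, which a stateful firewall logs when a reset arrives for a flow it no longer tracks, something that packet loss can leave behind. The first sample line is the one quoted in the question; the other two are constructed for contrast.

```python
from collections import Counter

# Constructed sample: line 1 is the entry quoted in the question, lines 2-3 are made up.
SAMPLE_LOG = """\
Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.231.9 DST=220.127.116.11 DMAC=f8:72:ea:94:e0:14 SMAC=f8:2f:a8:d9:5f:a9 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=6071 DF PROTO=TCP SPT=59051 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.231.20 DST=203.0.113.5 LEN=52 TTL=128 ID=1 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Connection Refused - Policy violation IN=eth0 OUT=eth1 SRC=192.168.231.9 DST=220.127.116.11 LEN=40 TTL=127 ID=6072 DF PROTO=TCP SPT=59052 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Bare tokens in a netfilter-style log that are TCP flags (DF is an IP flag, so it is ignored).
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_line(line):
    """Return KEY=VALUE fields as a dict plus a 'FLAGS' set of the TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(rec):
    """Label what kind of packet the firewall actually refused."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "blocked-new-connection"   # an outbound connection attempt was refused
    if "RST" in flags:
        return "untracked-reset"          # reset for a flow with no state-table entry
    return "untracked-midstream"          # data/ACK for a flow with no state-table entry

def summarize(log_text):
    """Count entries by kind, and by (DST, DPT, kind) to spot a consistent destination."""
    by_kind, by_dst = Counter(), Counter()
    for line in log_text.splitlines():
        if "SRC=" not in line:
            continue
        rec = parse_line(line)
        kind = classify(rec)
        by_kind[kind] += 1
        by_dst[(rec["DST"], rec.get("DPT"), kind)] += 1
    return by_kind, by_dst

if __name__ == "__main__":
    kinds, dsts = summarize(SAMPLE_LOG)
    print(kinds)
    for key, n in dsts.most_common():
        print(n, key)
```

If nearly every entry is an untracked reset rather than a blocked SYN, the log is recording leftovers of broken flows rather than the firewall refusing new web connections, which points the search elsewhere.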