port 80 is just the standrad http port - so i suppose this is to be expected whenever you browse the web

Not unless the browser is attempting to access my IP address on port 80, or attempting to access the router itself. All other http traffic is directed to the internet, and has no affect on the router itself. This only occurs on starting Firefox, or periodically if firefox is running. So it is not expected. There are trojans that attempt to access a routers web page configuration.

http://kb.mozillazine.org/Connections_established_on_startup_-_Firefox

May give some ideas.

Your firewall is dropping a SYN packet or is forbidding an HTTP request? If you refuse to make a connection at all, you might never gather enough information to identify the intent of the communication.

Thanks for the link. I have been trying to disable various things, but the issue does not happen regularly, so it will take some time. I will continue testing. Thanks for the link. I'm now monitoring with wireshark. Clearly the browser is sending a connection request to my internet IP address on port 80 and the firewall is rejecting it. Interesting that it is sending to the external IP and not the Gateway/router IP.

Thanks for the suggestion of dropped SYN requests, which prompted me to setup a wireshark monitoring. It is definitely not a dropped SYN packet, rather the browser is sending a connection request to my external IP address on port 80 and the firewall is rejecting it with RST, ACK.

The first time it occurs is after a connection to secure.informaction.com. At the end of that conversation I receive "Encrypted Alert" sent to my browser (certificate problem?), followed by a disconnect from secure.informaction.com, then Firefox attempts to access my external IP on port 80 several times. Why my external IP? I'm not sure what Firefox is attempting to do.

I have NoScript running. Disabling NoScript eliminates the problem. Seems it is accessing secure.informaction.com and having a problem. Still not exactly sure what is happening.

I think the first packet in a TCP connection request is a SYN packet, so if you're sending RST immediately after getting that packet, you will never get to log the HTTP request that would be sent after the connection is set up, which would be useful to get. Perhaps a browser proxy such as Fiddler would allow you to capture that?

I associate the Informaction name with the author of the NoScript and FlashGot extensions. If you disable those extensions and restart Firefox, do you get the same connection attempt?

Edit: Our posts crossed, so you can ignore the second paragraph.

Final note: This MozillaZine Post indicates that noscript uses secure.informaction.com to determine the WAN IP address, and that behavior can be disabled.

Thanks for your respones, and yes, the SYN packet is a request to connect, and the RST/ACK (reject) is the correct response from my router to a connect request (loc2fw) on port 80.

I initially investigated this problem because there might be some malicious software that attempts to access the config page on the router and redirect traffic. I'm assuming that the ABE feature of NoScript is checking the boundary?