which is correct, because I was trying to contact www.bahn.de (213.83.12.10). I think that they have a load balancer who sent me to that ip-address, but as my firewall did not open a connection there it blocks the packages.
It can't be the redirection or load balancing that's causing your problem. IP addresses can't suddenly change in the middle of a TCP connection. If your browser is redirected to a host on a different IP address, it performs a TCP connection to that host, which ensures that your firewall will handle it fine. As was noted, netfilter may be timing out the connection from the state table prematurely, which surprises me, since the TCP timeouts are very long, IIRC. I don't have any other ideas, though. I'd probably sniff the wire and analyse the result with ethereal. Cheers, Tobias