Re: Firewall shows ports being used in sqeuence

In article <pan.2005.12.05.14.56.32.504696@wrench.yi.org>,
 "Jeffrey F. Bloss" <jbloss@tampabay.mapson.rr.com> wrote:

> Alix wrote:
>
> > The monitor feature in the FILSECLAB firewall shows that simply to do
> > their work, the browser and newsreader are accepting connections which
> > come into my local ports numbered 1030, 1031, 1032, 1033, etc. The
> > sequence is not precisely followed but more or less that is what is
> > happening.
>
> Are you absolutely sure they're *accepting* connections on those ports?
>
> I'd wager they're using those ports for outgoing connections, to remote
> ports that look more normal. 80 and 119 for typical HTTP and NNTP traffic.

Usually the source ports in outgoing connections are much higher, like
32000+. 1030, 1031, etc. are pretty unlikely to be used as ephemeral
source ports.

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***