Re: Firewall shows ports being used in sequence

Posted by Jeffrey F. Bloss on December 5, 2005, 9:57 am
Alix wrote:

> The monitor feature in the FILSECLAB firewall shows that simply to do
> their work, the browser and newsreader are accepting connections which
> come into my local ports numbered 1030, 1031, 1032, 1033, etc. The
> sequence is not precisely followed but more or less that is what is
> happening.

Are you absolutely sure they're *accepting* connections on those ports?

I'd wager they're using those ports for outgoing connections, to remote
ports that look more normal. 80 and 119 for typical HTTP and NNTP traffic.

Internet related software using an arbitrary local port to establish
outgoing connections is expected and necessary. And yes, they generally
establish multiple connections using more or less sequential port numbers.
Especially web browsers. Mine is configured to make as many as 64 at a
time, although I've never seen it actually do that. News readers typically
don't make more than 3 or 4 at a time, as NNTP servers won't allow it.

--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208


Posted by Donnie on December 5, 2005, 7:15 pm

> Are you absolutely sure they're *accepting* connections on those ports?
>
> I'd wager they're using those ports for outgoing connections, to remote
> ports that look more normal. 80 and 119 for typical HTTP and NNTP traffic.
>
#################################
Correct. Both Unix and Windows use those ports as source ports. That's what
is seen in the Local Address column on a netstat -an output. The Foreign
Address column will have what you term as normal ports otherwise known as
destination ports. That column is the important one when looking for
unwanted connections.
donnie
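
The Local Address / Foreign Address reading described in the post above can be checked mechanically. The following is an added example, not code from any poster in this thread: it parses `netstat -an` text and labels each TCP row as listening, inbound or outbound. The function names and the SAMPLE capture are constructed for illustration.

```python
# Added example: classify TCP rows of `netstat -an` output.
# SAMPLE is constructed (RFC 5737 documentation addresses), not a real capture.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1030      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1031      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1032      198.51.100.7:119       ESTABLISHED
  TCP    192.168.1.10:135       192.168.1.22:1044      ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (also '[::]:135' or '0.0.0.0:*') into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Return (local_port, remote_addr, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Windows and Linux TCP rows both end with: local, foreign, state.
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue  # header lines, UDP rows, blank lines
        _, local_port = split_endpoint(fields[-3])
        remote_addr, remote_port = split_endpoint(fields[-2])
        rows.append((local_port, remote_addr, remote_port, fields[-1].upper()))
    return rows

def classify(rows):
    """Label each row 'listening', 'inbound' or 'outbound'."""
    # A connection is inbound only if its local port is one the host listens
    # on; otherwise the local port is just the source port of an outgoing
    # connection and the Foreign Address column shows the real destination.
    listening = {lp for lp, _, _, state in rows if state.startswith("LISTEN")}
    result = []
    for local_port, remote_addr, remote_port, state in rows:
        if state.startswith("LISTEN"):
            kind = "listening"
        elif local_port in listening:
            kind = "inbound"
        else:
            kind = "outbound"
        result.append((kind, local_port, remote_addr, remote_port))
    return result

if __name__ == "__main__":
    for kind, lport, raddr, rport in classify(parse_netstat(SAMPLE)):
        print(f"{kind:9}  local port {lport:<5}  remote {raddr}:{rport}")
```

On the constructed sample, local ports 1030 to 1032 come out as outbound connections to remote ports 80 and 119, and only the row on listening port 135 is reported as inbound.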



Posted by Barry Margolin on December 5, 2005, 9:23 pm

> Alix wrote:
>
> > The monitor feature in the FILSECLAB firewall shows that simply to do
> > their work, the browser and newsreader are accepting connections which
> > come into my local ports numbered 1030, 1031, 1032, 1033, etc. The
> > sequence is not precisely followed but more or less that is what is
> > happening.
>
> Are you absolutely sure they're *accepting* connections on those ports?
>
> I'd wager they're using those ports for outgoing connections, to remote
> ports that look more normal. 80 and 119 for typical HTTP and NNTP traffic.

Usually the source ports in outgoing connections are much higher, like
32000+. 1030, 1031, etc. are pretty unlikely to be used as ephemeral
source ports.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
