Firewall shows ports being used in sequence

What could be causing my apps to accept connections to use local ports in sequence? Below are some more details.

Thank you for any help.

Alix

------

I run on XP Pro on cable with no other PCs or devices attached to the network.

I use the free FILSECLAB firewall. My firewall is ANTIVIR. For my browser I use OPERA and my newsreader is NEWSBIN PRO.

I have scanned my PC for viruses and for other malware or adware.

------

The monitor feature in the FILSECLAB firewall shows that simply to do their work, the browser and newsreader are accepting connections which come into my local ports numbered 1030, 1031, 1032, 1033, etc. The sequence is not precisely followed but more or less that is what is happening.

It doesn't seem like a port scan as it seems too slow and anyway it is closely correlated with my own use of my applications.

But it seems very odd.

Each time I boot the PC and launch Opera to Google somewhere, there is a pause for a second or two for this FIRST web page and the status line says: "Connecting to formatting link". Then it frees up.

What could be causing this sequential use of local ports? Is it something I might have set in XP's registry?

Reply to
Alix

Are you absolutely sure they're *accepting* connections on those ports?

I'd wager they're using those ports for outgoing connections, to remote ports that look more normal. 80 and 119 for typical HTTP and NNTP traffic.

Internet related software using an arbitrary local port to establish outgoing connections is expected and necessary. And yes, they generally establish multiple connections using more or less sequential port numbers. Especially web browsers. Mine is configured to make as many as 64 at a time, although I've never seen it actually do that. News readers typically don't make more than 3 or 4 at a time, as NNTP servers won't allow it.

Reply to
Jeffrey F. Bloss

From: "Alix"

| What could be causing my apps to accept connections to use local
| ports in sequence? Below are some more details.
|
| Thank you for any help.
|
| Alix
|
| ------
|
| I run on XP Pro on cable with no other PCs or devices attached to
| the network.
|
| I use the free FILSECLAB firewall. My firewall is ANTIVIR. For
| my browser I use OPERA and my newsreader is NEWSBIN PRO.
|
| I have scanned my PC for viruses and for other malware or adware.
|
| ------
|
| The monitor feature in the FILSECLAB firewall shows that simply to
| do their work, the browser and newsreader are accepting
| connections which come into my local ports numbered 1030, 1031,
| 1032, 1033, etc. The sequence is not precisely followed but more
| or less that is what is happening.
|
| It doesn't seem like a port scan as it seems too slow and anyway
| it is closely correlated with my own use of my applications.
|
| But it seems very odd.
|
| Each time I boot the PC and launch Opera to Google somewhere,
| there is a pause for a second or two for this FIRST web page and
| the status line says: "Connecting to formatting link". Then it
| frees up.
|
| What could be causing this sequential use of local ports? Is it
| something I might have set in XP's registry?

You said -- "My firewall is ANTIVIR." Care to rephrase that? Do you really mean anti virus?

Reply to
David H. Lipman

On Mon, 05 Dec 2005 14:28:49 +0000, Alix wrote:

Read a book about TCP/IP, find out about the magic formula called 'source port' and what distinguishes that from a 'destination port' and once you've understood that uninstall that piece of software firewall-crap.

Normal behavior of an average TCP/IP stack.

No, just read a good book.

Wolfgang

Reply to
Wolfgang Kueter

Correct. Both Unix and Windows use those ports as source ports. That's what is seen in the Local Address column on a netstat -an output. The Foreign Address column will have what you term as normal ports otherwise known as destination ports. That column is the important one when looking for unwanted connections.

donnie

Reply to
Donnie

Usually the source ports in outgoing connections are much higher, like 32000+. 1030, 1031, etc. are pretty unlikely to be used as ephemeral source ports.

Reply to
Barry Margolin

Oops. Yes, you are quite right.

The antivirus is ANTIVIR and the firewall is FILSECLAB.

Sorry for any confusion.

Reply to
Alix

Wrong, it depends on the stack implementation, in general the use of the port range from 1024 upwards as source-port is an absolutely normal stack behavior.

Sample netstat output snippet from an average win2000 box:

C:\Dokumente und Einstellungen\wk>netstat -an

Aktive Connections

  Proto  Local Address       Remoteaddress        Status
  TCP    192.168.1.3:1123    192.168.1.254:445    Established
  TCP    192.168.1.3:1131    192.168.1.254:143    Established
  TCP    192.168.1.3:1132    192.168.1.254:143    Established
  TCP    192.168.1.3:1133    192.168.1.254:22     Established
  TCP    192.168.1.3:1910    146.48.98.96:80      Established
  TCP    192.168.1.3:1911    146.48.98.96:80      Established
  TCP    192.168.1.3:1924    192.168.1.4:139      Established
  TCP    192.168.1.3:1931    192.168.1.254:25     Established
  TCP    192.168.1.3:1934    64.233.183.124:80    Established
  TCP    192.168.1.3:3389    192.168.1.19:41835   Established
  TCP    192.168.1.3:1939    64.233.183.124:80    Established
  TCP    192.168.1.3:1946    212.60.1.145:119     Established

Wolfgang

Reply to
Wolfgang Kueter
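
Added example (not part of any post in this thread): a small Python parser that reads `netstat -an` text and separates outbound connections, where the local port is just an ephemeral source port, from inbound ones, where the local port is a listening service. The sample is constructed: the ESTABLISHED rows reuse address pairs from the output above, the LISTENING rows and the function names `classify` and `services_contacted` are assumptions made for the illustration.

```python
import re

# Constructed sample in the English `netstat -an` layout. The ESTABLISHED rows
# reuse address pairs from the thread; the LISTENING rows are assumed.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.3:1131       192.168.1.254:143      ESTABLISHED
  TCP    192.168.1.3:1132       192.168.1.254:143      ESTABLISHED
  TCP    192.168.1.3:1133       192.168.1.254:22       ESTABLISHED
  TCP    192.168.1.3:1910       146.48.98.96:80        ESTABLISHED
  TCP    192.168.1.3:3389       192.168.1.19:41835     ESTABLISHED
  TCP    192.168.1.3:1946       212.60.1.145:119       ESTABLISHED
"""

# proto, local addr:port, foreign addr:port, state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$", re.I)


def classify(netstat_text):
    """Split established TCP connections into (outbound, inbound) lists."""
    rows = [m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m]
    # Ports this host is serving on, taken from the LISTENING rows.
    listening = {int(lport) for _, lport, _, _, state in rows
                 if state.upper() == "LISTENING"}
    outbound, inbound = [], []
    for _, lport, raddr, rport, state in rows:
        if state.upper() != "ESTABLISHED":
            continue
        conn = {"local_port": int(lport), "remote": raddr,
                "remote_port": int(rport)}
        # A local port that is also LISTENING belongs to a local server, so
        # the peer connected to us; otherwise it is our own source port.
        (inbound if int(lport) in listening else outbound).append(conn)
    return outbound, inbound


def services_contacted(outbound):
    """Remote (address, port) pairs: what the Foreign Address column tells you."""
    return sorted({(c["remote"], c["remote_port"]) for c in outbound})


if __name__ == "__main__":
    out, inb = classify(SAMPLE)
    print("outbound source ports:", [c["local_port"] for c in out])
    print("remote services      :", services_contacted(out))
    print("inbound connections  :", inb)
```

On the sample, the ascending local ports 1131 to 1946 all land in the outbound list, and the only connection a remote host opened to this machine is the one to local port 3389.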

On Tue 06 Dec 2005 08:40:15, Wolfgang Kueter wrote:

I am the OP and I get the following sort of result. (Apologies if the line wrap does not work properly.)

You can see the port numbers go from 2087 to 2093. I suspect this morning they started at 1024 or something like that.

Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 0/60 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 54/0 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 54/0 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 728/116 12:59 domino.newhall.gov.uk/web/html.nsf/full-default.css
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 0/60 12:59 ACK
Pass SYSTEM HTTP/Out 62.107.125.121/2089 172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59 RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2090 172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 2805/77235 12:59 194.201.98.217/Committee/CE_CommRepository.nsf/vSCByCD?OpenForm&RestrictToCategory=Development+Committee&tip=committee
Pass named UDP/Out 62.107.125.121/1025 199.166.31.3/53 2188/4140 12:59 RDSD|RT:10|No.10000
Pass SYSTEM HTTP/Out 62.107.125.121/2088 172.16.16.16/80 62/0 12:59 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59 RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2091 172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59 RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2092 172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 13:00 RDSD|RT:6|No.10000
Pass SYSTEM HTTP/Out 62.107.125.121/2092 172.16.16.16/80 62/0 13:00 SYN
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 62/0 13:00 SYN
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 0/62 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 1060/412 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 0/60 13:00 ACK
Pass SYSTEM HTTP/Out 62.107.125.121/2089 172.16.16.16/80 62/0 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2090 172.16.16.16/80 62/0 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 798/6133 13:00 formatting link
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2091 172.16.16.16/80 62/0 13:00 RDSD|RT:10|No.10000

[I have changed my IP number slightly to mask its actual value.]

Reply to
Alix

I posted the monitor from Filseclab so you could confirm that it reads as if it is a local port which is being used in the way I describe.

Are you saying that it is normal behavior of the TCPIP stack that I am going out of port 80 and using those ascending port numbers as I try to access various web and news servers?

I am going to get a hardware firewall when I can afford to.

Reply to
Alix

What you observe is plain normal behavior.

Of course, yes. There is a difference between client and server and destination port and source port. Both major transport protocols (which are tcp and udp) when connecting a service on a remote machine will contact the destination machine on the well known destination port for the particular service (80 for web/http, 119 for news/nntp, 110 for pop3, 25 for smtp ...) and use a random source port usually above 1024 to receive the answer packets from the remote machine. That is just how a tcp/ip stack works. Ascending source port numbers are nothing to worry about. Ascending TCP sequence numbers however would of course be a completely different story.

Please read documents like:

formatting link

Your stack won't behave any different with a hardware firewall. What you observe is totally normal behavior and absolutely nothing to worry about.

Wolfgang

Reply to
Wolfgang Kueter

Thanks for the info Wolfgang. Thanks too for two very good links.

I was thinking of the hardware firewall as a better replacement for a personal software firewall.

I find that the config requirements of many software firewalls can get more complicated than I am able to handle! Things like making sure various utility servers get through (DHCP, UBR, DNS, etc) and distinguishing between WAN and private IP addresses all makes my head spin!

Reply to
Alix
