I'm using a router-firewall as the first line of defense, along with Zone Alarm as the second. I've seen some entries that shouldn't be in my Zone Alarm's log -- the examples are below.
FWIN,2005/09/22,21:18:10 +2:00 GMT,81.106.248.60:2500,my.ip:2561,TCP (flags:S) FWIN,2005/09/22,21:28:34 +2:00 GMT,81.106.248.60:3101,my.ip:2561,TCP (flags:S) FWIN,2005/09/22,21:38:32 +2:00 GMT,81.106.248.60:3719,my.ip:2561,TCP (flags:S) FWIN,2005/09/22,21:45:40 +2:00 GMT,81.106.248.60:4184,my.ip:2561,TCP (flags:S) FWIN,2005/09/22,21:55:56 +2:00 GMT,81.106.248.60:4917,my.ip:2561,TCP (flags:S) FWIN,2005/09/22,22:04:32 +2:00 GMT,81.106.248.60:1256,my.ip:2561,TCP (flags:S) FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4661,TCP (flags:S) FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4663,TCP (flags:S) FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4664,TCP (flags:S) FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4665,TCP (flags:S) FWIN,2005/09/22,22:14:54 +2:00 GMT,81.106.248.60:1594,my.ip:2561,TCP (flags:S) FWIN,2005/09/22,22:29:44 +2:00 GMT,81.106.248.60:1880,my.ip:2561,TCP (flags:S) FWIN,2005/09/22,22:43:54 +2:00 GMT,81.106.248.60:2132,my.ip:2561,TCP (flags:S)
FWIN,2005/09/23,09:18:22 +2:00 GMT,81.249.136.83:3207,my.ip:2136,TCP (flags:S) FWIN,2005/09/23,09:28:26 +2:00 GMT,81.249.136.83:3438,my.ip:2136,TCP (flags:S)
Basically: ports 4661-4665 shouldn't have been blocked since they were connected to eMule at that time. As for ports 2561 and 2136 -- I have no clue how they got there: they are not portforwarded in the router, and should have been blocked at the first line of defense.
Any thoughts on this? My only suspect right now is Kademlia network in eMule, but I don't know how it can confuse the readings since it should only be using UDP port 4672.