Markus A. Radner wrote:
If you take a look at the following entry of my log file you will see that someone from source port 80 is connecting to (or trying to?) my local port 1077. So I am curious. Which software is running there, or at any other (high) port of interest? Is there any way to find out? (OK, I know that there's a list of ports and protocols for low ports in /etc/protocols; but what about higher ports?)
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)
Again, this is the *answer* from the http server at 64.151.x.x, port 80. Basically (most of the time), TCP/UDP services accept connections on low ports (<1024), and clients connect to these services from high ports (>1024). Return packets use the same connection (ports).
And don't forget that NAT has been done in the meantime. NO ONE CAN ROUTE TO THE LOCAL 192.168.0.2 ADDRESS FROM OUTSIDE. To be exact, you have to say that NAT (Network Address Translation) and PAT will be done by the SuSE Firewall. Both in combination are called MASQUERADING. This manipulates the answer packets. Otherwise your LAN behind the firewall can't address locations on the internet. I am sure that you have only one official IP given by your provider! All clients in your LAN have to share this one IP, and this is done by MASQUERADING. So you can't conclude the real port allocated on the outside from the given log entry. For this you have to do a *tcpdump* on your outside interface, and then do another http request. This will clear up much of the confusion.

Tom
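The two replies above make two points that are easy to check mechanically: a packet with SPT=80, DPT>1023 and only the ACK flag set is the return half of a connection the LAN client opened, not someone connecting in; and because the SuSE firewall masquerades, the port the outside world sees is not the 1077 in the log. The following script is an added illustration and is not code from the thread or from SuSE. It parses the log entry format shown above (the sample line is constructed, with 64.151.1.2 standing in for the masked 64.151.x.x), classifies the direction of the packet, and models the masquerading table with a toy class whose public IP and port range are assumptions for the example.

```python
"""Classify a SuSE-FW style log entry and model how masquerading rewrites ports.

Added example; not code from the mailing-list thread. The sample line is
constructed from the shape of the entry quoted in the question.
"""

# Constructed sample: same field layout as the thread's entry, masked octets filled in.
SAMPLE_LINE = (
    "SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 "
    "SRC=64.151.1.2 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 "
    "PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)"
)

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_fw_line(line):
    """Split a netfilter-style log line into KEY=VALUE fields plus a set of TCP flags."""
    tokens = line.split()
    fields = {"tag": tokens[0], "flags": set()}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # OUT= becomes an empty string, as in the log
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)     # bare flag words such as ACK or SYN
    return fields


def classify(fields):
    """Decide whether the packet opens a connection to us or answers one we opened."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    flags = fields["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is a genuine attempt to reach a local listener on DPT.
        return "inbound-connection-attempt"
    if "ACK" in flags and spt < 1024 and dpt >= 1024:
        # Well-known source port answering to an ephemeral port: the reply
        # half of a connection a local client started (the thread's case).
        return "reply-from-remote-service"
    return "established-traffic"


class MasqueradeTable:
    """Toy model of the firewall's NAT+PAT (masquerading) table; an assumption for illustration."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def translate_outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Rewrite a LAN client's source to the single official IP and a fresh port."""
        key = (lan_ip, lan_port, remote_ip, remote_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.public_ip, self.outbound[key])

    def translate_reply(self, remote_ip, remote_port, public_port):
        """Map a reply arriving at the public port back to the LAN host and port."""
        return self.inbound.get((public_port, remote_ip, remote_port))


def trace_sample(public_ip="203.0.113.5"):
    """Walk the sample entry through the model; public_ip is a constructed placeholder."""
    fields = parse_fw_line(SAMPLE_LINE)
    table = MasqueradeTable(public_ip)
    # The LAN client 192.168.0.2:1077 opened the connection to 64.151.1.2:80 earlier.
    seen_outside = table.translate_outbound(fields["DST"], int(fields["DPT"]),
                                            fields["SRC"], int(fields["SPT"]))
    # The logged packet is the answer after de-masquerading back to the LAN port.
    lan_side = table.translate_reply(fields["SRC"], int(fields["SPT"]), seen_outside[1])
    return {"kind": classify(fields), "outside": seen_outside, "lan": lan_side}


if __name__ == "__main__":
    print(trace_sample())
```

The point the trace makes is the one Tom makes: the outside web server answered to port 61000 on the official IP (in this model), and only the firewall's table turns that back into 192.168.0.2:1077 before the packet is logged. Running tcpdump on the outside interface, as suggested, is what shows the real translated port; this model only shows why the log entry alone cannot.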