
Source Ports are not normal


dannyjones (IS-IT--Management)
Dec 16, 2001
I just set up a PIX 520 6.1(1) -- I've got all the access-lists, groups, and NAT set up -- but I'm not able to restrict inbound activity based on the source port because the source ports I'm seeing in the log are just all over the board (29423, 39351, etc.). If I set the source port in the rule to "any" then it works fine. Why isn't the traffic coming in on port 80, like it should for http? Shouldn't I be able to restrict inbound connections based on the source port?

Personally, I think it's because my ISP (where I have the hardware installed) must have PAT turned on somewhere in one of their routers. But they claim they don't have PAT turned on. But why would I see weird port numbers that increment on my source addresses in the log?

Any ideas? Feedback? Thanks in advance!
 
Hi.

Most protocols do not define the source port, so you simply should not make rules based on source ports.

Remember that the pix is a stateful firewall.
If the local workstation 10.0.0.9 creates an outbound connection to web server 111.222.333.444 port 80, then the return traffic will automatically be allowed for the duration of the TCP session.
This is the same for inbound connections from the Internet to your local/DMZ servers.

Bye
Yizhar Hurwitz
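To make the two points in the reply concrete (the client picks its own ephemeral source port, so a source-port rule does not match real HTTP, while a stateful firewall admits return traffic because of a connection entry rather than an inbound rule), here is an added illustration in Python. It is not PIX code and not part of this thread; the log tuples, the rule format, the addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 plus the 10.0.0.9 from the reply) and the names `Rule`, `evaluate_acl` and `StatefulFirewall` are all constructed for the example.

```python
"""Why matching on the TCP source port fails, and how a stateful firewall
admits return traffic. Added illustration, not PIX configuration; the
packets, rule format and addresses below are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed inbound HTTP packets as a PIX log would show them: the client
# chooses an ephemeral source port per connection; only the destination
# port (80) is fixed by the protocol.
INBOUND_HTTP: List[Packet] = [
    ("203.0.113.10", 29423, "192.0.2.80", 80),
    ("203.0.113.10", 39351, "192.0.2.80", 80),
    ("198.51.100.7", 51234, "192.0.2.80", 80),
]


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_port: Optional[int] = None  # None means "any"
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    _, sport, _, dport = pkt
    return rule.src_port in (None, sport) and rule.dst_port in (None, dport)


def evaluate_acl(rules: List[Rule], pkt: Packet) -> str:
    """First-match ACL with an implicit deny at the end, as on a PIX."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def permitted_count(rules: List[Rule], pkts: List[Packet]) -> int:
    return sum(evaluate_acl(rules, p) == "permit" for p in pkts)


# The rule the original poster tried: source port must be 80.
ACL_BY_SOURCE_PORT = [Rule("permit", src_port=80)]
# The rule that works: any source port, destination port 80.
ACL_BY_DEST_PORT = [Rule("permit", dst_port=80)]


def reverse(pkt: Packet) -> Packet:
    """The 4-tuple of the packets flowing back to the initiator."""
    sip, sport, dip, dport = pkt
    return (dip, dport, sip, sport)


@dataclass
class StatefulFirewall:
    """Minimal connection tracking: an outbound packet permitted by the
    outbound ACL creates a state entry, and an inbound packet that belongs
    to a tracked connection is permitted without consulting the inbound
    ACL. Closing the connection removes the entry."""
    outbound_acl: List[Rule]
    inbound_acl: List[Rule]
    connections: Set[Packet] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> str:
        action = evaluate_acl(self.outbound_acl, pkt)
        if action == "permit":
            self.connections.add(pkt)
        return action

    def inbound(self, pkt: Packet) -> str:
        if reverse(pkt) in self.connections:
            return "permit (state)"
        return evaluate_acl(self.inbound_acl, pkt)

    def close(self, pkt: Packet) -> None:
        self.connections.discard(pkt)


def demo() -> dict:
    """Run both scenarios from the thread and return the decisions."""
    fw = StatefulFirewall(outbound_acl=[Rule("permit")],  # permit all outbound
                          inbound_acl=[])                  # implicit deny inbound
    request = ("10.0.0.9", 51000, "192.0.2.80", 80)       # workstation -> web server
    reply = reverse(request)                              # web server -> workstation
    unsolicited = ("192.0.2.80", 80, "10.0.0.9", 51001)   # no matching state
    results = {
        "src_port_80_rule": permitted_count(ACL_BY_SOURCE_PORT, INBOUND_HTTP),
        "dst_port_80_rule": permitted_count(ACL_BY_DEST_PORT, INBOUND_HTTP),
        "outbound": fw.outbound(request),
        "reply": fw.inbound(reply),
        "unsolicited": fw.inbound(unsolicited),
    }
    fw.close(request)
    results["reply_after_close"] = fw.inbound(reply)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The source-port rule permits none of the three real HTTP connections, while the destination-port rule permits all of them; in the stateful scenario the server's reply is admitted only while the connection entry exists, and an inbound packet with no matching state falls through to the inbound ACL and is denied. The security caveat is the mirror image of the poster's observation: because the client chooses its source port, anyone can send packets from source port 80 (or 53, or 20), so a rule that permits on source port alone lets unsolicited traffic through to any destination port it does not also restrict.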
 
