from port 80 to ports above 1024 on the outside. What is this?!
If you are seeing dropped packets from port 80 on your web server (or from port 25 on your mail server) to high ports on the outside, they usually DO NOT mean that your web server is trying to connect somewhere. They are the result of the firewall timing out a connection, and seeing the server retransmitting old responses (or trying to close the connection) to the client. TCP connections always involve packets traveling in BOTH directions in the connection. If you are able to see the TCP flags in the dropped packets, you’ll see that the ACK flag is set but not the SYN flag, meaning that this is actually not a new connection forming, but rather a response of a previously formed connection. Read point 8 below for an in-depth explanation of what happens when TCP connections are formed (and closed) C.9 The anatomy of a TCP connection TCP is equipped with 6 “flags”, which may be ON or OFF. These flags are: FIN “Controlled” connection close SYN Open new connection RST “Immediate” conne
