The firewall state table keeps track of connections more closely than that.
A machine on the local LAN could open port 80 as the source port on an
outbound connection, but only whatever it was talking to would be able
to talk back to it, since the state table tracks source and destination
address and port.
I may have missed part of this conversation, but I don't think I've seen
which version of Monowall this was referring to. If this is with the
1.3 beta, I have seen some really weird things using it as well (though
my issues were all related to protocols other than TCP).
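A small simulation of the point made above, added here as an illustration and not code from m0n0wall or from anyone in this thread: a state table keyed on protocol, source/destination address and port, matched in both directions, admits the peer's replies to an outbound connection that used 80 as its source port but gives an unrelated host no way in on LAN port 80. The addresses are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample addresses (not from the thread): a LAN host, the web
# server it talks to, and an unrelated Internet host probing LAN port 80.
LAN_HOST = "192.168.1.10"
REMOTE_SERVER = "203.0.113.5"
OTHER_HOST = "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a new-connection attempt

class StateTable:
    """Model of a stateful firewall's state table: each state is keyed on
    protocol plus source/destination address and port and is matched in
    both directions, so only the original peer's replies fit an entry."""
    def __init__(self):
        self.states = set()

    def _key(self, p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _reverse_key(self, p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p, lan_hosts):
        """Pass a packet that belongs to an existing state; otherwise only a
        new outbound connection from a LAN host creates a state. Anything
        else, such as an unsolicited inbound connection to port 80, drops."""
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass (state)"
        if p.syn and p.src in lan_hosts:
            self.states.add(self._key(p))
            return "pass (new state)"
        return "drop"

def demo():
    fw, lan = StateTable(), {LAN_HOST}
    # LAN host opens an outbound connection using 80 as its *source* port.
    out = fw.filter(Packet("tcp", LAN_HOST, 80, REMOTE_SERVER, 443, syn=True), lan)
    # The server it talked to replies; this matches the reverse of that state.
    reply = fw.filter(Packet("tcp", REMOTE_SERVER, 443, LAN_HOST, 80), lan)
    # An unrelated host aims at LAN port 80: no state matches, so it is dropped.
    probe = fw.filter(Packet("tcp", OTHER_HOST, 12345, LAN_HOST, 80, syn=True), lan)
    return out, reply, probe
```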
From: David Burgess [mailto:apt dot get at gmail dot com]
Sent: Wednesday, May 23, 2007 12:58 PM
To: Monowall Support List
Subject: Re: [m0n0wall] Mystical open port 80...can't block
Couldn't a connection originating on the LAN open port 80 and keep it
open? Like a trojan or something? If you have a rule to explicitly block
that port but there is already a session open there, then wouldn't
the firewall state table kill the session and block the port?