Linux – source and destination ports on TCP connections

Tags: firewall, linux, tcp

Shouldn't TCP connections made to port 80 come from port 80 as well? Or what port do they usually come from when a regular user has a regular browser?
I wonder because I wonder if I can limit incoming ports on my firewall.

tcp      6 156441 ESTABLISHED src=88.242.44.86 dst=74.208.112.246 sport=1164 dport=80 packets=4 bytes=172 src=74.208.112.246 dst=88.242.44.86 sport=80 dport=1164 packets=1 bytes=52 [ASSURED] mark=0 use=1
tcp      6 156065 ESTABLISHED src=78.186.69.124 dst=74.208.112.246 sport=3133 dport=80 packets=4 bytes=168 src=74.208.112.246 dst=78.186.69.124 sport=80 dport=3133 packets=1 bytes=48 [ASSURED] mark=0 use=1
tcp      6 132805 ESTABLISHED src=88.238.245.86 dst=74.208.112.246 sport=3526 dport=80 packets=4 bytes=172 src=74.208.112.246 dst=88.238.245.86 sport=80 dport=3526 packets=1 bytes=52 [ASSURED] mark=0 use=1

Best Answer

No, it comes in from the ephemeral ports.

First some basics. A socket consists of a source port and address, and a destination port and address. That socket describes a single line of communication. A socket describes one connection. When packets are received by the operating system, it looks at these bits of information to decide which application should get the packet. If you wish to see these connections, look at the output of netstat.

If everything destined for port 80 originated from port 80 then you could only ever have one connection between 2 IP addresses. In the real world we frequently want to have multiple connections open to a web (or other) server so we can retrieve things in parallel.

You should also consider the case of something doing network translation (NAT) or, more descriptively and more common these days, Port Address Translation. It would be completely unacceptable to only allow one system behind the NAT device to make connections at a time. So source ports are assigned to each outgoing connection. The NAT device has to keep a translation table that keeps track of which port+address combinations on the outside belong to which port+address combinations on the inside.
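To make the answer concrete, here is an added example (not part of the question or the answer above) that parses the conntrack lines from the question and checks the points made: each connection is identified by the full source/destination address and port four-tuple, the reply direction is that tuple with the endpoints swapped, the client side always sits on an ephemeral port while only the server side is on 80, and a firewall rule that required incoming packets to have source port 80 would match none of these connections. The first three sample lines are copied from the question; the fourth is a constructed line added to show one client IP holding two parallel connections to port 80. The ephemeral-port range used here is an assumption (anything above the well-known ports), since the exact range depends on the client operating system.

```python
"""Parse nf_conntrack TCP entries and check which side uses the ephemeral port."""
import re
from typing import List, NamedTuple, Tuple

# Four-tuple that identifies one TCP connection (the "socket pair" from the answer).
FourTuple = Tuple[str, int, str, int]


class Entry(NamedTuple):
    state: str
    orig: FourTuple   # (src, sport, dst, dport) as the client sent it
    reply: FourTuple  # (src, sport, dst, dport) as the server answers


# Three lines copied from the question, plus one constructed line (the last) that
# shows the same client IP holding a second, parallel connection to port 80.
SAMPLE_CONNTRACK = """\
tcp      6 156441 ESTABLISHED src=88.242.44.86 dst=74.208.112.246 sport=1164 dport=80 packets=4 bytes=172 src=74.208.112.246 dst=88.242.44.86 sport=80 dport=1164 packets=1 bytes=52 [ASSURED] mark=0 use=1
tcp      6 156065 ESTABLISHED src=78.186.69.124 dst=74.208.112.246 sport=3133 dport=80 packets=4 bytes=168 src=74.208.112.246 dst=78.186.69.124 sport=80 dport=3133 packets=1 bytes=48 [ASSURED] mark=0 use=1
tcp      6 132805 ESTABLISHED src=88.238.245.86 dst=74.208.112.246 sport=3526 dport=80 packets=4 bytes=172 src=74.208.112.246 dst=88.238.245.86 sport=80 dport=3526 packets=1 bytes=52 [ASSURED] mark=0 use=1
tcp      6 120000 ESTABLISHED src=88.242.44.86 dst=74.208.112.246 sport=1165 dport=80 packets=3 bytes=160 src=74.208.112.246 dst=88.242.44.86 sport=80 dport=1165 packets=1 bytes=52 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
STATE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+)")


def parse_conntrack(text: str) -> List[Entry]:
    """Turn each nf_conntrack TCP line into an Entry with original and reply tuples."""
    entries = []
    for line in text.splitlines():
        m_state = STATE_RE.match(line)
        tuples = TUPLE_RE.findall(line)
        if not m_state or len(tuples) != 2:
            continue  # not a TCP entry we understand; skip rather than guess
        (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
        entries.append(Entry(
            state=m_state.group(1),
            orig=(osrc, int(osp), odst, int(odp)),
            reply=(rsrc, int(rsp), rdst, int(rdp)),
        ))
    return entries


def reply_mirrors_original(e: Entry) -> bool:
    """The reply direction is the original four-tuple with the endpoints swapped."""
    src, sport, dst, dport = e.orig
    return e.reply == (dst, dport, src, sport)


def is_ephemeral(port: int) -> bool:
    """Assumption: anything above the well-known range counts as ephemeral.
    The real range is OS-specific (modern Linux defaults to 32768-60999; the
    1164/3133/3526 values in the question are typical of older Windows clients)."""
    return 1024 <= port <= 65535


def client_ports_are_ephemeral(entries: List[Entry], service_port: int = 80) -> bool:
    """For every connection to service_port, the client side uses an ephemeral port."""
    return all(e.orig[3] == service_port and is_ephemeral(e.orig[1])
               for e in entries)


def would_survive_sport_filter(entries: List[Entry], service_port: int = 80):
    """Count connections an INPUT rule would admit if it required the packet's
    source port to be service_port (the questioner's idea) versus requiring the
    destination port to be service_port."""
    by_sport = sum(1 for e in entries if e.orig[1] == service_port)
    by_dport = sum(1 for e in entries if e.orig[3] == service_port)
    return by_sport, by_dport


def distinct_connections(entries: List[Entry]) -> int:
    """Connections are distinguished by the full four-tuple, so one client IP can
    hold several parallel connections to the same server port."""
    return len({e.orig for e in entries})


if __name__ == "__main__":
    conns = parse_conntrack(SAMPLE_CONNTRACK)
    for e in conns:
        print(f"{e.orig[0]}:{e.orig[1]} -> {e.orig[2]}:{e.orig[3]}  "
              f"reply mirrors original: {reply_mirrors_original(e)}")
    print("client ports ephemeral:", client_ports_are_ephemeral(conns))
    print("admitted by sport=80 rule / dport=80 rule:", would_survive_sport_filter(conns))
    print("distinct connections:", distinct_connections(conns))
```

The practical takeaway for the firewall question is in `would_survive_sport_filter`: a stateful rule should match on the service's destination port (and connection state), never on the client's source port, which the client picks from its ephemeral range.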