Kinkie wrote:
>> That supposes that the connections are with legitimate clients, but since
>> the OP referred to "SOME.RANDOM.IP.ADDR", and "connections ... to the
>> outside world", I suspect it was an open proxy.
>
> Maybe.. It depends on how random they are...
> Still the "destination port is random, source port is my service port"
> pattern is typical in the scenario I described.
>

I'm not disputing that. When you start or restart a firewall it's common for established TCP connections to be disrupted. That's perfectly normal and doesn't require any changes to keep-alives etc.

What's more important is the question of whether the proxy was open, or whether he simply failed to recognize his own IP addresses. People who abuse open proxies aren't normally downloading bible-study material.

I was disputing "nothing to worry about".