Vital ports between 1024 and 10000

Started by July 15, 2004 03:29 PM
1 comment, last by Crispy 20 years, 2 months ago
What are the vital ports (if there are any) between 1024 and 10000 that I should keep open? In my case, my Linux firewall is being spammed by something in that vicinity. The odd thing is, initially I blocked ports 3000-5800 and everything went back to normal; however, a few hours later the ping was sky-high and packet loss was >20% again. When I blocked 3000-6000, no webpage could be loaded (AFAIK, all vital ports for browsing should be < 1024). I now also dropped everything from 2000 to 3000 and things seem to be normal again, but I have no way of remotely checking whether the local networks can actually access the Internet.

There are a couple of questions I'd like to ask:

1) Is there any way of knowing which port(s) get(s) this extra activity without having some traffic grapher installed?

2) Is it possible to write a script that would automatically block a port if the number of requests on it is too high (also, is there any place to get this script, because I can't write it)?

3) Are there viruses that adapt to blocked ports (e.g., pick a new port if they see they can't get through)? What's the best way of identifying them if I don't know the precise port they're using?

4) Is there any way of remotely testing whether a subnet terminal can access the Internet without having access to that terminal (I only have access to the Linux router, which can see both inside as well as outside)?

Thanks for your time!
"Literally, it means that Bob is everything you can think of, but not dead; i.e., Bob is a purple-spotted, yellow-striped bumblebee/dragon/pterodactyl hybrid with a voracious addiction to Twix candy bars, but not dead."- kSquared
How are you blocking these ports?

A simplistic approach might end up blocking the packets because the client is coming from ports that high, not because it's talking to ports that high. (And remember: when the server responds, the destination port is that high address on the client.)
I'm using a simple FORWARD chain port range DROP, e.g.:

    # drop every forwarded TCP packet whose destination port is 3000-5800,
    # regardless of which interface it arrived on or where it is headed
    iptables -A FORWARD -p TCP --dport 3000:5800 -j DROP

It makes no difference what the traffic is for, where it comes from, or where it goes to; currently it's leeching the entire connection dry (ping goes up to 500-800 and packet loss surges to 20-30%).
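The reply above is the key to both the browsing breakage and question 1: a LAN client browsing the web uses a high ephemeral source port (3000-6000 is exactly where Windows clients of that era allocate them), and the web server's replies come back with that high port as their destination, so a `--dport 3000:6000 DROP` on FORWARD kills every web session as surely as it kills the unwanted traffic. The usual fix is to restrict the DROP to new inbound connection attempts (`-i eth0 -p tcp --syn --dport 3000:6000 -j DROP`, assuming eth0 is the Internet side), and the usual way to find out which port is being hammered without a traffic grapher is to log those same SYNs (`-i eth0 -p tcp --syn -j LOG --log-prefix "FWD "`) and count them. The script below is an added example written for this thread, not code from the original posts: it parses kernel `LOG` lines of the format iptables emits, tallies destination ports only for new inbound TCP connections from the WAN side, and flags any port over a threshold, which is the core of the auto-block script asked about in question 2. The interface names, the log prefix, the threshold and every sample log line are constructed assumptions; the naive count is included to show how counting every packet's DPT would wrongly blame the LAN client's own ephemeral port.

```python
#!/usr/bin/env python3
"""Tally iptables LOG lines to find which destination port is being hammered.

Added example for this thread; interface names, log prefix and sample lines
are assumptions, not values from the original posts.
"""
import re
from collections import Counter

WAN_IF = "eth0"  # assumption: eth0 faces the Internet, eth1 the LAN

# iptables LOG output is a run of KEY=VALUE fields plus bare TCP flag names
FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

# Constructed sample: five SYNs from two outside hosts to LAN port 3847,
# one LAN client opening a web session from ephemeral port 3345, and the
# web server's replies arriving on eth0 with DPT=3345.
SAMPLE_LOG = """\
Jul 15 15:29:01 router kernel: FWD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=1345 DPT=3847 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 15:29:01 router kernel: FWD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.11 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=1346 DPT=3847 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 15:29:01 router kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.12 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=3 DF PROTO=TCP SPT=2201 DPT=3847 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 15:29:02 router kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.13 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=4 DF PROTO=TCP SPT=2202 DPT=3847 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 15:29:02 router kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.14 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=5 DF PROTO=TCP SPT=2203 DPT=3847 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 15:29:02 router kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=192.0.2.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6 DF PROTO=TCP SPT=3345 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 15:29:02 router kernel: FWD IN=eth0 OUT=eth1 SRC=192.0.2.80 DST=192.168.1.20 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=7 DF PROTO=TCP SPT=80 DPT=3345 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jul 15 15:29:02 router kernel: FWD IN=eth0 OUT=eth1 SRC=192.0.2.80 DST=192.168.1.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=54 ID=8 DF PROTO=TCP SPT=80 DPT=3345 WINDOW=5840 RES=0x00 ACK URGP=0
Jul 15 15:29:03 router kernel: FWD IN=eth0 OUT=eth1 SRC=192.0.2.80 DST=192.168.1.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=54 ID=9 DF PROTO=TCP SPT=80 DPT=3345 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jul 15 15:29:03 router kernel: FWD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.15 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=10 DF PROTO=TCP SPT=1347 DPT=3847 WINDOW=16384 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "PROTO" not in fields or "IN" not in fields:
        return None
    fields["FLAGS"] = set(FLAG_RE.findall(line))  # URGP=0 does not match URG
    return fields


def is_new_inbound(fields):
    """True for a bare SYN that arrived on the WAN interface: a fresh connection
    attempt from outside, as opposed to a server's reply to a LAN client."""
    return (
        fields.get("IN") == WAN_IF
        and fields.get("PROTO") == "TCP"
        and "SYN" in fields["FLAGS"]
        and "ACK" not in fields["FLAGS"]
    )


def count_dports(lines, only_new_inbound=True):
    """Count destination ports. With only_new_inbound=False this is the naive
    count that also charges replies to the LAN client's ephemeral port."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None or "DPT" not in f:
            continue
        if only_new_inbound and not is_new_inbound(f):
            continue
        counts[int(f["DPT"])] += 1
    return counts


def ports_over_threshold(counts, threshold):
    """(port, count) pairs with at least `threshold` hits, busiest first."""
    hot = [(p, c) for p, c in counts.items() if c >= threshold]
    return sorted(hot, key=lambda pc: (-pc[1], pc[0]))


def sources_for_port(lines, port):
    """Which outside addresses are opening connections to `port`."""
    srcs = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f and is_new_inbound(f) and int(f.get("DPT", -1)) == port:
            srcs[f["SRC"]] += 1
    return srcs


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("naive DPT count (wrongly includes replies):", count_dports(lines, only_new_inbound=False))
    print("new inbound connections per DPT:", count_dports(lines))
    for port, n in ports_over_threshold(count_dports(lines), 5):
        print(f"port {port}: {n} new inbound SYNs from {dict(sources_for_port(lines, port))}")
        # an auto-block script would emit a targeted rule here, for example
        # iptables -I FORWARD -i eth0 -p tcp --syn --dport PORT -j DROP
```

In the constructed sample the naive count reports 3345 as a busy port even though it is only the LAN client's own browser session; the direction- and flag-aware count shows the single real offender, 3847, together with the outside addresses responsible. Fed from `/var/log/kern.log` (or `dmesg`) instead of `SAMPLE_LOG`, and rate-limited with `-m limit` on the LOG rule so that the flood does not fill the disk, this is enough to answer question 1 and to drive the per-port block of question 2 without touching the ports that browsing depends on.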
