> Thanks for the correction. Rule #9 was blocking port 1524 as part of a
> set of rules to protect against trin00.
> I have found that port 783 is being used by the spamd portion of Spam
> Assassin but I'm still not sure why it decided to talk to port 1524 this

Firstly, your statement above implies that you have written your firewall
rules as "allow anything that is not explicitly prohibited". This is not
the ideal, which is "allow only that which is explicitly permitted".

Secondly, you have to understand that in any communication there is a
source port and a destination port. A process that acts as a server
listens on a known port (25 for SMTP, 783 for spamd, etc.). The process or
machine that is connecting to that port chooses a source port for the
outgoing packets -- and then listens for the returning packets on that
chosen port (source and destination ports will be reversed for returning

In the case above, the outgoing packets had a destination port of 783 and
a source port of 1524. Had there been any returning packets, those packets
would have had a destination port of 1524 and a source port of 783.

In most cases, the source port can be any port, subject to a few
limitations: most Unix-like OSs restrict ports 0-1023 such that only root
can use them. Other than that, the source port of the outgoing packet can be
anything and it will change each time a new connection is made. It just
happened that in this case, port 1524 was chosen as the source port when
the communication with spamd was made.

The bottom line is that you need to get some better rules in place. There
are many examples on the web.
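
An added example, not part of the original message: a small Python model that runs the connection from this thread (source port 1524, destination port 783) through a default-allow blocklist and through a default-deny allowlist with connection tracking. It assumes rule #9 matched port 1524 as either source or destination; the `Rule`, `Firewall` and `trace` names and port 40000 are constructed for illustration, and addresses and protocols are left out of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None   # match on destination port only
    any_port: Optional[int] = None   # match if source OR destination equals this

    def matches(self, p: Packet) -> bool:
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.any_port is not None and self.any_port not in (p.src_port, p.dst_port):
            return False
        return True

class Firewall:
    def __init__(self, rules, default):
        self.rules, self.default = rules, default
        self.flows = set()           # (src_port, dst_port) of connections already allowed

    def check(self, p: Packet) -> str:
        # A returning packet carries the ports of an allowed flow, reversed.
        if (p.dst_port, p.src_port) in self.flows:
            return "allow"
        # First matching rule wins; otherwise the default policy applies.
        action = next((r.action for r in self.rules if r.matches(p)), self.default)
        if action == "allow":
            self.flows.add((p.src_port, p.dst_port))
        return action

def blocklist() -> Firewall:
    # Default-allow with one blocked port (assumed shape of rule #9).
    return Firewall([Rule("deny", any_port=1524)], default="allow")

def allowlist() -> Firewall:
    # Default-deny: only known service ports are permitted as destinations.
    return Firewall([Rule("allow", dst_port=25), Rule("allow", dst_port=783)], default="deny")

def trace(fw: Firewall) -> list:
    to_spamd = Packet(src_port=1524, dst_port=783)   # the connection from the thread
    reply = Packet(src_port=783, dst_port=1524)      # ports reversed on the way back
    to_1524 = Packet(src_port=40000, dst_port=1524)  # constructed: a connection to port 1524
    return [fw.check(to_spamd), fw.check(reply), fw.check(to_1524)]
```

The blocklist drops the spamd connection only because of the source port it happened to be given, while the allowlist passes it and its reply and still refuses the connection to port 1524.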