It's not a big thing, but I noticed a few hits on my firewall (iptables) that don't make a lot of sense. Looking deeper I have actually seen the same sort of hit on a couple of not-even-close boxes I have online. The relevant section of my iptables script: All fairly boring, with the added security of specific stateful-packet-inspection (originally put in for some logging metrics). And this is what is showing up in the logs ... a lot of those (hundreds per day), from various IP addresses. To my understanding, there are two explanations for this. 1) I am browsing a website and the response isn't making it back though. Possible, but I am not browsing at all, and any legitimate checks (updates etc) were disabled for testing. Also, the firewall should allow the established connection through. Finally standard browsing/wget/yum/apt etc are all working fine. or 2) People are attempting to port scan, by appearing as a legitimate http responses. Now I understand port scanning (and see a fair bit of it on the standard set of ports), but why would you go after these VERY random high ports, seriously who is running something on 1824, 32803, 43733, 1234, 17258, 12524 or any of the hundreds of other random ports. Am I missing something?