This is a really quick reply, so apologies if anything is incorrect or unclear. Look into the behavior of all your services... I believe some apps will create a new socket elsewhere (53000 for example) once a valid connection has been initiated. Like Apache... httpd will spawn multiple threads, and each thread will answer requests. 80 is simply the service port that is being listened to... actual traffic back and forth takes place on other ports, I believe. These are allowed by the firewall because they aren't NEW connections, they are existing sockets that are simply adding new ports.

That is general info, you'll have to check into specifics yourself. Sorry it's not more complete, I'm running out the door as soon as I post this!