Is it okay to allow inbound connections for browsers?

I am using Bitdefender Internet Security 2012. In application rules for firefox, IE incoming traffic is allowed by default. The firewall has general settings to block incoming ICMP. Do I need to block incoming connections for browsers? Any advice will be helpful. I have attached screenshots of firewall settings

http://i55.tinypic.com/2ia5pmp.jpg

http://i51.tinypic.com/24m8hkw.jpg

http://i56.tinypic.com/ejfvpy.jpg

 

There are no reasons to allow inbound connections; and they are only risky for security.

 

The profile for the adapter is set to public and all ports are stealth. But the setting to allow incoming traffic to browsers is confusing. I wonder whether this will be used by a malicious website to gain entry.

 

A browser should only require an outgoing rule. Try it that way and if it works, then there's no need to enable incoming for it. I haven't used Bitdefender so I'm not sure how the rule behaviour works with it, but outgoing is all that should be needed.

 

Are you using P2P on it?

 

NIS creates allow inbound rules for Firefox too.

 

Some browsers include in their installation somewhat hidden, non-obvious, chat plugins or extensions or file and picture sharing local server. Unless those, often hidden, installed items are disabled, automatic rule creation will make rules for incoming connections. I recently saw Chatzilla in SeaMonkey browser, a close relative to Firefox. And Opera might come with a sharing thing - easily disabled, but one needs to watch this sort of thing. Disable those extras and watch the firewall rules and logs.

Just my 5 cents

 

Firewall rules should not allow inbound packets.

This rule is universal. Some of these suites or 3rd party products create rules at setup and they are never TOO tight always TOO loose.

If you are using genrated rules from BD, what I would do is go through every application rule set and delete any inbound rule.

If there are no incoming rules then all unrequested incoming packets will be denied.

If you are behind a router that is even better.

 

Yes they should, for any connectionless protocol. A rule to allow inbound TCP (for a browser) suggests a packet filter unable to keep track of TCP connections.

It depends on your firewall. Do you have DNS service (in services.msc) enabled? If so, as suggested, try limiting FF to TCP, outbound only. If it breaks, then you're using a stateless firewall.
But even if a firewall is stateful, if the DNS service is disabled, then FF will make its own lookups (over UDP), so that may explain a need for such an open rule.

 

Thanks for the suggestions . I will try outbound only rules for browsers. I have also created a thread in bitdefender forum. Let's see what I can get from them.

 

Hi Nick:

I suggest the orginal poster read and study Stems thread:

https://www.wilderssecurity.com/showthread.php?t=142036

UDP is without direction BUT we are attempting to limit incoming packets to ONLY those we have requested.

Have a look at the stickies rules for Browsers again

 

In my opinion, based on Paranoid/Stem thread, and Paranoid guide to secure Outpost and CrazyM rules, inbound connection not needed. Because whether it's DNS by svchost, or application rules (DNS client service off), computer establishes outbound connection, and the DNS server's incoming UDP replies follow on that connection.
DNS server is not connecting to the computer.
I still think it's something installed within the browser which causes automatic rule to permit inbound connection.

 

It could be! Those stickies of Paranoid and Stem are great references!
wonder what he could have going on with that browser?

 

Yup, but so are the so clearly described CrazyM rules in the sticky in this forum section.

Browser issue - Escalader, just check this one out - 2 browsers, 2 applications do it
http://www.outpostfirewall.com/forum/archive/index.php/t-26392.html?

 

Bitdefender firewall doesn't seem to remember the custom settings . After I set outbound only rules for browsers it reverted back to both direction (default) settings. There are tests to analyse firewall for outbound connections. Is there any test that test inbound security using our browser? I think pcflank has such a test. I have to check that site. I cannot use GRC as only my modem firewall can be tested with it.

 

Thanks, I was there in the past with these presets that outpost generates for you if the user doesn't disable the updates to rules.

I went through mine 1 by 1 removed ALL allowed incoming. Some products have hidden hard coded in/outs. But lets not go down that path. The only way to stop that is don't use the product OR block their ip/web sites.

The gurus there indicate that they find these presets too loose for most of us tweaker people (me)

When we install add ins knowingly or by error they then to some extent they seem to bypass our rules. Don't like that much.