Firewall configuration for Firefox's new plugin-container.exe??

Discussion in 'other firewalls' started by Keyboard_Commando, Aug 3, 2010.

Thread Status:
Not open for further replies.
  1. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Hi, I am looking for the safest way to configure the new feature in Firefox, the 'plugin-container.exe'. My firewall now requires a seperate plugin-container set of rules - nice of Firefox to make life more difficult.

    Should I apply the same set of firewall rules to plugin-container, same as for the browser? as described here. The browser plugins functioned through Firefox with no problems using these.

    My other question is, do I also apply UDP rules (in the link) to plugins, or should plugins only need TCP outgoing connections? Can I block all outgoing/incoming UDP connections?. The reason I ask, my browsing trials so far haven't shown up one request from plugin-container for UDP outgoing. (I realise this question might differ from pc to pc) but are there any foreseen problems?

    Any thoughts on this are appreciated. Thanks.
     
  2. wat0114

    wat0114 Guest

    Only remote TCP port 1935 is required for the plugin-container. The only other FF rule I have, besides for the browser, is for updater.exe, which I restricted to remote TCP ports 80 & 443. Hope this helps :)
     

    Attached Files:

  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    >> nice of Firefox to make life more difficult.

    idd - firefox has less crashes wit this feature :D (although i never had really crashes)
    please read about before you judge.

    rules - some firewalls need nothing - some firewalls blocks all.
    i gave same rights but EXE never wanted web access.
    HIPS here (Malware Defender) granted access back to firefox.exe

    oh, i see - port 843 for something to adobe - but thats normal
    cause it uses Flash in the container. otherwise NO web access.
    (in the list with firefox 3.6, nothing for firefox 4.0 beta)

    btw blocking plugin-container.exe causes firefox or flash hanging or crashing.
    (EXE supports IMO REAL, QT and MS Silverlight plugin)

    you cant turn the container off but then you will get firefox crashes back.
    for less reasons users should do that but not in general.
     
  4. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Hey thanks for the reply mate. I set up the firewall to run plugin-container just TCP outbound port 1935, but some flash wouldn't load, but only for some sites. I tried a whole bunch of websites playing clips to test this. So I added ports 80, 443, 843, and 443 seems to be the one that cures it for me! I left the 2 orthers as well, just incase.

    @ Brummelchen, apparently so. Firefox may have reduced crashes with this added feature. I did resist change and disabled the plugin-container totally. But it wasn't playing too well with Sandboxie. Anyway looks like it is all sorted now. And I can enjoy a crash-free Firefox, maybe. Thanks.
     
  5. wat0114

    wat0114 Guest

    Okay, interesting, I've yet to see the need for port 443 yet, but I'll keep it in mind if I encounter a Flash site that doesn't work with my rule. Anyway glad it works for you.
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Doofus has a question: Should this be applied to incoming & outgoing packets? Or only to outgoing?
     
  7. wat0114

    wat0114 Guest

    Aloha bellgamin!

    only an outgoing rule is necessary. For example:

    Application=plugin-container.exe

    Protocol=TCP

    Direction=Outbound

    Remote port=1935, 443

    local port= Any

    Remote ip= Any

    Local ip= any (or for XP you could use the ephemeral range=1024-5000)
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Mahalo nui loa -- MANY thanks! :thumb: :D
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    It's actually better this way, it gives you more granular control over the feature. Before it was just bundled in with Firefox and had a "mind of it's own" so to speak.

    I have it blocked and I've never had any problems. No crashes, and videos load just fine. The way I see it I deny everything I don't know a lot about by default. If it ruins the functionality for something I need, then I'll allow it. If not... then it doesn't need the access rights it's asking for.
     
  10. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    The new setup with the Plugin-Container.exe is better than the previous way. You can go ahead and block the plugin-container from internet access without any problems.

    The container gives you more control over the plugin behavior. Blocking it keeps plugins from "phoning home" for unnecessary reasons.

    Firefox's change is a positive for privacy and plugin control! It gives the user more control and more stability.
     
  11. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Hm funny, i have blocked plugin-container from accessing the web and everything works just fine (youtube etc) o_O?
     
  12. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
    Which plugins are known to be phoning home? Thanks for the information.
     
  13. wat0114

    wat0114 Guest

    Depending on the website/content, your luck may run out. If I block it and attempt to view videos at calgarysun.com...

    Code:
    The Windows Filtering Platform has blocked a packet.
    
    Application Information:
    	Process ID:		1792
    	Application Name:	\device\harddiskvolume1\program files (x86)\mozilla firefox\plugin-container.exe
    
    Network Information:
    	Direction:		Outbound
    	Source Address:		192.168.1.68
    	Source Port:		49609
    	Destination Address:	207.148.159.76
    	Destination Port:		1935
    	Protocol:		6
     

    Attached Files:

  14. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    you can disable the plugin container by going to about:config in firefox and type in IPC, and change them all to false
     
Loading...
Thread Status:
Not open for further replies.