Is it okay to allow inbound connections for browsers?

Discussion in 'other firewalls' started by sm1, Sep 30, 2011.

Thread Status:
Not open for further replies.
  1. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    520
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    There are no reasons to allow inbound connections; and they are only risky for security.
     
  3. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    520
    The profile for the adapter is set to public and all ports are stealth. But the setting to allow incoming traffic to browsers is confusing. I wonder whether this will be used by a malicious website to gain entry.
     
  4. wat0114

    wat0114 Guest

    A browser should only require an outgoing rule. Try it that way and if it works, then there's no need to enable incoming for it. I haven't used Bitdefender so I'm not sure how the rule behaviour works with it, but outgoing is all that should be needed.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Are you using P2P on it?
     
  6. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    814
    NIS creates allow inbound rules for Firefox too.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    Some browsers include in their installation somewhat hidden, non-obvious, chat plugins or extensions or file and picture sharing local server. Unless those, often hidden, installed items are disabled, automatic rule creation will make rules for incoming connections. I recently saw Chatzilla in SeaMonkey browser, a close relative to Firefox. And Opera might come with a sharing thing - easily disabled, but one needs to watch this sort of thing. Disable those extras and watch the firewall rules and logs.

    Just my 5 cents :)
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Firewall rules should not allow inbound packets.

    This rule is universal. Some of these suites or 3rd party products create rules at setup and they are never TOO tight always TOO loose.

    If you are using genrated rules from BD, what I would do is go through every application rule set and delete any inbound rule.

    If there are no incoming rules then all unrequested incoming packets will be denied.

    If you are behind a router that is even better.:cool:
     
  9. siberianwolf

    siberianwolf Registered Member

    Joined:
    Feb 15, 2009
    Posts:
    516
    if you ain't familiar w/ setting fw rules and ain't knowledgeable 'bout the way they work under the hood, then my fella, you should not mess w/ the default settings.
    cheers
     
  10. siberianwolf

    siberianwolf Registered Member

    Joined:
    Feb 15, 2009
    Posts:
    516
    and here's your 3¢ change. all it takes is 2¢. :p
     
  11. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Yes they should, for any connectionless protocol. A rule to allow inbound TCP (for a browser) suggests a packet filter unable to keep track of TCP connections.

    It depends on your firewall. Do you have DNS service (in services.msc) enabled? If so, as suggested, try limiting FF to TCP, outbound only. If it breaks, then you're using a stateless firewall.
    But even if a firewall is stateful, if the DNS service is disabled, then FF will make its own lookups (over UDP), so that may explain a need for such an open rule.
     
  12. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    520
    Thanks for the suggestions:) . I will try outbound only rules for browsers. I have also created a thread in bitdefender forum. Let's see what I can get from them.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Nick:

    I suggest the orginal poster read and study Stems thread:

    https://www.wilderssecurity.com/showthread.php?t=142036

    UDP is without direction BUT we are attempting to limit incoming packets to ONLY those we have requested.

    Have a look at the stickies rules for Browsers again:cool:
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    In my opinion, based on Paranoid/Stem thread, and Paranoid guide to secure Outpost and CrazyM rules, inbound connection not needed. Because whether it's DNS by svchost, or application rules (DNS client service off), computer establishes outbound connection, and the DNS server's incoming UDP replies follow on that connection.
    DNS server is not connecting to the computer.
    I still think it's something installed within the browser which causes automatic rule to permit inbound connection.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    It could be! Those stickies of Paranoid and Stem are great references!
    wonder what he could have going on with that browser?
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
  17. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    520
    Bitdefender firewall doesn't seem to remember the custom settingso_O . After I set outbound only rules for browsers it reverted back to both direction (default) settings. There are tests to analyse firewall for outbound connections. Is there any test that test inbound security using our browser? I think pcflank has such a test. I have to check that site. I cannot use GRC as only my modem firewall can be tested with it.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks, I was there in the past with these presets that outpost generates for you if the user doesn't disable the updates to rules.

    I went through mine 1 by 1 removed ALL allowed incoming. Some products have hidden hard coded in/outs. But lets not go down that path. The only way to stop that is don't use the product OR block their ip/web sites.

    The gurus there indicate that they find these presets too loose for most of us tweaker people (me)

    When we install add ins knowingly or by error they then to some extent they seem to bypass our rules. Don't like that much.
     
Loading...
Thread Status:
Not open for further replies.