Do browsers need inbound/incoming firewall rules?

back2themoon
Moon Magic practitioner
Posts: 2412
Joined: 2012-08-19, 20:32

Post by back2themoon » 2024-04-25, 11:24

I think I've asked about this in the past, but couldn't find the post.

So, I've noticed that upon installation all browsers I tried add Inbound rules to the Windows Firewall. The question is... why? Brave adds a single UDP Inbound rule (local port 5353) "to allow mDNS traffic". Firefox and Pale Moon add both TCP/UDP rules, no ports specified i.e. all ports.

After a brief search, I mostly encountered two types of answers:

a) Disable them: not required, perhaps even risky.
b) Needed for some non-standard connections/applications, related to chat/streaming/gaming etc. which perhaps Pale Moon doesn't support anyway. Firefox might even need these for telemetry-related connections.

I'm fairly certain these rules were not added by Pale Moon a few years back, but at some point this changed. After some quick tests, disabling them doesn't seem to affect anything.

Any thoughts? Are there potential security risks and what are these rules needed for, exactly? Thanks.

Pentium4User
Board Warrior
Posts: 1148
Joined: 2019-04-24, 09:38

Re: Do browsers need inbound/incoming firewall rules?

Post by Pentium4User » 2024-04-25, 11:32

mDNS is being done solely by the OS if an mDNS client is installed (Avahi on Linux, Bonjour on Windows).
I don't know why a browser should be able to receive mDNS traffic.
The profile picture shows my Maico EC30 E ceiling fan.

Moonchild
Pale Moon guru
Posts: 35753
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Do browsers need inbound/incoming firewall rules?

Post by Moonchild » 2024-04-25, 12:16

The only firewall rules created are those for the "private" profile, i.e. loopback connections. This would be necessary for some devtools usage and doesn't actually open it up to the outside. I haven't really looked in detail at when Mozilla added this because, since it's private use, there would not be a risk.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
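
Added example, not part of the thread and not code from Pale Moon or any browser vendor: a PowerShell audit that lists the inbound allow rules Windows Firewall holds for browser executables, with the profile, protocol and ports each rule covers, and then shows whether those browsers currently hold any listening sockets. The executable names in `$browserExes` are assumptions; adjust them to the browsers installed.

```powershell
# Added example: audit inbound allow rules registered for browser executables.
# Run in an elevated PowerShell session. Executable names are assumptions.
$browserExes = 'palemoon.exe', 'firefox.exe', 'brave.exe'

$rules = Get-NetFirewallRule -Direction Inbound -Action Allow | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    # Skip rules that are not bound to a specific program.
    if (-not $app.Program -or $app.Program -eq 'Any') { return }
    $exe = Split-Path -Leaf $app.Program
    if ($browserExes -notcontains $exe) { return }

    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Enabled       = $rule.Enabled
        Profile       = "$($rule.Profile)"          # Domain, Private, Public or Any
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','   # 'Any' means every port
        RemoteAddress = $addr.RemoteAddress -join ','
        # Worth a closer look: enabled, every port, and applied on Public networks.
        Review        = ($rule.Enabled -eq 'True') -and
                        (($port.LocalPort -join ',') -eq 'Any') -and
                        ("$($rule.Profile)" -match 'Any|Public')
        Program       = $app.Program
    }
}
$rules | Sort-Object Program, Protocol | Format-Table -AutoSize -Wrap

# A rule only matters if the process is actually listening. List the listening
# TCP sockets and bound UDP endpoints owned by running browser processes.
$names = $browserExes | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
$procs = Get-Process -Name $names -ErrorAction SilentlyContinue
$procIds = @($procs | Select-Object -ExpandProperty Id)

Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $procIds -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $procIds -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
```

A listening socket bound to `127.0.0.1` or `::1` is reachable only from the local machine regardless of the firewall rule. `Disable-NetFirewallRule -DisplayName '<name>'` turns a rule off without deleting it, so it can be re-enabled if something stops working.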
