Difference in Firewall Configuration

What security (if any) am I giving up by selecting Custom:

Allow TCP Out from MAC Any to MAC Any Where Source Port is Any and Destination Port is Any

instead of the predefined:

Web Browser

I’m getting CPU spikes from Firefox 4.0 Beta 11. I had my settings set to Web Browser and I’m trying to troubleshoot the problem. I’m suspecting that Firefox is trying to do something and is being blocked by CIS. I changed my settings to Custom to see if the spikes go away. There are no Firefox blocks being reported in my CIS logs, so this may not be the case.

You won’t be losing anything by using custom rules; the only thing you will have to do, if required, is recreate each rule manually.

Personally, I’ve been using nightly builds of firefox for a long time (currently 4.0b12pre) and my rules for the browser are really simple:

Allow UDP out to my router port 53 (DNS)
Allow TCP out All port 80
Allow TCP out All port 443
Allow TCP out any port
Block and log

I don’t use the browser for FTP and any non-standard port requirements will show in the logs.

You will also need rules for the plug-in container. Unfortunately, these might be a little more problematic, as web sites that require fx plug-ins don’t all use the same ports. At the least, you’ll probably have to add:

Allow UDP out port 53 (DNS)
Allow TCP out to port 1935

You’ll more than likely need rules for TCP out to port 80 and 443. If you add an ‘Ask and log’ rule, you’ll soon find out if any additional ports are needed.

With regard to the CPU spikes, I know you didn’t have much luck in the builds forum and it’s not something I’ve really had a problem with. The only time I see any additional CPU activity, is when a plug-in loads but it doesn’t last long.

When you created a new profile, did you disable DirectWrite and HW acceleration? If you type about:support in the URL bar, the information at the bottom of the page identifies your current graphics set-up. On the subject of graphics, are you using Intel, Nvidia or ATI, and which drivers?

Another possibility is that it’s one of the other components of CIS (D+, sandbox, AV) that’s causing the problem. I only use the firewall.
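An added example, not code from the thread or from CIS: a small first-match evaluator in Python for the ordered browser rule list posted above, to show which rule a given outbound connection hits, and so what still reaches the ‘Block and log’ rule once ‘Allow TCP out any port’ sits above it. It assumes top-down, first-match evaluation and uses a constructed router address; both are assumptions, not taken from the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROUTER_IP = "192.168.1.1"  # constructed placeholder for "my router"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    proto: Optional[str]      # "tcp", "udp", or None = any protocol
    dst_ip: Optional[str]     # None = any destination address
    dst_port: Optional[int]   # None = any destination port
    log: bool = False
    name: str = ""

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst_ip is None or self.dst_ip == dst_ip)
                and (self.dst_port is None or self.dst_port == dst_port))


# The browser rule set from the reply above, in the order it was given.
BROWSER_RULES: List[Rule] = [
    Rule("allow", "udp", ROUTER_IP, 53, name="DNS to router"),
    Rule("allow", "tcp", None, 80, name="HTTP"),
    Rule("allow", "tcp", None, 443, name="HTTPS"),
    Rule("allow", "tcp", None, None, name="TCP any port"),
    Rule("block", None, None, None, log=True, name="block and log"),
]


def evaluate(rules: List[Rule], proto: str, dst_ip: str,
             dst_port: int) -> Tuple[str, bool, Optional[str]]:
    """First matching rule wins (assumed top-down evaluation).
    Returns (action, logged, rule name); ("none", False, None) when no
    rule matches, since the thread does not say what CIS does then."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action, rule.log, rule.name
    return "none", False, None


def logged_protocols(rules: List[Rule], probe_port: int = 21) -> List[str]:
    """Which of tcp/udp would still reach a logging rule on an arbitrary
    port (constructed probe: an off-list destination on a non-web port)."""
    return [p for p in ("tcp", "udp")
            if evaluate(rules, p, "203.0.113.5", probe_port)[1]]


if __name__ == "__main__":
    for conn in [("udp", ROUTER_IP, 53), ("tcp", "203.0.113.5", 443),
                 ("tcp", "203.0.113.5", 21), ("udp", "8.8.8.8", 53)]:
        print(conn, "->", evaluate(BROWSER_RULES, *conn))
    print("protocols that still get logged:", logged_protocols(BROWSER_RULES))
```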

I had DirectWrite disabled but left HW acceleration enabled. I also tried it with it disabled but the results were the same. I have NVidia as graphics and am using an AMD processor.

FF Board link: FF 4.0b9, 10 and 11 CPU Spikes • mozillaZine Forums

FF Bugzilla link: 633674 - FF 4.0b9, 10 and 11 CPU Spikes

I’ve had no luck with either one of the above. It got me thinking about CIS, so I removed FF from the Firewall Network Security Policy (it was entered as Web Browser) and let CIS ask me for permission again. This time I just answered with Allow when prompted. It only prompted once on FF launch. If this cures my woes, I’ll consider your settings as a followup. I use Total Commander as my FTP client, so I won’t need to worry about those settings. Thanks for the help!

Did the CPU spikes coincide with any particular changes to your system, graphics card driver updates, for example?

No, nothing has changed for a long time. It all started with FF 4.0b9. Previous betas worked fine. BTW, soon after my last post, I got another spike! I guess it wasn’t my firewall settings after all. This really has me puzzled. I’m not too worried unless it carries over to the final release of FF 4.0. If it does, I’ll have to switch over to Mozilla SeaMonkey for my browser. I don’t want to, I really like Firefox. I’m out of guesses. I hope beta 12 will have it cured.

For what it’s worth, it may be worthwhile taking a look at the change logs for Beta 9; maybe something will ‘spring to mind’.

Mozilla Firefox 4 Beta Release Notes
complete changelist from the previous beta