Closed Bug 1136772 Opened 10 years ago Closed 10 years ago

Suddenly Windows 7 firewall is blocking Firefox 36.0 on our network

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
36 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox36 + wontfix
firefox37 + disabled
firefox38 + disabled
firefox39 + disabled
firefox40 + disabled

People

(Reporter: steven.kislowski1, Unassigned)

References

Details

Attachments

(1 file, 2 obsolete files)

screenshot
247.80 KB, image/png
Details
Attached file FFWFW.docx (obsolete) —
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0 Build ID: 20150108202552 Steps to reproduce: Launch Firefox version 36.0 Actual results: Windows 7 Firewall Blocked the application Expected results: Opened without the firewall blocking it.
Sounds like the fix for bug 1090535 didn't fix all possible cases.
Blocks: 1090535
Status: UNCONFIRMED → NEW
Component: Untriaged → General
Ever confirmed: true
(Thanks for the bug report, Steven!)
Brian, what do you think of adding Domain networks to the exception as well?
Flags: needinfo?(netzen)
Firefox 36 setup is no longer creating the firewall rules during installation. Instead Firefox 36 (at least on a Win 7 thats joined to a domain) creates 4 rules on its first startup: UDP and TCP, each one for the private and the domain profile. This is bad news for standard users, they have no permission to add firewall rules. Firefox 35.0.1 setup created just the rules for private network but even when started while configured for the domain profile there is NO Windows firewall prompt. If those inbound rules are only required for "Hello" it would be great if we just could turn that feature off during setup when its not used at all. No firewall rules required then. Another issue: when uninstalling Firefox 36, one rule (private, TCP) is not removed.
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #3) > Brian, what do you think of adding Domain networks to the exception as well? Possibly? Sorry, I don't know off hand without testing it more.
Flags: needinfo?(netzen)
Forgive me, but do these threads mean that a revision is in the works?
[Tracking Requested - why for this release]: Nominating for tracking since there have been quite a few reports of this.
tracking-firefox36: --- → ?
When the network location (Private, Public, or Domain) is changed and no firewall rules are registered yet for the new network location, Windows Firewall dialog will pop up.
Firefox installer will only add a firewall rule for the Private network. If the user launched Firefox on a Public network location (e.g. public WiFi), the Firewall dialog will pop up. We can add a disabled firewall rule to suppress the Firewall dialog if the user does not have an Administrator privilege or if we think we shouldn't punch a hole on Public network locations.
Let's ask someone on the security team to evaluate this. Dan, could you or someone on the security team provide guidance regarding adding a windows firewall allow exception for Public and Domain networks?
Flags: needinfo?(dveditz)
Sorry if this has already been discussed elsewhere, but could the opening of this port be delayed until the first use of whatever feature needs it?
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #10) > Dan, could you or someone on the security team provide guidance regarding > adding a windows firewall allow exception for Public and Domain networks? It's not clear to me what kind of guidance you are asking for here. What are the possible downsides here as you see them? (In reply to David Major [:dmajor] (UTC+13) from comment #11) > Sorry if this has already been discussed elsewhere, but could the opening of > this port be delayed until the first use of whatever feature needs it? The feature that needs this is detecting whether Roku devices exist on the network, to determine whether we should offer to mirror tabs/videos to them. So we can't really delay opening of the port. Bug 1087793 is probably the ideal solution here, if it is workable.
(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #12) > (In reply to Robert Strong [:rstrong] (use needinfo to contact me) from > comment #10) > > Dan, could you or someone on the security team provide guidance regarding > > adding a windows firewall allow exception for Public and Domain networks? > > It's not clear to me what kind of guidance you are asking for here. What are > the possible downsides here as you see them? It has to do with whether or not Firefox should trust Public or Domain networks regarding the Firewall allow exception. See for further info http://windows.microsoft.com/en-us/windows/choosing-network-location#1TC=windows-7
For further clarification, I went with the safest allow exception security wise which is to only add the exception for Private networks. Also, the Private network is the one mentioned in the roku docs and I was unable to find mention of Public or Domain networks though there might very well be roku docs for them as well. If we are to also add allow exception for either Domain or Public networks I would want someone from the security team to ok it. As for creating deny exceptions for Public and Domain, I have no problem from a security perspective with going with that approach.
Regression, tracking.
status-firefox36: --- → affected
tracking-firefox36: ?+
Summary: Suddenly Windows 7 firewall is blocking Firefox 36.0 on our network, Anyone else having this issue? → Suddenly Windows 7 firewall is blocking Firefox 36.0 on our network
For what it's worth, there is some pertinent considerations regarding this bug in the comments section for this one : https://bugzilla.mozilla.org/show_bug.cgi?id=1111967 I mentioned it on that bugzilla post, and I'll mention it again here. Having this sort of functionality on by default seems like it's poking holes in, and compromising security for some users, especially those who are unfamiliar with the potential risks of SSDP and UPnP. Having this functionality off by default, and a simple button to enable might provide more security by default for users who have no use for this functionality.
Robert, do you have plans to work on this for 36.0.1 or is it something for 37? Thanks
Flags: needinfo?(robert.strong.bugs)
(In reply to Sylvestre Ledru [:sylvestre] from comment #17) > Robert, do you have plans to work on this for 36.0.1 or is it something for > 37? Thanks A decision still needs to be made about the approach to take so Firefox 37
Flags: needinfo?(robert.strong.bugs)
OK. Wontfix for 36 then. Thanks
status-firefox36: affectedwontfix
status-firefox37: --- → affected
tracking-firefox37: --- → +
Attached image screenshot
Attachment #8573617 - Attachment is obsolete: true
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #10) > Dan, could you or someone on the security team provide guidance regarding > adding a windows firewall allow exception for Public and Domain networks? We should not add allow rules on the public network, and probably not on the domain network either unless we can justify this as an enterprise type feature (doesn't seem like it). Adding explicit deny rules would be nice so we stop alarming people or, worse, nagging them through the windows popups into adding an unsafe allow rule on public networks.
Flags: needinfo?(dveditz)
Severity: normal → major
Whiteboard: Hello,Forgive me, and I really appreciate the attention the team has given to this matter. I am not a developer but a software deployment administrator for an enterprise network. Our users can not create the exception for the firewall as they are not ad…
Version: 35 Branch → 36 Branch
Whiteboard: Hello,Forgive me, and I really appreciate the attention the team has given to this matter. I am not a developer but a software deployment administrator for an enterprise network. Our users can not create the exception for the firewall as they are not ad… → Could someone please summarize the what is causing the issue and why suddenly in version 36.0? also what the course of action is to remedy the problem?
Whiteboard: Could someone please summarize the what is causing the issue and why suddenly in version 36.0? also what the course of action is to remedy the problem? → Hello, Fogive me, I really appreciate the attention tha team has given this matter. I am not a developer but an Enterprise software deployment administrator for our network. Our users can not create the firewall expception as the are not administrators.…
Whiteboard: , I really appreciate the attention tha team has given this matter. I am not a developer but an Enterprise software deployment administrator for our network. Our users can not create the firewall expception as the are not administrators. Hence problem? → , I really appreciate the attention thr team has given this matter. I am not a developer but an Enterprise software deployment administrator for our network. Our users can not create the firewall expception as the are not administrators. Hence problem?…
Please put comments on the bug into comments and not the whiteboard. For getting help with issues as a user, please go to https://support.mozilla.org/
Whiteboard: Hello, Fogive me, I really appreciate the attention thr team has given this matter. I am not a developer but an Enterprise software deployment administrator for our network. Our users can not create the firewall expception as the are not administrators.…
The regression history in this bug has not been spelled out very clearly, so I think it was fine to ask for a summary. It will also help others who come across this bug. This started in version 36 due to the video device discovery feature added in bug 1054959. The FF installer adds a firewall rule to allow those connections through Private networks without prompting. On a Public network the prompt still comes up. If I understand correctly, you can say no to the prompt and the rest of FF will continue to work. There is currently a proposal to have the installer add deny rules for Public networks to silence the prompt.
Adding rules to the firewall, without the users knowledge, really shouldn't be allowed under any circumstances. Moreover, if the prompt is due to the Roku thing, it should be disabled by default and a UI option added to enable. - Bug 1111967.
We're definitely getting some bad press via social networks relating to this: Example: https://twitter.com/TimSweeneyEpic/status/574642590450081794 Seems like some people are assuming we are automatically opening ports for WebRTC which doesn't sit well with some users. Is there anything else we can do differently rather than prompting users/automatically opening ports via install? Maybe we can add some kind of UI that users with Roku can use which will setup Roku and open all the needed ports? Not sure what the current process to setup Roku is but I agree that automatically opening ports for a small subset of users isn't the best route.
> Maybe we can add some kind of UI that users with Roku can use which > will setup Roku and open all the needed ports? Ahh, comment #25 mentions Bug # 1111967 which is addressing the UI portion of the problem.
Flags: firefox-backlog?
I have a Win7 computer on my network where I just saw this bug. This network is "new-ish" (I changed SSID/pass last month), but it's marked on Windows as a "Home network". So it appears the Firewall request popped up asking to allow FF for Public networks, even though I'm connected in a Home network. Also, it popped up at an apparently random moment. It wasn't immediatelly after an update, and it was while FF was running. I don't think any webpage triggered WebRTC or something. Only two tabs were open, one at gmail and one at a newspaper webpage.
This should no longer be an issue for 37 or 38 now that bug 1142521 has landed on both branches.
status-firefox37: affecteddisabled
status-firefox38: affecteddisabled
I'm not convinced this is a bug. You _can_ Cancel the Windows Security Alert and proceed to use Firefox with no apparent limitations. By default, the stateful Windows Firewall allows all outbound connections, and passes inbound connections for which there is a matching outbound request. However, I think the Firefox installer should offer a detailed explanation why it wants to explicitly allow all inbound UDP/TCP traffic to the browser and offer a way to opt-out / decline. We will need options to disable this during deployment in future ESR versions (lockPref / mozilla.cfg?). To the OP: this "bug" is one example why you should deploy ESR versions in enterprise environments. See https://www.mozilla.org/en-US/firefox/organizations/
> ...the Firefox installer should offer a detailed explanation > why it wants to explicitly allow all inbound UDP/TCP traffic to the browser more precisely: "all non-public inbound UDP/TCP traffic"
Looks like this is turned off for 39 as well, from it landing on mozilla-central several weeks ago in bug 1142521. Are users on any Firefox version from 37+ still seeing this behavior? Ronald, are you seeing it and if so, on which version? Gavin, if this is disabled in 37+, should this bug be closed?
status-firefox39: affecteddisabled
status-firefox40: --- → ?
tracking-firefox40: --- → +
Flags: needinfo?(ron)
Flags: needinfo?(gavin.sharp)
> Ronald, are you seeing it and if so, on which version? After installing 36.0.1 several weeks ago, at first run a Windows Security Alert appeared. It stated that Windows Firewall had blocked _some_ features of the program and asked to create firewall exceptions (add rules). Upon canceling the alert, rules/exceptions were created in a disabled state with no apparent problems; basic browsing tasks functioned as expected. A Windows Security Alert no longer appears at first run--tested versions 36.0, 36.0.1 and 37.0.1. The installer now silently creates inbound rules/exceptions in the Private profile.
Flags: needinfo?(ron)
I suppose so.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(gavin.sharp)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: