
Hack 16. Fine-Tune Ports and Sockets

You can configure Firefox network access down to the last detail if you want.

This hack explains how to chop off pieces of network access at the back end of the Firefox browser. This is done with preferences. Doing so is a useful defense against web content that tries to make the browser connect where it shouldn't, but it offers only weak security against user tampering, because in the normal case users can undo network-access changes via the about:config system. There is a way to serve these preferences up more securely using a server [Hack #29]. You can also configure proxy arrangements [Hack #15].

2.7.1. Disallow Ports

Firefox decides whether a URL may name a given port using a multi-tiered system. From highest to lowest priority, these are the rules:

  1. Allow a port that the scheme's own protocol handler vouches for, even if it is banned for everything else. Here's the current list of scheme-specific exceptions:

    389, 636 (LDAP), 70 (gopher), 21, 22 (FTP), 79 (finger), 13 (datetime)

    So ldap://host:389/ is fine, but http://host:389/ is refused. DNS needs no such exception: name lookups go through the operating system's resolver, never through a URL port, so port 53 simply sits on the built-in ban list (rule 4).

  2. Allow all ports specified in Firefox's override list (a whitelist). You can indicate these ports by setting the following preference to a string containing a comma-separated list of port numbers that should be allowed (do not use spaces). A port named here is allowed even if it is also named in the blacklist below:

    network.security.ports.banned.override /* unset by default */

  3. Disallow all ports specified in Firefox's blacklist. You can indicate these ports by setting the following preference to a string containing a comma-separated list of port numbers that should not be allowed (do not use spaces):

    network.security.ports.banned       /* unset by default */

  4. Disallow the ports on Firefox's built-in ban list. These are the well-known ports of services that are not web servers, such as SMTP (25), POP3 (110), NNTP (119), IMAP (143) and X11 (6000). The browser refuses them so that a web page cannot trick it into speaking HTTP at a mail or news daemon.

  5. Allow any port not covered by the other rules.
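To make the precedence concrete, here is an added example that models the decision above in JavaScript; it is not Firefox's own code. The built-in ban list is a representative subset of the real one (an assumption for this example; the real list is longer), the scheme exceptions are the ones from rule 1, and the sample preference values are constructed for the demonstration. It also accepts "low-high" ranges in the two preferences, which the text above does not mention.

```javascript
// Added example (not Firefox's own code): a model of the port-allow decision
// described in this hack, driven by network.security.ports.banned and
// network.security.ports.banned.override.

// Representative subset of Firefox's built-in ban list (assumption: the real
// list is longer). These are well-known ports of non-web services.
const BUILTIN_BANNED = [
  1, 7, 9, 13, 21, 22, 23, 25, 53, 79, 110, 119, 143, 389, 465, 636, 993, 995, 6000,
];

// Ports that a scheme's own protocol handler accepts even though they are
// banned for every other scheme (the exceptions listed in rule 1).
const HANDLER_ALLOWS = {
  ldap: [389, 636], gopher: [70], ftp: [21, 22], finger: [79], datetime: [13],
};

// Parse a preference value: comma-separated port numbers or "low-high" ranges,
// e.g. "8080,9000-9002". Entries that are not valid ports are skipped.
function parsePortList(value) {
  const ports = [];
  if (!value) return ports;
  for (const item of String(value).split(',')) {
    const m = /^\s*(\d{1,5})(?:-(\d{1,5}))?\s*$/.exec(item);
    if (!m) continue;
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo > 65535 || hi > 65535 || lo > hi) continue;
    for (let p = lo; p <= hi; p++) ports.push(p);
  }
  return ports;
}

// Build the effective ban set: built-in list, plus the banned preference, minus
// the override preference. Override is applied last, so it wins even for a port
// named in both preferences.
function restrictedPorts(prefs) {
  const banned = new Set(BUILTIN_BANNED);
  for (const p of parsePortList(prefs['network.security.ports.banned'])) banned.add(p);
  for (const p of parsePortList(prefs['network.security.ports.banned.override'])) banned.delete(p);
  return banned;
}

// Decide whether a URL with this scheme and explicit port may connect.
// A port of -1 means "the scheme's default port", which is always allowed.
function allowPort(prefs, scheme, port) {
  if (port === -1) return true;
  if (!restrictedPorts(prefs).has(port)) return true;
  const exceptions = HANDLER_ALLOWS[String(scheme).toLowerCase()] || [];
  return exceptions.includes(port);
}

// Constructed sample configuration: ban an IRC port range and 8080, but re-open
// SMTP and 8080 via the override (override beats both ban sources).
const samplePrefs = {
  'network.security.ports.banned': '6667-6669,8080',
  'network.security.ports.banned.override': '25,8080',
};

// Quick self-check when run directly with node.
console.log([
  ['http', 80, allowPort(samplePrefs, 'http', 80)],     // true: never banned
  ['http', 25, allowPort(samplePrefs, 'http', 25)],     // true: override re-opens it
  ['http', 110, allowPort(samplePrefs, 'http', 110)],   // false: built-in ban
  ['http', 6668, allowPort(samplePrefs, 'http', 6668)], // false: banned preference
  ['http', 8080, allowPort(samplePrefs, 'http', 8080)], // true: override beats banned
  ['ldap', 389, allowPort(samplePrefs, 'ldap', 389)],   // true: handler exception
  ['http', 389, allowPort(samplePrefs, 'http', 389)],   // false: exception is per scheme
]);
```

The last two cases are the ones worth remembering when debugging a "port blocked" error: the exception for 389 belongs to the ldap: handler, so an http: URL on that port still needs an entry in network.security.ports.banned.override.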

2.7.2. Set Socket Limits

You can fine-tune the performance and use of sockets, but only for specific protocols. There are many configuration options for HTTP, just one option for FTP, and none for other protocols. For FTP, tweak the following preference for a slow connection, for a heavily loaded server, or for ancient-style point-to-point UUCP networks running over serial connections:

network.ftp.idleConnectionTimeout   /* 300 (secs) = default */

For HTTP, you can control the type, number, and aging behavior of the underlying sockets. You can also control which kind of socket is used by default.

Here's the preference for the default socket type:

network.http.default-socket-type  /* "socks", "socks4", "ssl", "starttls" */

The default, an empty string, specifies ordinary, unencrypted PF_INET, SOCK_STREAM sockets. That's the sensible value. The socks values wrap every plain HTTP connection in a SOCKS tunnel (the normal way to get that effect is the proxy configuration [Hack #15], not this preference), and ssl would try to negotiate TLS on every plain http: URL, which fails against any server that doesn't speak TLS on that port. The checkboxes in the Advanced panel of the Options dialog box just enable or disable these protocol alternatives; they don't change the default.

You can also set several hard maximums on the number of sockets. To set the limit for the Firefox client as a whole, use this preference:

network.http.max-connections              /* 24 = default */

To set the limit for each server the client connects to, use this preference:

network.http.max-connections-per-server   /* 8 = default */

That prevents the browser from flooding any particular server with connection requests.

A difficulty for web browsers and other programs that use short-lived TCP connections is that TCP is tuned for connections that move a lot of data. That isn't typical of an HTTP request. Every new connection pays for a three-way handshake and then starts in TCP's slow-start phase, sending only a little data until it has learned how much the path can carry. It's best, therefore, to keep a connection open and reuse it for later requests to avoid that overhead. These preferences ensure sockets hang around for a while after the browser has finished its first use of them:

network.http.keep-alive                   /* true = default */
network.http.keep-alive.timeout           /* 300 (secs) = default */
network.http.proxy.keepalive              /* true = default */

If sockets can be kept open, a browser can grab many of the connection slots a web server has to offer and sit on them. That's a denial-of-service attack on the web server, something that no friendly web browser should do. These preferences set high-water limits on how many idle, reusable sockets are kept per server (and per proxy):

network.http.max-persistent-connections-per-proxy  /* 2 = default */
network.http.max-persistent-connections-per-server /* 4 = default */
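The four knobs above (total connections, connections per server, keep-alive, and persistent connections kept per server) interact in a way that is easier to see by driving a client pool with the same settings. The following is an added example, not Firefox code: it uses Node.js's http.Agent as a stand-in for the Firefox connection pool, with Node's option names mapped to the Firefox preference names in the comments, and it talks to a throwaway loopback server constructed in the same script so it runs offline. The mapping of option to preference is an assumption of the example, not something the page states.

```javascript
// Added example (Node.js http.Agent standing in for the Firefox connection pool;
// not Firefox code). Option-to-preference mapping is this example's assumption:
//   maxTotalSockets   <-> network.http.max-connections
//   maxSockets        <-> network.http.max-connections-per-server
//   maxFreeSockets    <-> network.http.max-persistent-connections-per-server
//   keepAlive/timeout <-> network.http.keep-alive / keep-alive.timeout (ms here)

async function demo({ requests = 12, perServer = 4, idle = 2 } = {}) {
  // Dynamic import works whether this file is loaded as CommonJS or as an ES module.
  const http = await import('node:http');

  // Throwaway loopback server constructed for the demo. It counts distinct TCP
  // connections, which is exactly what a per-server cap is meant to limit.
  let connections = 0;
  const server = http.createServer((req, res) => res.end('ok'));
  server.on('connection', () => { connections += 1; });
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
  const { port } = server.address();

  const agent = new http.Agent({
    keepAlive: true,       // network.http.keep-alive = true
    timeout: 5000,         // idle socket lifetime, like keep-alive.timeout
    maxTotalSockets: 24,   // network.http.max-connections
    maxSockets: perServer, // network.http.max-connections-per-server
    maxFreeSockets: idle,  // network.http.max-persistent-connections-per-server
  });

  // Issue every request at once. The agent opens at most perServer sockets to
  // this origin, queues the rest, and reuses sockets as responses complete.
  const one = () => new Promise((resolve, reject) => {
    const req = http.request({ host: '127.0.0.1', port, path: '/', agent }, (res) => {
      res.resume();          // drain the body so the socket returns to the pool
      res.on('end', resolve);
    });
    req.on('error', reject);
    req.end();
  });
  await Promise.all(Array.from({ length: requests }, one));

  // After the burst only `idle` sockets survive in the free pool; the agent
  // closes the others rather than squatting on the server's connection slots.
  const idleKept = Object.values(agent.freeSockets).reduce((n, l) => n + l.length, 0);

  agent.destroy();
  await new Promise((resolve) => server.close(resolve));
  return { requests, connections, idleKept };
}

// Run the demonstration when executed directly: node keepalive-demo.js
demo().then((r) => console.log(r));
```

With the defaults above, twelve concurrent requests to one server open exactly four TCP connections, and once the burst is over only two idle sockets remain parked for reuse. Lowering perServer to 1 serializes everything over a single connection, which is the behaviour a tightly capped network.http.max-connections-per-server produces.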

Finally, this preference does nothing, so ignore it:

network.http.connect.timeout           /* socket startup time */
