We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox is hitting my firewall on port 80. What is trying to access the gateway/firewall?

  • 10 replies
  • 4 have this problem
  • 29 views
  • Last reply by nutx

more options

Linux firewall. When I start firefox, I get loc2fw reject logs on port 80. Is this normal behavior? Normally this would be associated with a virus attempting to access a standard router. After a clean system install I still get these hits on my firewall. I did use mozbackup to copy some setting over from another machine.

Linux firewall. When I start firefox, I get loc2fw reject logs on port 80. Is this normal behavior? Normally this would be associated with a virus attempting to access a standard router. After a clean system install I still get these hits on my firewall. I did use mozbackup to copy some setting over from another machine.

Chosen solution

Final note: This MozillaZine Post indicates that noscript uses secure.informaction.com to determine the WAN IP address, and that behavior can be disabled.

Read this answer in context 👍 0

All Replies (10)

more options

port 80 is just the standrad http port - so i suppose this is to be expected whenever you browse the web

more options

Not unless the browser is attempting to access my IP address on port 80, or attempting to access the router itself. All other http traffic is directed to the internet, and has no affect on the router itself. This only occurs on starting Firefox, or periodically if firefox is running. So it is not expected. There are trojans that attempt to access a routers web page configuration.

more options
more options

Your firewall is dropping a SYN packet or is forbidding an HTTP request? If you refuse to make a connection at all, you might never gather enough information to identify the intent of the communication.

more options

Thanks for the link. I have been trying to disable various things, but the issue does not happen regularly, so it will take some time. I will continue testing. Thanks for the link. I'm now monitoring with wireshark. Clearly the browser is sending a connection request to my internet IP address on port 80 and the firewall is rejecting it. Interesting that it is sending to the external IP and not the Gateway/router IP.

more options

Thanks for the suggestion of dropped SYN requests, which prompted me to setup a wireshark monitoring. It is definitely not a dropped SYN packet, rather the browser is sending a connection request to my external IP address on port 80 and the firewall is rejecting it with RST, ACK.

The first time it occurs is after a connection to secure.informaction.com. At the end of that conversation I receive "Encrypted Alert" sent to my browser (certificate problem?), followed by a disconnect from secure.informaction.com, then Firefox attempts to access my external IP on port 80 several times. Why my external IP? I'm not sure what Firefox is attempting to do.

more options

I have NoScript running. Disabling NoScript eliminates the problem. Seems it is accessing secure.informaction.com and having a problem. Still not exactly sure what is happening.

more options

I think the first packet in a TCP connection request is a SYN packet, so if you're sending RST immediately after getting that packet, you will never get to log the HTTP request that would be sent after the connection is set up, which would be useful to get. Perhaps a browser proxy such as Fiddler would allow you to capture that?

I associate the Informaction name with the author of the NoScript and FlashGot extensions. If you disable those extensions and restart Firefox, do you get the same connection attempt?

Edit: Our posts crossed, so you can ignore the second paragraph.

Modified by jscher2000 - Support Volunteer

more options

Chosen Solution

Final note: This MozillaZine Post indicates that noscript uses secure.informaction.com to determine the WAN IP address, and that behavior can be disabled.

more options

Thanks for your respones, and yes, the SYN packet is a request to connect, and the RST/ACK (reject) is the correct response from my router to a connect request (loc2fw) on port 80.

I initially investigated this problem because there might be some malicious software that attempts to access the config page on the router and redirect traffic. I'm assuming that the ABE feature of NoScript is checking the boundary?