That's exactly the misconception I've pointed out: Your firewall does not protect you, as the connection is not established by the remote attacker, but by your Web browser. This should work with any browser that has Flash installed. It does not work without Flash (e.g., with Javascript), as Javascript applies the same-origin policy to the request, instead of the response.