How to add ABE exception for LOCAL?

Re: How to add ABE exception for LOCAL?

by barbaz » Tue Dec 12, 2017 3:15 pm

Re: How to add ABE exception for LOCAL?

by bafio » Tue Dec 12, 2017 1:57 pm

https://imgur.com/a/cIxcV

I have tried adding the following rules in SYSTEM

Code: Select all

Site controller.access.network/101/portal/
Accept from SELF+
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

It's not working.

Re: How to add ABE exception for LOCAL?

by barbaz » Thu Jan 05, 2017 5:36 pm

@Pow_2k: That is a NoScript bug and a different issue. viewtopic.php?f=10&t=22314

Re: How to add ABE exception for LOCAL?

by Pow_2k » Thu Jan 05, 2017 2:10 pm

barbaz wrote: Does that help?
Barbaz, I went and created an account just so I could reply and say yes, this helps immensely. (Also, thanks to those who had provided earlier clues but barbaz provided a concise solution AND explained why it gets entered that way.) I had been in situations similar to xheralt's previously and couldn't figure it out, so disabling ABE temporarily to get past the issue was the solution I used. Suddenly this week I've run into ABE blocking when trying to access a resource in my corporate LAN.

Code: Select all

[ABE] < LOCAL> Deny on {GET http://somehost:8410/ui <<< http://somehost:8410/, moz-nullprincipal:{b22da868-f242-41c9-b93d-007297b56933} - 6}

SYSTEM rule:

Site LOCAL
Accept from LOCAL
Deny

Since this is all dealing with a single host I don't understand why ABE is denying it. But, at least I now know how to add an exception rule for this single host and still have protection elsewhere. Now to make this the top hit in web searches for "abe local deny"...

Re: How to add ABE exception for LOCAL?

by barbaz » Sat Oct 08, 2016 9:47 pm

xheralt wrote:My www access is sporadic and depends on public wifi, which is why it's taken me this long to respond.

There was another go-round before that; the thread was either locked or deleted.
Ah, thanks. Yeah, that must be it, one Mod used to delete "go-round" type threads here. He's no longer forum staff and we don't delete such threads anymore.
xheralt wrote:So you've saved me from having to ask "what next"? :)
I just remembered, I might be able to save you something else too. I actually happen to have an exception in my own SYSTEM ruleset for the same type of access point as you encountered in the other thread. Maybe having that in full could help in this case.

Here is my entire SYSTEM ruleset (WiFi access point name obscured) -

Code: Select all

# ******* WiFi haxx
Site .nnu.com
Accept

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

How did I figure out what to put in? Well, all public WiFi access point exceptions work the same way:
1) Check the Browser Console (Ctrl-Shift-J) for a message like this - https://noscript.net/abe/users.html
2) Plug in the blocked sites (site1.com site2.com site3.com) at the very top of the SYSTEM ruleset, in this form

Code: Select all

Site .site1.com .site2.com .site3.com
Accept

Or if IP addresses, skip the leading dot:

Code: Select all

Site 10.0.0.1 1.1.1.1
Accept

3) You're done. Enjoy the Internet.

Still seem "guru-y" to you? Let's de-mystify it then.

So, you're looking at the console message. See where it says MATCHING_SITE and ORIGIN1[, ORIGIN2, ...], ORIGINAL_ORIGIN in Giorgio's example? Those will be the sites that you pull out of the console message for the exception. If you see any of those beginning with chrome:, ignore that one, it will be automatically taken care of.

Then, the next trick is to make sure to combine *all* matching domains on the *same* Site line. For my access point, it was a couple different subdomains of nnu.com, which made that easy (note the leading dot in the ruleset). In your case here, perhaps just 10.0.0.1? Each different site is separated by a single whitespace.

Finally, as said, these public Wi-Fi access point exceptions are always the same template as how I did it above. So just plug in your site(s) and you should be good. If that doesn't cut it, try again because you may have another site to add to your Site line. Once it works, you're done.

There, that cuts through all the guru-y stuff a bit, doesn't it? Now just plug in your sites and enjoy your WiFi. :)

Does that help?
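
The steps in the post above, written out as an added example (not part of barbaz's post and not NoScript code): it pulls the request URL and origins out of ABE console lines shaped like the one quoted in this thread, builds a single Site/Accept rule, and places it at the top of the SYSTEM ruleset. The function names, the sample log lines and the host portal.wifi.example are constructed, and skipping every non-http(s) entry is an assumption that extends the post's advice about chrome: entries.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Shape of the console line quoted in this thread:
# [ABE] <RULE> Deny on {METHOD URL <<< ORIGIN1, ORIGIN2 - TYPE}
ABE_LINE = re.compile(
    r"\[ABE\]\s*<[^>]*>\s*Deny on \{(\S+)\s+(\S+)\s+<<<\s+(.*)\s+-\s+\d+\}")

# Constructed sample lines (not captured from a real session).
SAMPLE_LOG = [
    "[ABE] <LOCAL> Deny on {GET http://10.0.0.1:8000/index.php <<< "
    "http://portal.wifi.example/start, chrome://browser/content/browser.xul - 6}",
    "[ABE] <LOCAL> Deny on {GET http://10.0.0.1:8000/accept <<< "
    "http://10.0.0.1:8000/index.php - 6}",
]
DEFAULT_SYSTEM = ("# Prevent Internet sites from requesting LAN resources.\n"
                  "Site LOCAL\nAccept from LOCAL\nDeny\n")

def site_token(url):
    """Site-line token for one URL, or None when there is no site to list."""
    parts = urlsplit(url)
    # Assumption: non-http(s) entries (chrome:, moz-nullprincipal:) are skipped.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        ipaddress.ip_address(parts.hostname)
        return parts.hostname          # IP address: no leading dot
    except ValueError:
        return "." + parts.hostname    # domain name: leading dot

def exception_rule(console_lines):
    """One 'Site ... / Accept' rule with every blocked site on the same line."""
    tokens = []
    for line in console_lines:
        match = ABE_LINE.search(line)
        urls = [match.group(2)] + match.group(3).split(",") if match else []
        for url in urls:
            token = site_token(url.strip())
            if token and token not in tokens:
                tokens.append(token)
    return "Site " + " ".join(tokens) + "\nAccept\n" if tokens else ""

def prepend_to_system(ruleset, rule):
    """Put the complete rule at the very top, above 'Site LOCAL'."""
    return rule + "\n" + ruleset if rule else ruleset

if __name__ == "__main__":
    print(prepend_to_system(DEFAULT_SYSTEM, exception_rule(SAMPLE_LOG)))
```

The dotted token uses each hostname exactly as logged; collapsing several subdomains to a shared parent such as .nnu.com remains a manual step.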

Re: How to add ABE exception for LOCAL?

by xheralt » Sat Oct 08, 2016 8:21 pm

barbaz wrote:
xheralt wrote:Okay, I had this issue some years ago, and received a very unsatisfactory response from the forum, which I will paraphrase as "Oh, you just write an exception for it the same way you would for any firewall rule...".
xheralt, your only other posts on this forum that were replied to are in viewtopic.php?f=23&t=2115. Tell me, which response from that thread are you paraphrasing?
My www access is sporadic and depends on public wifi, which is why it's taken me this long to respond.

There was another go-round before that; the thread was either locked or deleted. With forum search being (semi)broken, I wasn't able to locate the thread you cited, thank you for locating it. As I recall, I ended up not going to that particular coffee shop, so I never needed to even try implementing the suggested solution. Until the circumstance recurred now at a different place. I'll try that. In the meantime, I tried this:

Code: Select all

# Prevent Internet sites from requesting LAN resources.
Accept from http://10.0.0.1
Site LOCAL
Accept from LOCAL
Deny

Which results in the error: line 2:0 missing EOF at 'Accept'. So you've saved me from having to ask "what next"? :)

Re: How to add ABE exception for LOCAL?

by barbaz » Sat Oct 01, 2016 3:13 am

xheralt wrote:Okay, I had this issue some years ago, and received a very unsatisfactory response from the forum, which I will paraphrase as "Oh, you just write an exception for it the same way you would for any firewall rule...".
xheralt, your only other posts on this forum that were replied to are in viewtopic.php?f=23&t=2115. Tell me, which response from that thread are you paraphrasing?

Re: How to add ABE exception for LOCAL?

by xheralt » Sat Oct 01, 2016 1:33 am

Okay, I had this issue some years ago, and received a very unsatisfactory response from the forum, which I will paraphrase as "Oh, you just write an exception for it the same way you would for any firewall rule...". The point of course is that I don't write firewall rules for a living, nor for fun, and I shouldn't have to be that level of guru simply to use a product, even a FREE (as in beer) product.

After that response, you understand, I just said "fsck this sh*t" and have been routinely disabling ABE since. In the growing sophistication of cyberattacks, this was never entirely wise, and becoming less so as time passes.

The above response in this thread "You have to know what site is being rejected, and what error message is being generated" brought this sort of "helpfulness" to mind. The first part is, the user KNOWS what site is being rejected, even if not stated, and can plug that into a properly-presented example, e.g. in the form of "ALLOW %your_site_here%".

The second part of that statement is also BS. I find it hard to believe a self-styled (or actual) NoScript guru wouldn't know what a standard ABE "%wifi_hosting_site_%/?redir=%your_home_page% blocked by rule <LOCAL> DENY" error message looks like. Because it IS the very standard response. How does repeating back this fairly obvious notification change anything about how to solve it? Because ABE is acting precisely as designed, if not as desired. Demanding (and getting) specifics is not strictly necessary to the solution, and just adds an additional exchange of forum comments.

TL;DR - Here's my situation (one I'm sure shared by or similar to others): Public WiFi for a local coffee-shop chain originates from a page at 10.0.0.1:8000 (a private net common to the various locations within the city) that has a standard "Click to accept our terms of usage" page when one first connects. The sort of thing where Windows tells you "Action required to connect. Open Browser now?"

The URL being DENIED therefore looks like this: http://10.0.0.1:8000/index.php?redirurl ... e_site.net. Other locations of the chain use different port#'s (8001, 8010, etc.).

So, I'm giving solving this a second try. This seems to crop up often enough, maybe it should be in the FAQ? "ABE is preventing me from accessing Public WiFi" would be an eye-catching title.

Given how friggin' context-sensitive firewall rules are (or seem to be), it is EQUALLY important to tell a novice (like me) WHERE EXACTLY to PUT said statement. It is only through indirect context in this thread (not specific instruction) that I've now learned that one has to put such an exception BEFORE the initial "ALLOW" in System Rules!

I'm going to have to wait an hour before my current session expires (said coffeeshop grants its free access in one-hour blocks) to test the next attempt to write an exception.

Re: How to add ABE exception for LOCAL?

by johnscript » Sun Mar 06, 2016 8:55 am

-100, for that matter.

Re: How to add ABE exception for LOCAL?

by barbaz » Sat Feb 06, 2016 10:21 pm

Lucas Malor wrote:Maybe ABE could use WebRTC to know local IP address:

Not only does NoScript not need a user's local IP address for anything, like yes_noscript said many NS users will have WebRTC disabled (if they have WebRTC at all) especially given its security history. Requiring WebRTC in NoScript, especially for dubious reasons, would be outright hypocrisy.
-1

Re: How to add ABE exception for LOCAL?

by yes_noscript » Sat Feb 06, 2016 9:33 pm

No, I'm against that idea-
WebRTC is a really bad thing!

And I'm happy Pale Moon didn't include this crap. So I hope this doesn't get implemented in NoScript.

Re: How to add ABE exception for LOCAL?

by Lucas Malor » Sat Feb 06, 2016 8:29 pm

Thank you for the explanation. So it could be a bug. I recall that no GUI alert was displayed.

Maybe ABE could use WebRTC to know local IP address:
http://stackoverflow.com/a/26850789/1763602

Re: How to add ABE exception for LOCAL?

by barbaz » Fri Feb 05, 2016 11:39 pm

Because some LOCAL subnets may not actually contain any local IPs (specifics will vary between users/networks). For example, you use the 172.27.102.* subnet; assuming that 172.27.* is the only private IP range you use, IPs in the 192.168.10.* subnet are not local for you despite that being a LOCAL subnet.

Re: How to add ABE exception for LOCAL?

by Lucas Malor » Fri Feb 05, 2016 10:23 pm

So why does he write about "subnets" and not "IPs"?

Re: How to add ABE exception for LOCAL?

by barbaz » Fri Feb 05, 2016 9:21 pm

It says that LOCAL "matches *all* the LAN subnets (possibly configurable) and localhost" (emphasis mine). NoScript doesn't need to know which specific subnet you are on in order to do that.
