ABE rule help needed

Discussions about the Application Boundaries Enforcer (ABE) module
SwissBIT
Posts: 8
Joined: Tue Feb 05, 2013 4:47 pm
Location: Switzerland

ABE rule help needed

Post by SwissBIT »

Hello

I hope somebody can help me with this task ...

- ABE blocks a connect(-try) with this message:

Die Anfrage {GET http://192.168.1.36:52199/Gizmo/mode.html <<< http://wr.jriver.com/libraryserver/connect, http://jriver.com/webgizmo.html?key=testkey - 6} wurde durch ABE gefiltert: <LOCAL> Deny

- The URL in browser is:

http://jriver.com/webgizmo.html?key=testkey

... with the "connect-source-code":

<form id="connect" action="http://wr.jriver.com/libraryserver/connect" method="post" onsubmit="storeValues()" >

- How then is the appropriate user-rule?

Many many thanks for help in advance!

Kind regards,

Norbert Schneider
Aka SwissBIT
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ABE rule help needed

Post by GµårÐïåñ »

Try the following:

SITE LOCAL
ACCEPT from 192.168.1.36:52199
DENY

This should take care of it assuming the port remains consistent; if not, then just drop the (:52199) and it should work.

Tell us how it goes.

PS. I forgot to mention, put this BEFORE the default SITE LOCAL rule in ABE else it will get blocked still. BUT, leave the original SITE LOCAL in play AFTER this rule to make sure you are still protected against other LOCAL attacks.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE rule help needed

Post by Thrawn »

@Guardian: Won't that cause all other local traffic to be blocked?

Shouldn't it be like this?

Site LOCAL
Accept from LOCAL
Accept from 192.168.1.36:52199
Deny
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ABE rule help needed

Post by GµårÐïåñ »

Yes, absolutely and of course it can be like that. I just prefer to not touch my failsafe net and add my exceptions separate from it. It's a long developed hacker/programmer/security sense to leave your most restrictive and failsafe rule/code ALONE to execute on its own and add your exceptions before that to ensure you don't accidentally poke holes in something. By keeping them separate you ensure that no matter how badly you mess up the rules, there is at least the failsafe that will be in place. That's all. It depends on the confidence level of the person and for us (you and me) who eat, sleep and code ABE, yeah it's a cake walk, but for the less experienced (deduced from the user asking for help) I figured, let's play it safe - barring any typos and so on from breaking everything completely.
Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ABE rule help needed

Post by Tom T. »

Thrawn wrote: @Guardian: Won't that cause all other local traffic to be blocked?
ABE FAQ has a number of examples in which Giorgio specifies putting the specific rule *above* the general, especially FAQ 8.3 - 8.9.
They tend to use 127.0.0.1, but I'd think ABE would recognize 192.168.x.x (router or LAN) as a LOCAL address.

Processing starts from the top down, so if a LOCAL request doesn't match the specific rule, ABE continues to look for a match. When it hits
Accept from LOCAL
it gets its match and applies the Accept command.

If I'm mistaken, please correct me.
Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ABE rule help needed

Post by GµårÐïåñ »

Oh I didn't even see that from thrawn, thank you Tom. No it will not block all traffic. It simply tells LOCAL which is being triggered by the private LAN Class C address space (also 10.0.0.0/8 and part of the 172. range) that this particular address and more specifically the port on that address is being granted pass from any rules that apply to the LOCAL space. Also, since the rule I provided is to be placed BEFORE the default that we have, it will only open up this address and restrict all else like it should. Hope that helps. Any NAT-ed route from LOCAL IPs to the internet will bypass this ABE rule by default as it should, so no it won't block everything.
Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE rule help needed

Post by Thrawn »

Well, the proof of the pudding is in the eating...and with Guardian's rule in place (correcting Allow to Accept), I can't browse to my router.

The suggested rules in the ABE FAQ do not specify Site LOCAL (all local requests), nor do they end in a global Deny. The combination of those two means that the only local traffic allowed will be from the one address whitelisted by this rule.

Also, isn't 192.168.1.36:52199 the destination of the blocked requests? In which case, the rule would be something like:

Site 192.168.1.36:52199
Accept from SELF .jriver.com
Deny
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE rule help needed

Post by Thrawn »

Tom T. wrote: Processing starts from the top down, so if a LOCAL request doesn't match the specific rule, ABE continues to look for a match. When it hits
Accept from LOCAL
it gets its match and applies the Accept command.

If I'm mistaken, please correct me.
The trouble is that Guardian's suggested rule ended in a global Deny, meaning that it will match *every* request going to any local address. Requests to LOCAL would not reach the built-in rule at all.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ABE rule help needed

Post by Tom T. »

Maybe it's better to keep them split, as Giorgio (and I) suggested: Put the specific site first, and note that Giorgio's examples do *not* end in a global deny.
The default SYSTEM rule follows, with the usual global deny. In plain English:

Site LOCAL
Accept from 192.168.1.36:52199

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
This rule allowed me to reach my router without any problems, even though that address above of course isn't the router's address.
Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
SwissBIT
Posts: 8
Joined: Tue Feb 05, 2013 4:47 pm
Location: Switzerland

Re: ABE rule help needed

Post by SwissBIT »

Hello

Thank you very much for your suggestions!

Unfortunately, all the combinations ...

--------------------------------------------------------
Site LOCAL
Accept from 192.168.1.36:52199

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
--------------------------------------------------------
Site LOCAL
Accept from 192.168.1.36

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
--------------------------------------------------------
Site LOCAL
Accept from 192.168.1.36:52199
Deny

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
--------------------------------------------------------
Site LOCAL
Accept from 192.168.1.36
Deny

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
--------------------------------------------------------

... are NOT successful. The ABE filter message is always the same as reported.

Hmm ...

Greetings!

Norbert Schneider
Aka SwissBIT
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
SwissBIT
Posts: 8
Joined: Tue Feb 05, 2013 4:47 pm
Location: Switzerland

Re: ABE rule help needed

Post by SwissBIT »

Okay,

with integrated rule from Thrawn, it works!
______________________________________________________
Site 192.168.1.36:52199
Accept from SELF .jriver.com
Deny

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
______________________________________________________

Is this okay and SAFE so?

Thanks,

Norbert Schneider
Aka SwissBIT
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: ABE rule help needed

Post by Thrawn »

SwissBIT wrote: Is this okay and SAFE so?
Yes, it's almost certainly safe. It allows jriver - which you presumably trust - to reach one specific port on one machine, which is a non-standard port and probably not used for anything except jriver's own service. Unless your router's administrative interface is listening on that port, you're probably fine :).
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
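
Added example (not part of any post in this thread and not NoScript's own code): a simplified JavaScript model of the evaluation order the posters describe, showing why the rule has to name the destination `192.168.1.36:52199` in `Site` and the requesting site in `from`. The functions `isLocal`, `matches`, `parse` and `evaluate` are hypothetical, and the model assumes first-match-wins, top-down processing with fall-through when a ruleset has no matching rule; real ABE also supports methods and further actions that are left out here.

```javascript
// Simplified model of ABE evaluation (added illustration, not NoScript's code).
// Assumption: rulesets and their rules are tried top-down, the first rule whose
// "from" matches decides, and a request no rule matches is allowed.
const isLocal = (h) =>
  /^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(h);

// Does one ABE-style pattern match "host[:port]"? `dest` is only used for SELF.
function matches(pattern, target, dest) {
  const host = target.split(":")[0];
  if (pattern === "LOCAL") return isLocal(host);
  if (pattern === "SELF") return host === dest.split(":")[0];
  if (pattern.startsWith(".")) // ".jriver.com" = the domain and its subdomains
    return host === pattern.slice(1) || host.endsWith(pattern);
  return pattern.includes(":") ? target === pattern : host === pattern;
}

// Parse rule text into [{ site: [...], rules: [{ action, from }] }].
function parse(text) {
  const sets = [];
  for (const raw of text.split("\n")) {
    const words = raw.replace(/#.*/, "").trim().split(/\s+/).filter(Boolean);
    if (words.length === 0) continue;
    if (/^site$/i.test(words[0])) {
      sets.push({ site: words.slice(1), rules: [] });
    } else if (sets.length) {
      const i = words.findIndex((w) => /^from$/i.test(w));
      sets[sets.length - 1].rules.push({
        action: words[0].toLowerCase(),
        from: i < 0 ? null : words.slice(i + 1), // null: matches any origin
      });
    }
  }
  return sets;
}

// Return "accept" or "deny" for a request from `origin` to `dest`.
function evaluate(text, origin, dest) {
  for (const set of parse(text)) {
    if (!set.site.some((p) => matches(p, dest, dest))) continue;
    for (const rule of set.rules)
      if (!rule.from || rule.from.some((p) => matches(p, origin, dest)))
        return rule.action;
  }
  return "accept";
}

// Rule text as posted in the thread: the built-in LOCAL rule and the working fix.
const DEFAULT = "Site LOCAL\nAccept from LOCAL\nDeny";
const FIX = "Site 192.168.1.36:52199\nAccept from SELF .jriver.com\nDeny\n" + DEFAULT;
console.log(evaluate(FIX, "wr.jriver.com", "192.168.1.36:52199"));
```

Feeding the other rule sets from the thread through `evaluate` reproduces what was reported: a `Site LOCAL` exception that ends in `Deny` blocks other LAN-to-LAN requests, and one that accepts "from" the LAN address never matches the jriver.com origin.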
SwissBIT
Posts: 8
Joined: Tue Feb 05, 2013 4:47 pm
Location: Switzerland

Re: ABE rule help needed

Post by SwissBIT »

That's cool, thank you very much, Thrawn! :D
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ABE rule help needed

Post by GµårÐïåñ »

Sorry for the delay in getting back and yes your current setup courtesy of Thrawn will work just fine, the extra DENY I like to include is ONLY if you have ONE exception to the LOCAL rule, if you have more than one, certainly removing that is necessary as to allow the rest of the rules to be processed. As for the .jriver vs. local address, my bad on that one, I was in a rush and I took a quick look and caught the wrong part of it, thanks for catching that.
Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
SwissBIT
Posts: 8
Joined: Tue Feb 05, 2013 4:47 pm
Location: Switzerland

Re: ABE rule help needed

Post by SwissBIT »

@GµårÐïåñ

Don't worry about the "delay", much more I thank you for your help!

Have a nice weekend!

Norbert Schneider
Aka SwissBIT
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0