ABE blocks local dev enviroment

Discussions about the Application Boundaries Enforcer (ABE) module
func0der

ABE blocks local dev enviroment

Post by func0der » Mon Jan 20, 2014 3:48 pm

Hey guys,

I am having a little problem here with ABE.

My local apache configuration creates different virtual host which are all routed to 127.0.0.1 via host file.

Let's take this one for example: mastery.local

Pretty much all the time the site is working without any problems and ABE enabled.
Then after some while, maybe after changing the WLAN, which should not affect the configuration at all, because it stays the same, all the css and javascript files of the site are blocked.

I tried to enable and disabled modules in Firefox and came to the conclusion that NoScript is the problem here.
I tried to tweak the settings of NoScript to make the site work properly again and then found out that if I deactivate ABE completly there is not problem anymore.

Since I do not want to disable ABE completly, I tried to make a special config for mastery.local which looked like this:

Site mastery.local
Accept ALL from LOCAL

I inserted it But..it did not work.

What am I doing wrong?
I can not figure that one out.

I hope you can help me.

Kind regards
func0der
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: ABE blocks local dev enviroment

Post by Giorgio Maone » Mon Jan 20, 2014 4:23 pm

Just put the following rule at the very beginning of the SYSTEM ruleset:

Code: Select all

Site mastery.local
Accept
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

func0der

Re: ABE blocks local dev enviroment

Post by func0der » Mon Jan 20, 2014 9:57 pm

Thanks for your answer.

So what you are saying is, that I can not overwrite the "system" set with the "user" set?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: ABE blocks local dev enviroment

Post by Thrawn » Mon Jan 20, 2014 10:33 pm

func0der wrote:So what you are saying is, that I can not overwrite the "system" set with the "user" set?

That's correct - and that is the reason for having separate rulesets. You can write whatever rules you want in the USER ruleset without affecting SYSTEM. Requests will be passed through each ruleset, and if any ruleset blocks them, then they are blocked.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0

func0der

Re: ABE blocks local dev enviroment

Post by func0der » Tue Jan 21, 2014 11:33 am

So to summarize things:
You can not UNBLOCK things, that have been blocked before by a global rule.
By global rules I mean rules using placeholders like LOCAL.

You have to unblock them before you are using a global rule. The global url will then apply to every url EXCEPT the ones excluded before by a special rule.
This means as a basic rule you can say: From Special to global.

Maybe I overread that information in the documentation?


Either way, this seems kind of a bug to me. I now think, that the changing of the wifi has caused all this.
I found that little checkbox in ABE which is called "WAN-IP (...) equals LOCAL".
I do not know how that is exactly handled by Firefox and NoScript, but here are my thoughts.

Following situation:

Wifi 1 -> IP 1 (initial IP)
Wifi 2 -> IP 2

The initial IP gets cached by Firefox and NoIP. That means that IP 1 is used in ABE as the WAN IP.
If I change to Wifi 2 and get IP 2 Firefox still works for some seconds. After a full reload (without caching) the css and js is gone.
Firefox has recognized the new IP, but NoScript has not.

The WAN IP in the ABE settings does not change until I uncheck the box, close the settings dialog, reopen and recheck the box again and close it again.
But even after that the css and js does not load again.
Seems like the ruleset is not refreshed.

Strange behaviour, isn't it.

func0der
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: ABE blocks local dev enviroment

Post by Thrawn » Tue Jan 21, 2014 10:34 pm

func0der wrote:So to summarize things:
You can not UNBLOCK things, that have been blocked before by a global rule.


It works like this: a request is tested against each rule in the SYSTEM ruleset until one matches. Then the rule action (Anonymize, Deny, etc) is applied. Then, if the action was not Deny, it is tested against each rule in the USER ruleset until one matches, and that action is applied.

So, if a request reaches the built-in rule, it gets denied and it's game over. You need to put a rule above that one to match the request and allow it. Or perhaps Anonymize it, if it's just pulling styles and JavaScript.

The initial IP gets cached by Firefox and NoIP. That means that IP 1 is used in ABE as the WAN IP.
If I change to Wifi 2 and get IP 2 Firefox still works for some seconds. After a full reload (without caching) the css and js is gone.
Firefox has recognized the new IP, but NoScript has not.

Any messages from ABE in the Browser Console (Ctrl+Shift+J) when this occurs?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0

func0der

Re: ABE blocks local dev enviroment

Post by func0der » Thu Jan 23, 2014 8:37 am

Console says:

Code: Select all

[ABE] <LOCAL> Deny on {GET http://mastery.local/node/186573/edit <<< http://mastery.local/gallon-of-rum - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: ABE blocks local dev enviroment

Post by Giorgio Maone » Thu Jan 23, 2014 9:26 am

func0der wrote:Console says:

Code: Select all

[ABE] <LOCAL> Deny on {GET http://mastery.local/node/186573/edit <<< http://mastery.local/gallon-of-rum - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

This means that at the time of the request, Firefox has already DNS-resolved "mastery.local" at least to one LAN and one WAN (external) IP, and therefore "thinks" you're subject to a DNS-pinning attack.
In order to work around, you just need to insert

Code: Select all

Site master.local
Accept

in the very beginning of the SYSTEM ruleset.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

func0der

Re: ABE blocks local dev enviroment

Post by func0der » Thu Jan 23, 2014 2:47 pm

How should that be possible, if in my /etc/hosts it say:

Code: Select all

127.0.0.1        mastery.local


How would mastery.local become an external ressource for firefox?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: ABE blocks local dev enviroment

Post by Giorgio Maone » Thu Jan 23, 2014 3:28 pm

func0der wrote:How should that be possible, if in my /etc/hosts it say:

Code: Select all

127.0.0.1        mastery.local


How would mastery.local become an external ressource for firefox?

What does your DNS say?
Could you use dig or a similar utility to discover it?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

func0der

Re: ABE blocks local dev enviroment

Post by func0der » Fri Jan 24, 2014 10:26 am

My similar utility was "ping". Hope this is okay?

In both wlans I get the correct resolution to 127.0.0.1.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: ABE blocks local dev enviroment

Post by Giorgio Maone » Fri Jan 24, 2014 10:48 am

func0der wrote:My similar utility was "ping". Hope this is okay?

In both wlans I get the correct resolution to 127.0.0.1.

A name can resolve to multiple IPs, and this looks to be the case. You can't find about multiple IPs by using ping, you need either nslookup or dig.
Otherwise you can try running the following line in Firefox's Browser Console (ctrl+shift.J):

Code: Select all

noscriptOverlay.ns._e(function() DNS).resolve("mastery.local", 0, function(r) alert(r && r.toSource()))
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

func0der

Re: ABE blocks local dev enviroment

Post by func0der » Fri Jan 24, 2014 12:04 pm

I flushed the DNS cache after changing the WLAN and before running the commands.
I used "DNS Flusher 3.0.1" (http://www.coders.com.br/dns-flusher).

Wlan 1:
({ts:1390564779064, entries:["127.0.0.1", "fe80::225:4bff:fe03:ffde"], expireTime:1390564839064, refreshing:true})

Wlan 2:
({ts:1390564591881, entries:["127.0.0.1", "fe80::225:4bff:fe03:ffde"], expireTime:1390564651881, refreshing:true})
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: ABE blocks local dev enviroment

Post by Giorgio Maone » Fri Jan 24, 2014 1:18 pm

May I look at your /etc/hosts file?
Could you add it a

Code: Select all

::1 mastery.local

line?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

func0der

Re: ABE blocks local dev enviroment

Post by func0der » Fri Jan 24, 2014 3:19 pm

Added it.

Here is my /etc/hosts

Code: Select all

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost

::1             mastery.local

127.0.0.1       mastery.local  # MAMP PRO - Do NOT remove this entry!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0

Post Reply