ABE with local server that replaces block site with image

Discussions about the Application Boundaries Enforcer (ABE) module
skkukuk
Junior Member
Posts: 28
Joined: Sun Dec 12, 2010 5:17 pm

ABE with local server that replaces block site with image

Post by skkukuk » Wed Feb 12, 2014 7:06 pm

I am using a local server that serves up a dummy image whenever the hosts file redirects a site to 127.0.0.1 so that when content is blocked, you can see the dummy image in the browser to let you know something was blocked.

The problem I am having is that with ABE enabled, ABE sees the request as a LOCAL request from an non-local site, and rejects the request by the default SYSTEM rule:

[ABE] <LOCAL> Deny on {GET http://blockedsite.com/ <<< http://www.requestingsite.com/whatever.html - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

This prevents the dummy image from being displayed on pages, and worse - if you clink on a link to blocked content, nothing happens at all (it should take you the blocked content image).

I know I can't write a USER rule to get around this, but would adding the following SYSTEM rule before the default LOCAL rule hurt anything, or open me up to anything?

Site 127.0.0.1
Accept GET
Deny

It fixes the problem by allowing the requests to 127.0.0.1 to display the blocked content dummy image, but I am concerned I might be missing something.

Thanks!
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: ABE with local server that replaces block site with imag

Post by Thrawn » Wed Feb 12, 2014 10:29 pm

It should be safe enough, and good work figuring out how and where to add the exception :).

If you want to tighten it a bit further, you could replace 'GET' with 'INCLUSION', to ensure that this only applies to attempts to load resources, not eg redirections. No big deal if your local server is just serving a dummy image for all requests, though. You could even make it 'INCLUSION(IMAGE)', but then you wouldn't get a placeholder for scripts, CSS, frames, etc - up to you. If you're curious, then the ABE rules document, section 1.2, describes the allowed methods.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0

skkukuk
Junior Member
Posts: 28
Joined: Sun Dec 12, 2010 5:17 pm

Re: ABE with local server that replaces block site with imag

Post by skkukuk » Fri Feb 14, 2014 10:13 pm

Thanks for the reply.

I tried your suggestion and now have:

Code: Select all

Site 127.0.0.1
Accept INCLUSION(IMAGE)
Deny

With this SYSTEM rule, any page with an image from a blocked site still gets the dummy image (instead of the blocked image). If I click on a link to a blocked site, or just type it in to the address bar, I get the standard ABE blocked message (yellow popup line at the top of the window), instead of being taken to a new page with just the dummy image.

Your method of using INCLUSION allows less possibility of exposure than using GET, and still solves the problem where clicking on a link to a blocked site didn't do anything. I am not sure why this rule blocking the link yields the standard ABE popup error message, where the default Site LOCAL rule doesn't - but I guess that doesn't really matter to me.

Thanks again for the feedback!
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

Post Reply