ABE blocks IPv6 address during Admin login

Discussions about the Application Boundaries Enforcer (ABE) module

Post by Allen C »

I am running a dual-protocol IPv4 / IPv6 local network. At the moment there is no IPv6 connection to the outside world.

A local DNS server resolves <hostname> to a correct IP4 and/or IP6 address.

Connecting to a normal website / wiki is fine with either IPv4 or 6; logging in to the firewall as administrator is also OK using either protocol.

However, when I try to log in to a Synology NAS unit (the URL typed in is "fileserver:5000"), with an IP4 address it works perfectly, but when I use an IP6 address I see the error: filtered by ABE <LOCAL> Deny

I am running Firefox 25.0 and NoScript Ver 2.6.8.40 on a Mint 12 system, the most recent versions my PC will support :-(

There doesn't seem to be a method of whitelisting an IPv6 subnet... Any ideas?

Allen C
Giorgio Maone
Site Admin

Re: ABE blocks IPv6 address during Admin login

Post by Giorgio Maone »

May I look at any [ABE] message you can find in your Browser Console (Ctrl+Shift+J)?

Re: ABE blocks IPv6 address during Admin login

Post by Allen C »

Giorgio Maone wrote: May I look at any [ABE] message you can find in your Browser Console (Ctrl+Shift+J)?
Many thanks for your prompt reply.

[15:10:00.634] [ABE] <LOCAL> Deny on {GET http://fileserver:5000/webman/index.cgi <<< http://fileserver:5000/, chrome://browser/content/browser.xul - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
[15:10:00.657] TypeError: this.proxs.resolve is not a function @ chrome://dndetails/content/dndetails.js:280


In reality this is something I can live with; it is easy enough to force an IPv4 address - but I thought it might help others if there is a general solution.

Allen C

Re: ABE blocks IPv6 address during Admin login

Post by Giorgio Maone »

It looks like a bug I'm investigating (this load shouldn't trigger because it's initiated from the browser UI).

Anyway, you can work around it by inserting the following code at the very beginning of the SYSTEM ruleset:

Site LOCAL
Accept from ^http://fileserver:5000/

Re: ABE blocks IPv6 address during Admin login

Post by Allen C »

Many thanks - your fix works a treat.

FYI I am using a "Unique Local" address prefix - fd74:f320:7637:e574::/64
Unique-local addresses have the advantage over site-local in that they can be routed, or even tunneled to another site. There are no consequences if they leak onto the worldwide internet.

The prefix was randomly generated, as recommended by the RFCs. Simpledns.com have a web page which generates such prefixes. I am sorely tempted, though, to use a prefix that I can actually remember, based on my date of birth, perhaps :-)

Once again, thanks for your help

Allen C
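
The random prefix generation mentioned in the last post, as an added example that is not part of the original thread: a Python version of the RFC 4193 section 3.2.2 procedure for a Unique Local /48, plus a helper that splits an existing prefix such as the one quoted above into its parts. The function names are hypothetical, and random bytes stand in for the interface EUI-64 when none is supplied.

```python
import hashlib
import ipaddress
import os
import struct
import time

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # fc00::/7 with the L bit set to 1
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def generate_ula_prefix(now=None, eui64=None):
    """Return a /48 Unique Local prefix built as in RFC 4193 section 3.2.2."""
    now = time.time() if now is None else now
    # 64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction.
    seconds = int(now) + NTP_EPOCH_OFFSET
    fraction = int((now % 1) * 2**32)
    ntp = struct.pack(">II", seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)
    # Assumption: random bytes replace the interface EUI-64 when none is given.
    eui64 = os.urandom(8) if eui64 is None else eui64
    digest = hashlib.sha1(ntp + eui64).digest()
    global_id = digest[-5:]  # least significant 40 bits of the SHA-1 digest
    packed = b"\xfd" + global_id + bytes(10)  # 8 + 40 prefix bits, rest zero
    return ipaddress.IPv6Network((packed, 48))


def describe_ula(prefix):
    """Split a ULA prefix into its /48 site prefix, Global ID and Subnet ID."""
    net = ipaddress.IPv6Network(prefix)
    if not net.subnet_of(ULA_LOCAL):
        raise ValueError(f"{net} is not a locally assigned ULA prefix (fd00::/8)")
    if net.prefixlen < 48:
        raise ValueError(f"{net} is shorter than a /48 site prefix")
    raw = net.network_address.packed
    return {
        "site": str(net.supernet(new_prefix=48)),
        "global_id": raw[1:6].hex(),  # 40 bits following the fd byte
        "subnet_id": raw[6:8].hex() if net.prefixlen >= 64 else None,
    }


if __name__ == "__main__":
    print(generate_ula_prefix())
    # Prefix quoted in the thread above.
    print(describe_ula("fd74:f320:7637:e574::/64"))
```
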