Protect Router Access by ABE??

[ReporterX]

1. I have to whitelist it to access the router interface, which is 192.168.1.1
But do I need to protect it?
Or has it covered in ruleset SYSTEM already?

2. If not, are those ABE rules below good to protect me?
Should I put the rulesets under SYSTEM or USER?
What are the differences or points to have SYSTEM and USER?

Site 192.168.1.1
Accept from LOCAL
Deny

Thanks a lot.

[barbaz]

Your router should already be covered by the existing SYSTEM rule.

For the differences between SYSTEM and USER, see viewtopic.php?f=10&t=20042
(it's the same explanation as I give there)

[ReporterX]

Your router should already be covered by the existing SYSTEM rule.

For the differences between SYSTEM and USER, see viewtopic.php?f=10&t=20042
(it's the same explanation as I give there)

So SYSTEM is just a ruleset container which is the same as USER.
"SYSTEM" container does not have any special privileges.
And each ruleset will process independently in each container.
Do I get it right?

each ruleset gets processed until a match is found (then processing *that* ruleset stops)

Hmm I once did testing with the following rulesets:

Code: Select all

Site .informaction.com
Accept INCLUSION(IMAGE) from .informaction.com #Rule 1
Accept INCLUSION(CSS) from .informaction.com #Rule 2
Deny INCLUSION

If I get it right, the processing should stop once it matches Rule 1, and the forum will break.
But in fact both rules get processed.
Same as Deny, all rules are processed.

So does the "match and stop" only apply to Sandbox / Anonymize only?

Thanks a lot.

[barbaz]

So SYSTEM is just a ruleset container which is the same as USER.
"SYSTEM" container does not have any special privileges.
And each ruleset will process independently in each container.
Do I get it right?

Basically. Each "rule container" is processed independently, but processing of any individual container stops as soon as a matching rule is hit for the request.
Not quite sure if that's what you were trying to say or not.

Hmm I once did testing with the following rulesets:

Code: Select all

Site .informaction.com
Accept INCLUSION(IMAGE) from .informaction.com #Rule 1
Accept INCLUSION(CSS) from .informaction.com #Rule 2
Deny INCLUSION

If I get it right, the processing should stop once it matches Rule 1, and the forum will break.

You've blocked all INCLUSIONs that aren't images or CSS. So anything that's not a top-level load should be blocked unless it's an image or stylesheet.
Since your rule does not affect anything that's not an INCLUSION, let's take only the INCLUSIONs into account for the moment. Processing of *image* requests will stop at Rule #1, and get allowed by that ruleset. Likewise, processing of stylesheet requests (which are totally separate from the image requests, since we're not dealing with data URIs) will stop at Rule #2, and be allowed by that ruleset. Any other request (again, to ABE, each request is totally separate from others) will hit the Deny and not show up.


Also, don't put comments on the same line as rules (I've had bad experience with that), and it's better (but not strictly needed) to combine the two Accept lines into

Code: Select all

Accept INCLUSION(IMAGE, CSS) from .informaction.com

[ReporterX]

So SYSTEM is just a ruleset container which is the same as USER.
"SYSTEM" container does not have any special privileges.
And each ruleset will process independently in each container.
Do I get it right?

Basically. Each "rule container" is processed independently, but processing of any individual container stops as soon as a matching rule is hit for the request.
Not quite sure if that's what you were trying to say or not.

What I want to confirm is whether the rule container called SYSTEM has any special privilege, or it is just a normal rule container which is named "SYSTEM" only.
For example System account in Windows clearly has more privileges than User account. It is not just a difference in name only.

Hmm I once did testing with the following rulesets:

Code: Select all

Site .informaction.com
Accept INCLUSION(IMAGE) from .informaction.com #Rule 1
Accept INCLUSION(CSS) from .informaction.com #Rule 2
Deny INCLUSION

If I get it right, the processing should stop once it matches Rule 1, and the forum will break.

You've blocked all INCLUSIONs that aren't images or CSS. So anything that's not a top-level load should be blocked unless it's an image or stylesheet.
Since your rule does not affect anything that's not an INCLUSION, let's take only the INCLUSIONs into account for the moment. Processing of *image* requests will stop at Rule #1, and get allowed by that ruleset. Likewise, processing of stylesheet requests (which are totally separate from the image requests, since we're not dealing with data URIs) will stop at Rule #2, and be allowed by that ruleset. Any other request (again, to ABE, each request is totally separate from others) will hit the Deny and not show up.

Oh I see. I thought the "match and stop" depended on the order of the rules.

Also, don't put comments on the same line as rules (I've had bad experience with that)

What bad experience?

and it's better (but not strictly needed) to combine the two Accept lines into

Code: Select all

Accept INCLUSION(IMAGE, CSS) from .informaction.com

Yup! It is just a dumb test to see if both Accept rules can be processed properly.

[barbaz]

it is just a normal rule container which is named "SYSTEM" only.

That.
The only way in which it's "special" is that if you don't modify it, and if Giorgio changes its default value in a NoScript update, you would get those changes. But that hasn't yet happened in the 2 & 1/2 or so years I've used NS.

Oh I see. I thought the "match and stop" depended on the order of the rules.

It does. If you had the following rule instead:

Code: Select all

Site .informaction.com
Deny INCLUSION
Accept INCLUSION(IMAGE) from .informaction.com
Accept INCLUSION(CSS) from .informaction.com

the Accept clauses would effectively be ignored, so no non-top-level request to informaction would load. Also, if e.g. you modified the SYSTEM rule like this:

Code: Select all

Site http://192.168.100.1/
Accept from https://fooserv.er

Site LOCAL
Accept from LOCAL
Deny

any requests the fooserver makes to 192.168.100.1 would be Allowed, assuming that fooserv.er is external (meaning, not being accessed by a private IP address on your local subnet or otherwise counted as part of LOCAL). But if you flip the order (put the fooserver exception after the default rule), then requests to 192.168.100.1 from fooserver would be blocked by the default SYSTEM rule.

Also, don't put comments on the same line as rules (I've had bad experience with that)

What bad experience?

I think it tried to treat the comment as another Site to match, and invalidated the whole ruleset because Sites can't start with a #, or something like that.

[ReporterX]

Thanks a lot for your explanations. I have much better understanding now.

barbaz, you are awesome.

[barbaz]

you're welcome, feel free to ask any further questions
have a good day