How to add ABE exception for LOCAL?

Discussions about the Application Boundaries Enforcer (ABE) module
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

So how does it know that a certain IP is on my LAN?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

It doesn't. It just knows whether an IP address is private or not, and treats all private IPs as LOCAL.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

Well, that's not what Maone wrotes on its site, or at least it seems to me he says something different. The piece of code comment I quoted it's from https://noscript.net/abe/
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

It says that LOCAL "matches *all* the LAN subnets (possibly configurable) and localhost" (emphasis mine). NoScript doesn't need to know which specific subnet you are on in order to do that.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

So why he writes about "subnets" and not "IPs"?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

Because some LOCAL subnets may not actually contain any local IPs (specifics will vary between users/networks). For example, you use the 172.27.102.* subnet; assuming that 172.27.* is the only private IP range you use, IPs in the 192.168.10.* subnet are not local for you despite that being a LOCAL subnet.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

Thank you for explaination. So it could be a bug. I recall that no GUI alert was displayed.

Maybe ABE could use WebRTC to know local IP address:
http://stackoverflow.com/a/26850789/1763602
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
yes_noscript

Re: How to add ABE exception for LOCAL?

Post by yes_noscript »

No, i'm against that idea-
WebRTC is a realy bad thing!

And i'm happy Pale Moon didn't include this crap. So i hope this didn't get implement in NoScript.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0) Gecko/20100101 Goanna/20160204 PaleMoon/26.0.3
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

Lucas Malor wrote:Maybe ABE could use WebRTC to know local IP address:
Image

Not only does NoScript not need a user's local IP address for anything, like yes_noscript said many NS users will have WebRTC disabled (if they have WebRTC at all) especially given its security history. Requiring WebRTC in NoScript, especially for dubious reasons, would be outright hypocrisy.
-1
*Always* check the changelogs BEFORE updating that important software!
-
johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: How to add ABE exception for LOCAL?

Post by johnscript »

-100, for that matter.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
User avatar
xheralt
Posts: 7
Joined: Sun Jul 26, 2009 1:35 am

Re: How to add ABE exception for LOCAL?

Post by xheralt »

Okay, I had this issue some years ago, and received a very unsatisfactory response from the forum, which I will paraphrase as "Oh, you just write an exception for it the same way you would for any firewall rule...". The point of course is that I don't write firewall rules for a living, nor for fun, and I shouldn't have to be that level of guru simply to use a product, even a FREE (as in beer) product.

After that response, you understand, I just said "fsck this sh*t" and have been routinely disabling ABE since. In the growing sophistication of cyberattacks, this was never entirely wise, and becoming less so as time passes.

The above response in this thread "You have to know what site is being rejected, and what error message is being generated" brought this sort of "helpfulness" to mind. The first part is, the user KNOWS what site is being rejected, even if not stated, and can plug that into a properly-presented example, e.g. in the form of "ALLOW %your_site_here%".

The second part of that statement is also BS. I find it hard to believe a self-styled (or actual) NoScript guru wouldn't know what a standard ABE "%wifi_hosting_site_%/?redir=%your_home_page% blocked by rule <LOCAL> DENY" error message looks like. Because it IS the very standard response. How does repeating back this fairly obvious notification change anything about how to solve it? Because ABE is acting precisely as designed, if not as desired. Demanding (and getting) specifics is not strictly necessary to the solution, and just adds an additional exchange of forum comments.

TL;DR - Here's my situation (one I'm sure shared by or similar to others): Public WiFi for a local coffee-shop chain originates from a page at 10.0.0.1:8000 (a private net common to the various location within the city) that has a standard "Click to accept our terms of usage" page when one first connects. The sort of thing where Windows tells you "Action required to connect. Open Browser now?"

The URL being DENIED therefore looks like this: http://10.0.0.1:8000/index.php?redirurl ... e_site.net. Other locations of the chain use different port#'s (8001, 8010, etc.).

So, I'm giving solving this a second try. This seem to crop up often enough, maybe it should be in the FAQ? "ABE is preventing me from accessing Public WiFi" would be an eye-catching title.

Given how friggin' context-sensitive firewall rules are (or seem to be), it is EQUALLY important to tell a novice (like me) WHERE EXACTLY to PUT said statement. It is only through indirect context in this thread (not specific instruction) that I've now learned that one has to put such exception BEFORE the initial "ALLOW" in System Rules!

I'm going to have to wait an hour before my current session expires (said coffeeshop grants its free access in one-hour blocks) to test the next attempt to write an exception.
XH=J

Registered Linux User #459491 (currently stuck with a Win10 laptop, don't hold it against me)
Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

xheralt wrote:Okay, I had this issue some years ago, and received a very unsatisfactory response from the forum, which I will paraphrase as "Oh, you just write an exception for it the same way you would for any firewall rule...".
xheralt, your only other posts on this forum that were replied to are in viewtopic.php?f=23&t=2115. Tell me, which response from that thread are you paraphrasing?
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
xheralt
Posts: 7
Joined: Sun Jul 26, 2009 1:35 am

Re: How to add ABE exception for LOCAL?

Post by xheralt »

barbaz wrote:
xheralt wrote:Okay, I had this issue some years ago, and received a very unsatisfactory response from the forum, which I will paraphrase as "Oh, you just write an exception for it the same way you would for any firewall rule...".
xheralt, your only other posts on this forum that were replied to are in viewtopic.php?f=23&t=2115. Tell me, which response from that thread are you paraphrasing?
My www access is sporadic and depends on public wifi, which is why it's taken me this long to respond.

There was another go-round before that; the thread was either locked or deleted. With forum search being (semi)broken, I wasn't able to locate the thread you cited, thank you for locating it. As I recall, I ended up not going to that particular coffee shop, so I never needed to even try implementing the suggested solution. Until the circumstance recurred now at a different place. I'll try that. In the meantime, I tried this:

Code: Select all

# Prevent Internet sites from requesting LAN resources.
Accept from http://10.0.0.1
Site LOCAL
Accept from LOCAL
Deny
Which results in the error: line 2:0 missing EOF at 'Accept'. So you've saved me from having to ask "what next"? :)
XH=J

Registered Linux User #459491 (currently stuck with a Win10 laptop, don't hold it against me)
Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

xheralt wrote:My www access is sporadic and depends on public wifi, which is why it's taken me this long to respond.

There was another go-round before that; the thread was either locked or deleted.
Ah, thanks. Yeah, that must be it, one Mod used to delete "go-round" type threads here. He's no longer forum staff and we don't delete such threads anymore.
xheralt wrote:So you've saved me from having to ask "what next"? :)
I just remembered, I might be able to save you something else too. I actually happen to have an exception in my own SYSTEM ruleset for the same type of access point as you encountered in the other thread. Maybe having that in full could help in this case.

Here is my entire SYSTEM ruleset (WiFi access point name obscured) -

Code: Select all

# ******* WiFi haxx
Site .nnu.com
Accept

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
How did I figure out what to put in? Well, all public WiFi access point exceptions work the same way:
1) Check the Browser Console (Ctrl-Shift-J) for message like this - https://noscript.net/abe/users.html
2) Plug in the blocked sites (site1.com site2.com site3.com) at the very top of the SYSTEM ruleset, in this form

Code: Select all

Site .site1.com .site2.com .site3.com
Accept
Or if IP addresses, skip the leading dot:

Code: Select all

Site 10.0.0.1 1.1.1.1
Accept
3) You're done. Enjoy the Internet.

Still seem "guru-y" to you? Let's de-mystify it then.

So, you're looking at the console message. See where it says MATCHING_SITE and ORIGIN1[, ORIGIN2, ...], ORIGINAL_ORIGIN in Giorgio's example? Those will be the sites that you pull out of the console message for the exception. If you see any of those beginning with chrome:, ignore that one, it will be automatically taken care of.

Then, the next trick is to make sure to combine *all* matching domains on the *same* Site line. For my access point, it was a couple different subdomains of nnu.com, which made that easy (note the leading dot in the ruleset). In your case here, perhaps just 10.0.0.1? Each different site is separated by a single whitespace.

Finally, as said, these public Wi-Fi access point exceptions are always the same template as how I did it above. So just plug in your site(s) and you should be good. If that doesn't cut it, try again because you may have another site to add to your Site line. Once it works, you're done.

There, that cuts through all the guru-y stuff a bit, doesn't it? Now just plug in your sites and enjoy your WiFi. :)

Does that help?
*Always* check the changelogs BEFORE updating that important software!
-
Pow_2k
Posts: 1
Joined: Thu Jan 05, 2017 1:39 pm

Re: How to add ABE exception for LOCAL?

Post by Pow_2k »

barbaz wrote: Does that help?
Barbaz, I went and created an account just so I could reply and say yes, this helps immensely. (Also, thanks to those had provided earlier clues but barbaz provided a concise solution AND explained why it gets entered that way.) I had been in situations similar to xheralt's previously and couldn't figure it out, so disabling ABE temporarily to get past the issue was the solution I used. Suddenly this week I've run into ABE blocking when trying to access a resource in my corporate LAN.

Code: Select all

[ABE] < LOCAL> Deny on {GET http://somehost:8410/ui <<< http://somehost:8410/, moz-nullprincipal:{b22da868-f242-41c9-b93d-007297b56933} - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Since this is all dealing with a single host I don't understand why ABE is denying it. But, at least I now know how to add an exception rule for this single host and still have protection elsewhere. Now to make this the top hit in web searches for "abe local deny"...
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Post Reply