Can ABE block ports?

Discussions about the Application Boundaries Enforcer (ABE) module
Guest


Post by Guest » Thu Aug 04, 2016 12:45 pm

Maybe allow port 22 and 5346 and deny all other ports globally?
Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: Can ABE block ports?

Post by barbaz » Thu Aug 04, 2016 4:29 pm

Er... why are you connecting to port 22 (ssh) in your browser? And why don't you want to be able to connect to port 80 (http) or 443 (https)?

Yes, ABE can block ports. See https://hackademix.net/2010/01/08/nat-pinning-and-abe/ for an example.
*Always* check the changelogs BEFORE updating that important software!
-

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Can ABE block ports?

Post by Thrawn » Sat Aug 06, 2016 12:50 am

If you're thinking that ABE is a regular firewall, sitting at your network interfaces and allowing only whitelisted traffic - it isn't.

It is designed to restrict the behavior of your browser, and in particular, restrict the ways in which different websites may interact with each other. Thus, web application firewall.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.1.1

Guest

Re: Can ABE block ports?

Post by Guest » Sun Aug 07, 2016 9:44 am

Thrawn wrote: If you're thinking that ABE is a regular firewall, sitting at your network interfaces and allowing only whitelisted traffic - it isn't.

It is designed to restrict the behavior of your browser, and in particular, restrict the ways in which different websites may interact with each other. Thus, web application firewall.


:) I use Privoxy to control ports, but from what I've tested, ABE can do the same. By now, I don't trust NS.

I am just porting my Privoxy rules to ABE. Well, I am trying. I started 10 or more years ago with ~1.3 Mio domain names (from various hosts files) to block domains. I hunted those ~1.3 Mio lines down to ~53.000 lines of Privoxy rules. With ABE I now try to hunt those lines again down to maybe 50-100 lines. If I fail I will try a mixture of Privoxy (for http) and uBlock Origin and uMatrix (for https) plus Self-Destructing-Cookies. The mess with NS is that it generates a lot of unwanted traffic from 3rd party domains. Allow www.example.com might also allow platform.twitter.com through www.example.com/test.js even if I Deny .twitter.com. Actually I haven't figured out how to stop this behaviour with a simple rule. All my tries have cons. Anyway, as for http traffic Privoxy is superior, but it can't see https paths, headers and so on. Bad that the developer can't find a solution to fix this.
Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: Can ABE block ports?

Post by barbaz » Sun Aug 07, 2016 4:13 pm

Guest wrote: The mess with NS is that it generates a lot of unwanted traffic from 3rd party domains. Allow www.example.com might also allow platform.twitter.com through www.example.com/test.js even if I Deny .twitter.com.

wat?

Guest wrote: Bad that the developer can't find a solution to fix this.

Not NoScript problems. Bad that user can't find the right questions to ask to get answers for the crappy behavior.
(No, really, it sounds like crappy behavior, and I've no idea what to say about it with the information you've given. NoScript should not be randomly allowing sites that are blocked elsewhere, never did for me and if it did the security would be about as good as using one sheet of tissue paper to stop a missile. When you've figured out the right question, please also test with only NoScript and sniff the HTTP traffic to see if you actually have packets being sent to these "extra" domains. Screenshots of NoScript menu would help too.)
