Which is the best way to configure ABE?

[therube]

> WAN IP (Your-Internet-IP) @ LOCAL

http://forums.informaction.com/viewtopi ... 272#p20272

[Giorgio Maone]

Thank you therube, I understand better now but still ABE settings are too complicated to common users

In fact "common users" shouldn't touch them without guidance.
The built-in rules already give significant protection against attacks from internet to intranet.

[tlu]

Thank you therube, I understand better now but still ABE settings are too complicated to common users

In fact "common users" shouldn't touch them without guidance.
The built-in rules already give significant protection against attacks from internet to intranet.

Giorgio, are you also considering to enhance ABE in such a way that Noscript will become an alternative to CsFire? I understand that ABE already offers what CsFire does but it's simply not user-friendly enough to use it that way. Would be highly appreciated

[Giorgio Maone]

CsFire's behavior can be implemented with this one simple rule (to be put in the USER ruleset):

Code: Select all

# This rules allows authentication data to be sent with requests originated
# from the same base domain, stripping it off otherwise 
Site *
Accept from SELF++
Anon

[tlu]

CsFire's behavior can be implemented with this one simple rule (to be put in the USER ruleset):

Code: Select all

# This rules allows authentication data to be sent with requests originated
# from the same base domain, stripping it off otherwise 
Site *
Accept from SELF++
Anon

Ah - I had used the rule you had mentioned in http://forums.informaction.com/viewtopi ... 99&start=0& :

Code: Select all

Site *
Accept from SELF
Anon

and that broke too many sites - but it was without the ++. I will try your new suggestion. Thanks!

[Jahzoone]

Am I understanding this correctly, can I use this string to allow my own website?

My problem is ABE is blocking me from browsing to my own web pages since they are being served from the same IP.

[Giorgio Maone]

What message do you get, exactly?

[Jahzoone]

I have more information, problem happens when I do Google search for my site then click on search result, I get information bar at top of screen, actually I suppose this means ABE is working like it should? Perhaps I will just use bookmarks or is it safe to allow Google?

[Nate]

[deleted]

[Giorgio Maone]

CsFire's behavior can be implemented with this one simple rule (to be put in the USER ruleset):

Code: Select all

# This rules allows authentication data to be sent with requests originated
# from the same base domain, stripping it off otherwise 
Site *
Accept from SELF++
Anon

Could you please summarize why this rule is not included by default?

Because it would probably break any web site which spans across different domains linking back and forth (many financial sites have this kind of setup), so if you're not prepared to opt-in and possibly put exceptions to this behavior, it would come as an unpleasant surprise.

[very old guy]

CsFire's behavior can be implemented with this one simple rule (to be put in the USER ruleset):

Code: Select all

# This rules allows authentication data to be sent with requests originated
# from the same base domain, stripping it off otherwise 
Site *
Accept from SELF++
Anon

Could you please summarize why this rule is not included by default?

Because it would probably break any web site which spans across different domains linking back and forth (many financial sites have this kind of setup), so if you're not prepared to opt-in and possibly put exceptions to this behavior, it would come as an unpleasant surprise.

Could someone please give an example of "opt-in and possibly put exceptions to this behavior"? Yahoo Mail! would be a fine test case I believe; popular and at times has been prone to Cross-Site risks, and absent exceptions there are layout problems at a minimum.

[Giorgio Maone]

Could someone please give an example of "opt-in and possibly put exceptions to this behavior"? Yahoo Mail! would be a fine test case I believe; popular and at times has been prone to Cross-Site risks, and absent exceptions there are layout problems at a minimum.

Code: Select all

Site .yahoo.com .anyothersiteyouwanttoprotect.com
Accept from SELF++
Anon

[herojoker]

According to this presentation and this paper (this thread is reference [8] there) CsFire allows "expected requests" / "trusted delegations" since version 1.0 which would get blocked with the above user rule.