The two rulesets are used exactly the same way. As far as I know, the reason for having two is so that you can apply two sets of rules.
When a rule is satisfied, ABE stops processing that ruleset. However, if the request was not entirely blocked, it will still process the other ruleset. So, if you have a USER rule that anonymizes a request, but the request was actually an external site trying to reach LOCAL (which will be blocked by the default SYSTEM rule), then ABE will still process the SYSTEM ruleset and block it.
By doing this, you can write rules in the USER ruleset without worrying that you'll accidentally override the protection of the default rule. However, if you need to add exceptions to the default rule, then you'll need to edit the SYSTEM ruleset.
Thus far, the SYSTEM ruleset has just the one rule, but in future, perhaps it will have more. The NAT Pinning defence is a candidate.
SYSTEM versus USER ruleset
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
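The processing model described in the post above, as an added sketch that is not part of the original post and is not ABE's own code. The flat rule tuples, the `is_local` stand-in for the LOCAL keyword, the catch-all USER rule and the host names are assumptions made for illustration.

```python
# Simplified model of the two-ruleset semantics described in the post.
# Not ABE's implementation; rules and hosts below are constructed samples.
from ipaddress import ip_address

def is_local(host):
    """Rough stand-in for LOCAL: localhost or a private/loopback IP literal."""
    if host == "localhost":
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False          # a DNS name; this model does not resolve it
    return ip.is_private or ip.is_loopback

def anything(_host):
    return True

# Each entry: (destination matcher, origin matcher, action).
SYSTEM = [
    (is_local, is_local, "Accept"),   # Site LOCAL / Accept from LOCAL
    (is_local, anything, "Deny"),     # Site LOCAL / Deny
]
USER = [
    (anything, anything, "Anonymize"),  # constructed catch-all USER rule
]

def first_match(ruleset, origin, dest):
    """The first satisfied rule ends processing of this ruleset."""
    for site, frm, action in ruleset:
        if site(dest) and frm(origin):
            return action
    return None

def evaluate(origin, dest, rulesets=(("USER", USER), ("SYSTEM", SYSTEM))):
    """Return (verdict, [(ruleset name, action), ...]) for one request."""
    applied = []
    for name, rules in rulesets:
        action = first_match(rules, origin, dest)
        if action is not None:
            applied.append((name, action))
        if action == "Deny":          # entirely blocked: stop here
            break
    actions = [a for _, a in applied]
    if "Deny" in actions:
        return "Deny", applied
    return ("Anonymize" if "Anonymize" in actions else "Accept"), applied

if __name__ == "__main__":
    # External origin reaching a LAN address: USER anonymizes, SYSTEM still denies.
    print(evaluate("evil.example", "192.168.1.1"))
```

The verdict for the external-to-LAN request is the same whichever ruleset is evaluated first, which is why a USER rule cannot weaken the SYSTEM rule in this model.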