Noob basic ABE rule assistance needed

Discussions about the Application Boundaries Enforcer (ABE) module
scottyp
Posts: 4
Joined: Tue Feb 23, 2010 2:02 am

Post by scottyp »

Hi,
I'm trying to make my first useful ABE rule for a banking (CC) site. I have been unable to determine why my rules will not work. I just want to control two sites (it appears) and allow them to have full access to each other (in ABE terms).

USER Rules in place (I've tried every variation of them as well)

Code:

Site online.citibank.com
Accept ALL from SELF
Accept ALL from online.citibank.com
Accept ALL from www.accountonline.com
Deny

Site www.accountonline.com
Accept ALL from SELF
Accept ALL from online.citibank.com
Accept ALL from www.accountonline.com
Deny

ABE error seen: (not sure if I can post url links)
http://tinypic.com/view.php?pic=34dhg9d&s=6
Last edited by scottyp on Sun Feb 10, 2013 11:06 pm, edited 1 time in total.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Noob basic ABE rule assistance needed

Post by Thrawn »

Try this:

Code:

Site .online.citibank.com .accountonline.com
Accept from .online.citibank.com .accountonline.com
Deny

Post by scottyp »

That appears to have worked. But I don't understand why they need to get merged like that?

So if there are ten sites that just happen to talk to each other, you'd need to do the same thing? Or is this something to do with the nature of the redirects, etc?

I've re-reviewed the FAQ and Syntax PDF. While an example is shown for "accept from" for two sites, similar to mine, it isn't clear that you CAN'T have two separate lines saying "Accept from" - which I think is my problem. Is that correct?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Post by Tom T. »

I believe the issue is at the bottom of Page 2 of ABE Rules .pdf, in which it is stated that "processing stops as soon as a predicate matches current request. Therefore, the most specific should be put at the top...."

As soon as SELF is found, the request to accountonline is blocked.
Try putting the specific ones -- accountonline and online.citibank.com -- above the SELF rule, and see if that works.

Also, it seems to me that

Code:

Site online.citibank.com
Accept ALL from SELF
Accept ALL from online.citibank.com

is redundant, as implied by Thrawn's omission of SELF when your request source and destination are the same, and (we hope!) using the same port number, namely, the HTTPS standard port.

Post by Thrawn »

scottyp wrote: That appears to have worked. But I don't understand why they need to get merged like that?

They don't need to be merged, but it's much more compact. It's perfectly legitimate and equivalent to have:

Code:

Site .online.citibank.com
Accept from .online.citibank.com .accountonline.com
Deny

Site .accountonline.com
Accept from .online.citibank.com .accountonline.com
Deny

But why bother?

scottyp wrote: So if there are ten sites that just happen to talk to each other, you'd need to do the same thing? Or is this something to do with the nature of the redirects, etc?

You would indeed need to do the same thing, and I think it expresses your intent quite well: "This list of sites accepts all requests from this list of sites".

It might be nice to have some special syntax to say "Accept from everything listed in the Site expression". Kind of like an extended version of the SELF keyword. But the current syntax isn't too onerous.
scottyp wrote: I've re-reviewed the FAQ and Syntax PDF. While an example is shown for "accept from" for two sites, similar to mine, it isn't clear that you CAN'T have two separate lines saying "Accept from" - which I think is my problem. Is that correct?

Not at all. You certainly can have two Accept lines. In fact, due to some quirky behavior of the LOCAL keyword, it's sometimes essential. However, the error message that you posted shows what is probably a referrer, and ABE seems to take them into consideration in some circumstances. *That* is not well documented. Anyway, your original rules were too specific to deal with the 'www.accountonline.com with referrer of online.citibank.com' situation.
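
A simplified model of the first-match predicate processing discussed in this thread, added here as an example (it is not NoScript's code and not from any poster), used to check that the merged and split rulesets posted above decide the same way for a few constructed requests. The matching rules listed in the comments, the function names and the request list are assumptions of this model.

```python
# Simplified model of ABE rule evaluation (added example, not NoScript's code).
# Assumptions: only Site/Accept/Deny lines; method keywords are ignored; ".host"
# matches host and its subdomains; a request no predicate matches is accepted.
def host_matches(pattern, host):
    bare = pattern.lstrip(".")
    return host == bare or (pattern.startswith(".") and host.endswith(pattern))

def parse(text):
    rulesets = []
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] == "Site":
            rulesets.append({"sites": words[1:], "predicates": []})
        else:
            origins = words[words.index("from") + 1:] if "from" in words else None
            rulesets[-1]["predicates"].append((words[0], origins))
    return rulesets

def decide(rulesets, origin, dest):
    for rs in rulesets:
        if not any(host_matches(s, dest) for s in rs["sites"]):
            continue
        for action, origins in rs["predicates"]:
            if origins is None or any(host_matches(o, origin) for o in origins):
                return action  # first matching predicate ends processing
    return "Accept"

MERGED = parse("""
Site .online.citibank.com .accountonline.com
Accept from .online.citibank.com .accountonline.com
Deny
""")
SPLIT = parse("""
Site .online.citibank.com
Accept from .online.citibank.com .accountonline.com
Deny

Site .accountonline.com
Accept from .online.citibank.com .accountonline.com
Deny
""")
# Constructed (origin, destination) host pairs; third.example is a placeholder.
REQUESTS = [("online.citibank.com", "www.accountonline.com"),
            ("www.accountonline.com", "online.citibank.com"),
            ("third.example", "www.accountonline.com"),
            ("third.example", "online.citibank.com")]

def compare():
    return [(o, d, decide(MERGED, o, d), decide(SPLIT, o, d)) for o, d in REQUESTS]
```

Each row of `compare()` holds the origin, the destination, and the decision under the merged and the split rulesets; the two decisions agree on every constructed request.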