Unexpected ABE Behavior

[GµårÐïåñ]

I have been noticing some strange behavior. Say I go to site x and if I happen to immediately afterwards go to a local LAN 192.168.1.x resource, it gives me an alert.

Example:

Code: Select all

[ABE] <LOCAL> Deny on {GET https://192.168.1.77/admin <<< http://www.alphabounce.com/}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

why is that? Also, performing some functions on the router at one of our test locations gives this alert.

Code: Select all

[ABE] <LOCAL> Deny on {GET http://gateway.2wire.net/net/stat/status.html?command=0&next=http://gateway.cms.2wire.com/hp/kickResult%3Fsessionid%3DtegMcZCU_Avg <<< http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do, http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

so why is that? I am currently running dev build 1.9.4.6

[Giorgio Maone]

I have been noticing some strange behavior. Say I go to site x and if I happen to immediately afterwards go to a local LAN 192.168.1.x resource, it gives me an alert.

How do you "go" there, exactly? By following a link on site x, by using a bookmark or what?


why is that? Also, performing some functions on the router at one of our test locations gives this alert.

Code: Select all

[ABE] <LOCAL> Deny on {GET http://gateway.2wire.net/net/stat/status.html?command=0&next=http://gateway.cms.2wire.com/hp/kickResult%3Fsessionid%3DtegMcZCU_Avg <<< http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do, http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do}

Does gateway.2wire.net resolve to an IP in your LAN while gateway.cms.2wire.com points to an external (Internet) IP?
If so, that's the normal intranet protection rule behavior (just like LocalRodeo).
If needed, you can modify it this way:

Site LOCAL
Accept from LOCAL *.2wire.com
Deny

[GµårÐïåñ]

How do you "go" there, exactly? By following a link on site x, by using a bookmark or what?

Both are accessed via bookmarks. Still one shouldn't be linked or trying to access the other.

Does gateway.2wire.net resolve to an IP in your LAN while gateway.cms.2wire.com points to an external (Internet) IP?
If so, that's the normal intranet protection rule behavior (just like LocalRodeo).

Yes it does. It goes from the 192.168.1.254/... to the secure gateway site to get information and report back to the local router, it gets stopped on the way back not on the way out. This will be important further down.

If needed, you can modify it this way:

Code: Select all

Site LOCAL
Accept from LOCAL *.2wire.com
Deny

I thought about that and I have been doing these but I have noticed the exception list is growing ridiculously long and eventually is going to be a performance issue when you have a huge list to pull against just to cover the exceptions. Especially that adding this exception causes another issue.

Now with the above exception in place, when you try going outbound (which had no problem before), you get this:

Code: Select all

[ABE] <LOCAL> Deny on {GET http://gateway.2wire.net/net/stat/status.html?command=0&next=http://gateway.cms.2wire.com/hp/kickResult%3Fsessionid%3Dbc1IGarSH5kg <<< http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do, http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

[Giorgio Maone]

Both are accessed via bookmarks.

It's a bug, then. Investigating...

It goes from the 192.168.1.254/... to the secure gateway site to get information and report back to the local router

What's secure? they seem both plain HTTP (unless you're using some proprietary encryption protocol, which would be weird however).

it gets stopped on the way back not on the way out.

Of course, that's expected.
It's just like Local Rodeo: sites outsite your intranet are not allowed to link to sites placed in your LAN (e.g. a router).
If you didn't have the same issue when you used Local Rodeo, it just means Local Rodeo was too buggy to catch this situation.

I have noticed the exception list is growing ridiculously long

Why? Shouldn't you just have your "secure" external gateway listed in the From clause?

Now with the above exception in place, when you try going outbound (which had no problem before), you get this:

Code: Select all

[ABE] <LOCAL> Deny on {GET http://gateway.2wire.net/net/stat/status.html?command=0&next=http://gateway.cms.2wire.com/hp/kickResult%3Fsessionid%3Dbc1IGarSH5kg <<< http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do, http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do}

It seems exactly the same request as the first you reported, i.e. gateway.cms.2wire.com (external) originating a request to gateway.2wire.net (internal). Am I missing something?

[GµårÐïåñ]

Both are accessed via bookmarks.

It's a bug, then. Investigating...

Thank you, that's what I thought so why I brought it up. This is just one case, there are several I have experienced since the start, I just figured work in progress.

What's secure? they seem both plain HTTP (unless you're using some proprietary encryption protocol, which would be weird however).

Well that's another reason this bugs me, the site is HTTPS but ABE message shows a post request from HTTP, something that was weird to me as well. The router creates a hash for the session which identifies the router, then sends it to an HTTPS site for verification of the update package which is a .net of the same site and then it gets rerouted back using the HTTP .com version of the site using the hash to deliver the message back to the router. Not the most elegant, but works and we have established through extensive testing, its secure.

Of course, that's expected.
It's just like Local Rodeo: sites outsite your intranet are not allowed to link to sites placed in your LAN (e.g. a router).
If you didn't have the same issue when you used Local Rodeo, it just means Local Rodeo was too buggy to catch this situation.

Yes, accessing a secure LAN from outside is prohibited, no problem but as you can see below its doing it on the way out now, the in part, I am ok with and had no problem with, its the outgoing that I have an issue with. The incoming was given as a case example so you can see with the exception placed, it will generate the outgoing message. I had gone through all this, but for the sake of the community and making sure we don't miss a step, I figured we start from the beginning and you can tell me what I have already done so I know I did it right and we can resolve through it.

Why? Shouldn't you just have your "secure" external gateway listed in the From clause?

Maybe I should have been more clear, the list is growing because this is not the only site that has the issue, it was provided as a single example for discussion. This and then another and then another and by the end of the day we are looking at tens of exceptions for various sites, that WILL have a performance issue, I promise you. Right now the anecdotal evidence is too little and the usage is not as heavy by everyone because they don't get how it works or frankly not stable enough for anyone to try yet but those of us actually putting it through the ringer are seeing it. Just think how many entries in your changelog read "performance improvement", I am sure you have seen it too.

Code: Select all

[ABE] <LOCAL> Deny on {GET http://gateway.2wire.net/net/stat/status.html?command=0&next=http://gateway.cms.2wire.com/hp/kickResult%3Fsessionid%3Dbc1IGarSH5kg <<< http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do, http://gateway.cms.2wire.com/hp/upgrade/showUpgrades.do}

It seems exactly the same request as the first you reported, i.e. gateway.cms.2wire.com (external) originating a request to gateway.2wire.net (internal). Am I missing something?

Exactly, I am glad you noticed that. So why is the same message that was generated on the incoming get generated on the outgoing with the exception rule in place?