How to add ABE exception for LOCAL?

Discussions about the Application Boundaries Enforcer (ABE) module
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

How to add ABE exception for LOCAL?

Post by Lucas Malor »

I need to add an exception to LOCAL in ABE. I don't know why, but wifi that needs a web login does irritate ABE, that filter their requests.

I tried with:

Code: Select all

Site LOCAL
Accept from LOCAL 
Accept from https://the.site.com
Deny
and with

Code: Select all

Site LOCAL
Accept from LOCAL 
Accept from the.site.com
Deny
and with

Code: Select all

Site LOCAL
Accept from LOCAL 
Accept from .the.site.com
Deny
and with

Code: Select all

Site LOCAL
Accept from LOCAL the.site.com
Deny
etcetera, but nothing. What's the correct way to add the exception?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

Moving to ABE.

We can't help you there without seeing the ABE message(s) from the Browser Console (Ctrl-Shift-J)...
(Preferably please test with the default SYSTEM ruleset.)
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: How to add ABE exception for LOCAL?

Post by Thrawn »

It's pretty normal for captive WiFi to run into ABE, because you requested an external site, but the portal redirects you to a local address (their own) to log in.

Actually, if it weren't for the fact that this behavior is part of the terms and conditions of use, then it would qualify as an attack, hijacking your connection.

Anyway, as barbaz mentioned, we'd need to see which sites are trying to get involved, so that we know what exception(s) to add.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

I got another ABE exception:

Code: Select all

[ABE] <LOCAL> Deny on {GET http://ots1.cesi.lan/scm/resources/images/scm-logo.jpg <<< http://ots1.cesi.lan/scm/ - 3}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
I have a lot of these messages. It's the site of the repository manager of our company, and I'm on the same net. I suppose this is the problem.
How can I add an exception?

PS: I recive no message from ABE via GUI if I access the URI directly. If I access the URI from another page, ABE complains.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

In this case, try:
NoScript Options > Advanced > ABE > SYSTEM, add at the very top

Code: Select all

Site ots1.cesi.lan
Accept from SELF+
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

It works. I have to put in SYSTEM rules, _before_:

Code: Select all

Site LOCAL
Accept from LOCAL 
Deny
Can you explain me why? Furthermore, why that site was blocked? Is my previous assumption correct?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

The way to assess why the site is hitting ABE troubles is to do a DNS lookup of the site. Can you please post the output of running the following command in Terminal?

Code: Select all

dig ots1.cesi.lan
(I would suspect it resolves to both LOCAL and non-LOCAL addresses.)
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

Code: Select all

; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> ots1.cesi.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;ots1.cesi.lan.			IN	A

;; ANSWER SECTION:
ots1.cesi.lan.		3600	IN	A	172.27.118.77

;; Query time: 14 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Feb 03 19:13:09 CET 2016
;; MSG SIZE  rcvd: 58
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

Weird, that is only LOCAL... that really shouldn't be triggering the ABE rule to block it, especially not from itself.

Wonder if this is related to viewtopic.php?f=23&t=20795 ?
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: How to add ABE exception for LOCAL?

Post by Thrawn »

Lucas Malor wrote:I have to put in SYSTEM rules...Can you explain me why?
Because if you use a different ruleset, or if you put it further down, then the SYSTEM rule will trigger and block the request, and ABE will stop examining further rules.
Furthermore, why that site was blocked? Is my previous assumption correct?
It's strange that it's blocking requests from itself to itself, like barbaz said. Might be a bug, or there might be something odd about the DNS resolution of that name.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

Are you sure it's LOCAL to LOCAL?

Code: Select all

marco@daneel:~$ ifconfig | grep -A 1 wlan1
wlan1     Link encap:Ethernet  HWaddr 10:08:b1:c8:72:fb  
          inet addr:172.27.102.138  Bcast:172.27.102.255  Mask:255.255.255.0
marco@daneel:~$ dig +short ots1.cesi.lan
172.27.118.77
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

Well, that's what it looks like. Why do you think that terminal output maybe suggests otherwise?
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: How to add ABE exception for LOCAL?

Post by Thrawn »

Entering 172.27.118.77 into iplocation.net confirms that it is a local address.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
User avatar
Lucas Malor
Senior Member
Posts: 71
Joined: Tue Nov 09, 2010 2:01 pm
Contact:

Re: How to add ABE exception for LOCAL?

Post by Lucas Malor »

Well, because my net is 172.27.102.* and ots1.cesi.lan is on 172.27.118.77. It seems they are on different LANs.
From https://noscript.net/abe/ :

Code: Select all

# LOCAL is a placeholder which matches all the LAN 
# subnets (possibly configurable) and localhost
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: How to add ABE exception for LOCAL?

Post by barbaz »

I don't think NoScript knows your private IP.
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply