Local doesn't allow local?

Discussions about the Application Boundaries Enforcer (ABE) module
binaryvanguard
Posts: 3
Joined: Mon Jun 27, 2016 1:44 am

Local doesn't allow local?

Post by binaryvanguard »

I am trying to figure out why this isn't working. I have a synology DS415+ and ABE keeps blocking access to it. I've noticed in several posts the first request is for the error, so here it is:

[ABE] <LOCAL> Deny on {GET http://whatsinaname:5000/webman/index.cgi <<< http://whatsinaname:5000/, chrome://browser/content/browser.xul - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

My if I change this rule just a bit to:

SYSTEM rule:
Site LOCAL
Accept from LOCAL whatsinaname
Deny

I have no problems whatsoever. I can also make a special rule for whatsinaname above the local rule and it works, but if that rule comes second it does not. It also works fine if I go to the machine by IP address. All this leads me to believe that the site filter is treating this device as local, but the rule predicate does not consider it local. Can someone shed some light as to exactly what's going on?
Last edited by barbaz on Mon Jun 27, 2016 3:04 am, edited 1 time in total.
Reason: kill board-generated links
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Local doesn't allow local?

Post by barbaz »

binaryvanguard wrote:I can also make a special rule for whatsinaname above the local rule and it works,
Can you please post that here? Writing a special rule (*above* the existing SYSTEM rule, like you found out) is the more correct way to deal with these kinds of configurations; and either we might be able to help you improve your exception, or it will help others searching for similar problem.
Thanks!
binaryvanguard wrote:All this leads me to believe that the site filter is treating this device as local, but the rule predicate does not consider it local.
Does "whatsinaname" resolve to both a LOCAL and non-LOCAL address? Check its DNS lookup
binaryvanguard wrote:Can someone shed some light as to exactly what's going on?
What kind of light you would like shed on this? You seem to have pretty much figured it out...
*Always* check the changelogs BEFORE updating that important software!
-
binaryvanguard
Posts: 3
Joined: Mon Jun 27, 2016 1:44 am

Re: Local doesn't allow local?

Post by binaryvanguard »

Here is the entire expanded ruleset:

Code: Select all

Site whatsinaname
Accept from whatsinaname
Deny 

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
I'm not sure about the 1st deny. I haven't seen anywhere explicitly that new lines are the separators for rules in a rule set. Also since this is so limited in scope I'm not sure how I could test it.

I hope NSLOOKUPs output will work. If you need me to run it with more options I'll be glad to.
>nslookup whatsinaname
Server: homeportal
Address: <A>::1

Name: whatsinaname
Addresses: <A>:<B>
192.168.1.72

I've redacted the IPv6 info above with variables, I don't want to post my actual IP. I'm only vaguely familiar with nslookup, so I'm not exactly sure what it means when it says the server is "homeportal" (I suspect it's my router). Since it's just a disk station on my lan, I would hope it's not going outside my network.

As far as what sort of trouble I'm having, I don't understand why it's hitting the deny (in the original example). When I'm thinking through the rules, I don't understand logically why what is happening is happening. There is a LOCAL address, so it applies the LOCAL site filter, which then Accepts from LOCAL (except it doesn't?). There is some underlying complexity being masked by this abstraction. In any case I don't understand how it's possible for the Site Predicate for local can be true, while the Action Predicate is false. Maybe I'm just not getting exactly what LOCAL is.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Local doesn't allow local?

Post by Thrawn »

The original message seems to suggest that a redirection is taking place, from a chrome: location to whatsinaname. Is that the case? If so, bear in mind that redirections tend to produce confusing outcomes in ABE, and are best handled by *putting all sites involved in the redirection on the same Accept line*.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.1.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Local doesn't allow local?

Post by barbaz »

Looks like you've figured out the right way to make ABE exception :)
The first Deny can be there or not, either way should work the same.
binaryvanguard wrote:I've redacted the IPv6 info above with variables, I don't want to post my actual IP. I'm only vaguely familiar with nslookup, so I'm not exactly sure what it means when it says the server is "homeportal" (I suspect it's my router).
Yes nslookup is how to do DNS lookup on Windows. "homeportal" is your DNS server.

I think you're hitting this trouble with ABE related to that IPv6 address <A>:<B>. I don't understand IPv6 very well, but I think it will be hard to figure this out without knowing "<A>". (And yeah don't post it publicly because IPv6 addresses can contain [at least fragments of] your computer's MAC address in some configurations.)
*Always* check the changelogs BEFORE updating that important software!
-
binaryvanguard
Posts: 3
Joined: Mon Jun 27, 2016 1:44 am

Re: Local doesn't allow local?

Post by binaryvanguard »

Thrawn wrote:The original message seems to suggest that a redirection is taking place, from a chrome: location to whatsinaname. Is that the case? If so, bear in mind that redirections tend to produce confusing outcomes in ABE, and are best handled by *putting all sites involved in the redirection on the same Accept line*.
I'm trying to look for redirection in the network tab, but everything is either HTTP 200 OK or HTTP 304 Not Modified. Is there a less obvious way to observe redirection if it is occurring?
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Local doesn't allow local?

Post by barbaz »

@binaryvanguard Remember to log in so that you can work with your posts more easily and don't need to solve the CAPTCHA every time.

The redirection Thrawn is referencing is shown in the ABE message:

Code: Select all

http://whatsinaname:5000/webman/index.cgi <<< http://whatsinaname:5000/, chrome://browser/content/browser.xul
'whatsinaname:5000' (which you clicked a bookmark or type in the address bar) redirects to 'whatsinaname:5000/webman/index.cgi'
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply