Discussions about the Application Boundaries Enforcer (ABE) module
alexo
Junior Member
Posts: 23 Joined: Fri Nov 27, 2009 5:58 pm
by alexo » Fri Apr 07, 2017 5:41 pm
When trying to click on links from a Tomcat page on a computer on the local network, I get the following:
Code:
[ABE] < LOCAL> Deny on {GET http://ComputerName:8080/manager/status <<< http://ComputerName:8080/ - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Where "ComputerName" is a machine on the LAN.
How do I fix it?
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10848 Joined: Sat Aug 03, 2013 5:45 pm
by barbaz » Fri Apr 07, 2017 6:01 pm
NoScript Options > Advanced > ABE, add at the very top of SYSTEM
Code:
Site ComputerName:8080
Accept from ComputerName:8080
*Always* check the changelogs BEFORE updating that important software!
-
alexo
Junior Member
Posts: 23 Joined: Fri Nov 27, 2009 5:58 pm
by alexo » Fri Apr 07, 2017 9:07 pm
For each machine on our corporate network? I am pretty sure this is not how it's supposed to work.
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10848 Joined: Sat Aug 03, 2013 5:45 pm
by barbaz » Fri Apr 07, 2017 9:16 pm
If ComputerName resolves both to an IP that falls under LOCAL *and* to an IP that doesn't fall under LOCAL, ABE might be expected to block ComputerName from redirecting to itself.
Does the ABE rule change get it working?
-
alexo
Junior Member
Posts: 23 Joined: Fri Nov 27, 2009 5:58 pm
by alexo » Fri Apr 07, 2017 10:36 pm
Yes, the change makes it work.
Further investigation shows that that machine does not have an IPv4 address for some reason, only IPv6. Can that be the reason?
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10848 Joined: Sat Aug 03, 2013 5:45 pm
by barbaz » Fri Apr 07, 2017 10:43 pm
alexo wrote: Yes, the change makes it work.
Do you have some sort of deployment software for all your corporate machines?
alexo wrote: Further investigation shows that that machine does not have an IPv4 address for some reason, only IPv6. Can that be the reason?
Likely yes, but I don't know the details of how ABE handles IPv6 addresses, sorry.
-
alexo
Junior Member
Posts: 23 Joined: Fri Nov 27, 2009 5:58 pm
by alexo » Sat Apr 08, 2017 6:30 am
barbaz wrote: Do you have some sort of deployment software for all your corporate machines?
IT handles it.
barbaz wrote: alexo wrote: Further investigation shows that that machine does not have an IPv4 address for some reason, only IPv6. Can that be the reason?
Likely yes, but I don't know the details of how ABE handles IPv6 addresses, sorry.
I'd say it's a bug then.
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0
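An added example, not part of the thread and not NoScript's own code: a Python check for the situation discussed above, where a host name resolves to addresses both inside and outside the local ranges, or only to IPv6. The range list, the function names and the sample hosts are assumptions; the thread does not say how ABE defines LOCAL, least of all for IPv6.

```python
import ipaddress
import socket

# Assumption: these ranges approximate what a "local" address is (loopback,
# RFC 1918, link-local, IPv6 unique-local). ABE's own LOCAL definition is
# not shown in the thread and may differ, particularly for IPv6.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_local(addr):
    """True if addr falls inside one of the assumed local ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:          # ::ffff:a.b.c.d form
        ip = ip.ipv4_mapped
    return any(ip.version == n.version and ip in n for n in LOCAL_NETS)

def classify(addresses):
    """Return (verdict, local, non_local) for a host's resolved addresses."""
    local = [a for a in addresses if is_local(a)]
    non_local = [a for a in addresses if not is_local(a)]
    if not addresses:
        verdict = "unresolved"
    elif local and non_local:
        verdict = "mixed"          # the case where origin and target can disagree
    elif local:
        verdict = "all-local"
    else:
        verdict = "all-non-local"  # e.g. an IPv6-only host with a global address
    return verdict, local, non_local

def resolve(host, port=8080):
    """Addresses the OS resolver returns for host (needs working DNS)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

# Constructed sample resolutions (hypothetical hosts, not from the thread).
SAMPLES = {
    "v4-lan-host": ["192.168.1.20"],
    "v6-only-link-local": ["fe80::1c2d:3e4f:5a6b%eth0"],
    "v6-only-global": ["2001:db8::20"],
    "dual-mixed": ["10.0.0.5", "2001:db8::5"],
}

if __name__ == "__main__":
    for name, addrs in SAMPLES.items():
        print(name, classify(addrs)[0])
```

On a machine that shows the block, `classify(resolve("ComputerName"))` reports which of these cases the host is in before any per-host Site rule is added.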