Re: SYSTEM versus USER ruleset
Posted: Tue Nov 20, 2012 10:42 pm
The two rulesets are used exactly the same way. As far as I know, the reason for having two is so that you can apply two sets of rules.
When a rule is satisfied, ABE stops processing that ruleset. However, if the request was not entirely blocked, it will still process the other ruleset. So, if you have a USER rule that anonymizes a request, but the request was actually an external site trying to reach LOCAL (which will be blocked by the default SYSTEM rule), then ABE will still process the SYSTEM ruleset and block it.
By doing this, you can write rules in the USER ruleset without worrying that you'll accidentally override the protection of the default rule. However, if you need to add exceptions to the default rule, then you'll need to edit the SYSTEM ruleset.
Thus far, the SYSTEM ruleset has just the one rule, but in future, perhaps it will have more. The NAT Pinning defence is a candidate.
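The evaluation order the post describes (first matching rule settles a ruleset; the other ruleset is still consulted unless the request was blocked outright; exceptions to the default rule only work when placed in SYSTEM) can be modelled in a few dozen lines. The following is an added illustration, not NoScript's own ABE code: the rule syntax is a simplified subset (`Site`, `Accept`, `Anonymize`, `Deny`, with an optional `from` origin pattern), processing USER before SYSTEM is an assumption, and all rulesets and requests are constructed.

```python
"""
Toy model of ABE's two-ruleset evaluation (USER plus SYSTEM) as described in
the post above. Added illustration, not NoScript's own code. Assumptions:
simplified rule syntax (Site / Accept / Anonymize / Deny, optional "from"
pattern), USER evaluated before SYSTEM, and constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(host: str) -> bool:
    """LOCAL in this model: loopback/private IPs or the literal 'localhost'."""
    try:
        return any(ipaddress.ip_address(host) in net for net in LOCAL_NETS)
    except ValueError:
        return host == "localhost"


def matches(pattern: str, url: str) -> bool:
    """Does a Site/from pattern match the host of a URL?"""
    host = urlparse(url).hostname or ""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return is_local(host)
    if pattern.startswith("*."):        # *.example.com also matches example.com
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


@dataclass
class Rule:
    site: str
    actions: list                        # [(verdict, from_pattern or None), ...]


def parse_ruleset(text: str) -> list:
    """Parse the simplified rule syntax; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "site":
            rules.append(Rule(site=parts[1], actions=[]))
            continue
        if not rules:
            raise ValueError("action line before any Site line: %r" % raw)
        verdict = parts[0].lower()
        if verdict not in ("accept", "anonymize", "deny"):
            raise ValueError("unknown action %r" % parts[0])
        origin = parts[2] if len(parts) >= 3 and parts[1].lower() == "from" else None
        rules[-1].actions.append((verdict, origin))
    return rules


def apply_ruleset(rules: list, origin: str, dest: str):
    """The first rule whose Site matches dest and has an applicable action line
    settles this ruleset. Returns its verdict, or None if nothing applied."""
    for rule in rules:
        if not matches(rule.site, dest):
            continue
        for verdict, frm in rule.actions:
            if frm is None or matches(frm, origin):
                return verdict           # ruleset stops here (rule satisfied)
    return None


def evaluate(user_text: str, system_text: str, origin: str, dest: str) -> str:
    """Apply USER, then SYSTEM unless the request is already blocked outright.
    Deny wins over anonymize, which wins over accept."""
    final = "accept"
    for text in (user_text, system_text):
        verdict = apply_ruleset(parse_ruleset(text), origin, dest)
        if verdict == "deny":
            return "deny"                # entirely blocked: nothing left to decide
        if verdict == "anonymize":
            final = "anonymize"
    return final


# Constructed sample rulesets mirroring the post's scenario.
SYSTEM_RULES = """
Site LOCAL
Accept from LOCAL
Deny
"""

USER_RULES = """
Site ALL
Anonymize from *.tracker.example
"""

if __name__ == "__main__":
    tracker, router = "https://ads.tracker.example/", "http://192.168.1.1/admin"
    # USER anonymizes, but SYSTEM still runs and blocks external -> LOCAL.
    print(evaluate(USER_RULES, SYSTEM_RULES, tracker, router))
    # Same origin to a public site: SYSTEM has no opinion, USER's verdict stands.
    print(evaluate(USER_RULES, SYSTEM_RULES, tracker, "https://shop.example/"))
```

Putting an `Accept from *.tracker.example` exception for `Site LOCAL` at the top of the USER ruleset changes nothing, because SYSTEM is still evaluated and denies; the same line added to the SYSTEM rule before its `Deny` does let the request through (still anonymized by USER).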