
Packet Filter Plugin

VERSION 5

Created on: Aug 24, 2007 4:11 PM by Nate Putnam - Last Modified:  Nov 1, 2007 1:28 PM by Nate Putnam

Version 1.0a

Overview

 

The packet filter plugin allows you to create rules that will block or reject certain packets to the server.

 

 

Installation

 

Copy packetFilter.jar into the plugins directory of your Openfire installation. The plugin will then be automatically deployed. To upgrade to a new version, copy the new packetFilter.jar file over the existing file.

 

 

Currently, only the following databases are supported:

  • PostgreSQL

  • MySQL

  • MSSQL

  • HSQLDB (embedded)

Configuration

 

The Packet Filter plugin can be configured under "Server"-"Server Settings"-"Packet Filter Rules".

 

Using the Plugin - Creating Rules

Actions

 

Actions come in three types: Pass, Drop and Reject.

 

 

  • Pass - This will allow the packet to be delivered normally.

  • Drop - This will silently drop the packet without notifying the sender.

  • Reject - This rule tries to notify the person who sent the packet that their message was
         rejected. There are a couple of issues with this. First, not all clients handle the
         forbidden packet condition, so notification of users that their packet was rejected
         is pretty spotty; your mileage may vary. This rule has two configurable options that
         can be set in the system properties screen:

    • pf.rejectMessage: Defaults to "Your message was rejected by the packet filter".

    • pf.rejectSubject: Defaults to "Rejected".

 

 

Disable

 

This allows you to quickly disable a rule without deleting it. Disabled rules still appear on the main rule page, but are shown with a strikethrough.

 

 

 

 

Packet Type

 

This specifies the type of packet the rule applies to. Your choices are:

 

 

  • Message

  • Presence

  • IQ

  • Any - All of the above

 

 

From

 

This specifies the source base JID. Currently, resource-specific rules aren't supported. The options for specifying a source are:

 

 

  • Any - Just like it sounds: the rule matches any source.

  • User - These are all the local users defined on your Openfire server, all user accounts.

  • Group - All groups defined on your server. The source will match if the sender is a member of the specified group.

  • Other - This lets you specify a free-form JID (for example, test@example.com).

 

 

To

 

This specifies the destination base JID. The options for selecting the destination JID are the same as above.

 

 

Log

 

This prints a message to info.log when the rule is executed. This is recommended only for troubleshooting, as it can fill up the logs pretty quickly in production environments. Some example output:

 

 

 

Rejecting packet from bart@nate-putnams-computer.local/Adium to lisa@nate-putnams-computer.local/Psi

 

 

Description

Leave yourself a note so you can remember why you wrote the rule in the first place.

Changing Rule Order

 

The first rule that matches an incoming packet will be executed. For example, consider the following rules:

 

 

 

 

Here we don't want any of the Simpsons talking to each other, so every message from members of the Simpson group to each other is dropped. However, Marge and Homer should be able to talk to each other. To accomplish this, rules allowing Homer to send message packets to Marge and vice versa are placed before the drop rule. New rules are automatically appended to the rule list. Rules can be moved at any time using the arrows in the UI. When a rule is moved, the changes take effect immediately.
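
The first-match behaviour described above, as an added example (not the plugin's own code): a small Python model of rule evaluation using the Simpsons rules, showing how moving the drop rule to the top shadows the Homer/Marge exceptions. The example.com JIDs, the group name and the default of delivering packets that no rule matches are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data: group membership by bare JID (placeholder domain).
GROUPS = {"simpsons": {"homer@example.com", "marge@example.com",
                       "bart@example.com", "lisa@example.com"}}

def bare(jid):
    """Strip the resource part: rules match on the base JID only."""
    return jid.split("/", 1)[0].lower()

@dataclass
class Rule:
    action: str             # "pass", "drop" or "reject"
    ptype: str              # "message", "presence", "iq" or "any"
    src: tuple              # ("any",), ("jid", bare_jid) or ("group", name)
    dst: tuple
    disabled: bool = False  # disabled rules stay in the list but never match

def side_matches(selector, jid):
    kind = selector[0]
    if kind == "any":
        return True
    if kind == "group":
        return bare(jid) in GROUPS.get(selector[1], set())
    return bare(jid) == selector[1]   # "jid" covers the User and Other options

def decide(rules, ptype, sender, recipient):
    """Return the action of the first enabled rule that matches, top to bottom."""
    for rule in rules:
        if rule.disabled or rule.ptype not in ("any", ptype):
            continue
        if side_matches(rule.src, sender) and side_matches(rule.dst, recipient):
            return rule.action
    return "pass"   # assumption: a packet that no rule matches is delivered

HOMER, MARGE = ("jid", "homer@example.com"), ("jid", "marge@example.com")
SIMPSONS = ("group", "simpsons")
ORDERED = [
    Rule("pass", "message", HOMER, MARGE),
    Rule("pass", "message", MARGE, HOMER),
    Rule("drop", "message", SIMPSONS, SIMPSONS),
]
# Same rules with the drop rule moved to the top: it now shadows both exceptions.
SHADOWED = [ORDERED[2], ORDERED[0], ORDERED[1]]

if __name__ == "__main__":
    for name, rules in (("ordered", ORDERED), ("shadowed", SHADOWED)):
        print(name, decide(rules, "message",
                           "homer@example.com/Adium", "marge@example.com/Psi"))
```

When auditing a rule list, any Pass rule that sits below a broader Drop or Reject rule covering the same sender and recipient can never fire.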

 

 

 

 





wroot says:

Pass and Reject do the same?? I mean Reject still allows messaging.

wroot says:

I thought Spark should handle forbidden packet conditions.

Nate Putnam says in response to wroot:

What operating system are you using? I've been able to reproduce this on Windows. Since I did all my dev on OSX I didn't run into this. I don't think Spark does handle error packets, it may do something with them, but it doesn't notify the user that there was a packet error like PSI and Adium do. I'll dig into the Windows issue more.

Bartek Zdanowski  says:

Is the source code available somewhere?

wroot says in response to Nate Putnam:

Yes, I'm using Windows.

Nate Putnam says in response to wroot:

I've been looking into this more and it appears to be an OF 3.3.x vs. OF 3.4.x problem. I'm going to try and create a reject rule that will work in both.

 

@zdanek, I'll try and attach the source later today.

Nate Putnam says in response to Nate Putnam:

I've fixed the reject rule so it should work in both 3.3.x and the 3.4.x versions of Openfire. I've also attached the source. Enjoy!

wroot says in response to Nate Putnam:

Great. I even get a rejection message in Spark. Though I don't like that it's a separate broadcast, so a novice user can miss it or not understand what was rejected.

 

So maybe this could be sent as a message? Or maybe this broadcast should contain username, time or maybe whole message text.

 

Broadcast title in Spark is "Broadcast from Broadcast" and the message itself looks like "(6:37 AM) Broadcast: Your message was rejected", though I have set custom pf.From and pf.rejectSubject properties. Maybe it should use that.

Nate Putnam says in response to wroot:

Ya. I liked the functionality the reject rule had before better, it worked more how you would expect. There was some weirdness caused by the ClientSession refactoring, I think, that caused this rule to stop working. I'm going to rework the rule soon and come up with something more robust. My main goal was just to get this plugin out there and working reasonably well.

 

Let me know if you have any other ideas or run into any more weirdness and I will try and get it in the next version.

prozaker  says:

How can I reject all of the users from the msn transport, and only allow the ones I specify?

wroot says in response to prozaker:

There is a "Manual registration only (see the Registrations section to manage)" setting of IM Gateway, though I haven't tried this.

prozaker  says in response to wroot:

Hmm no, that's not what I was asking.

 

I already have the manual registration turned on in the gateway.

 

The thing I want to do is block all of the users from the msn transport and only allow a few.

 

But I spoke with Nate about it, and it's a feature to be implemented in the near future.

BWright  says in response to prozaker:

I just installed this plugin so that we could limit who our employees chat with in the company, but unfortunately every time I set one of the source or dest. as a group, it will not work. Only if I specify a user to user will it block the packet. I am using the latest Openfire 3.4.1 and the latest plugin. There is nothing in the log other than the dropped packets for the user to user rule, nothing with regards to the user to group or group to group rules. Any ideas? Thanks.

 

Brian

Nate Putnam says in response to BWright:

Brian,

 

That is certainly possible. I haven't tested the Packet Filter with 3.4.x yet. It is on my list of things to do.

 

I'm going to start a thread on 3.4.x issues so anyone who wants to can start reporting/discussing issues they are having.

 

-Nate

Rob Alexander says:

This looks great. We'd like to use it to make it so that users on our student server couldn't discover services on our employee server. However, we are using an Oracle database. What would it take to get this plugin to support Oracle?

 

Thanks.