Packet Filter Plugin

Version 1.0a

Overview

The Packet Filter plugin lets you create rules that drop, reject or explicitly pass packets handled by the server, based on packet type, sender and recipient.

Installation

Copy packetFilter.jar into the plugins directory of your Openfire installation. The plugin will then be automatically deployed. To upgrade to a new version, copy the new packetFilter.jar file over the existing file.

Currently only the following databases are supported:

  • PostgreSQL

  • MySQL

  • MSSQL

  • HSQLDB (embedded)

Configuration

The Packet Filter plugin can be configured under “Server”-“Server Settings”-“Packet Filter Rules”.

Using the Plugin - Creating Rules

Actions

Actions come in three types: Pass, Drop and Reject.

  • Pass - This will allow the packet to be delivered normally.

  • Drop - This will silently drop the packet without notifying the sender.

  • Reject - This action tries to notify the sender that their packet was rejected.
    There is a caveat: not all clients handle the forbidden error condition, so
    notification of users that their packet was rejected is spotty; your mileage may
    vary. This action has two configurable options that can be set in the system
    properties screen:

    1. pf.rejectMessage : Defaults to “Your message was rejected by the packet filter”.
    2. pf.rejectSubject : Defaults to “Rejected”

Disable

This allows you to quickly disable a rule without deleting it. Disabled rules still appear on the main rule page, shown with a strikethrough, but are not applied.

Packet Type

This specifies the type of packet the rule applies to. The choices are:

  • Message

  • Presence

  • IQ

  • Any - All of the above

From

This specifies the source bare JID. Currently resource-specific rules aren’t supported. The options for specifying a source are:

  • Any - Just like it sounds: matches any source.

  • User - One of the local user accounts defined on your Openfire server.

  • Group - One of the groups defined on your server. The source matches if the sender is a member of the specified group.

  • Other - A free-form JID that you type in (for example test@example.com).

To

This specifies the destination bare JID. The options for selecting the destination are the same as for the source.

Log

This prints a message to info.log each time the rule fires. It is recommended only for troubleshooting, since it can fill up the logs quickly in production environments. Example output:

Rejecting packet from bart@nate-putnams-computer.local/Adium to lisa@nate-putnams-computer.local/Psi

Description

Leave yourself a note so you can remember why you wrote the rule in the first place.

Changing Rule Order

The first rule that matches an incoming packet is the one executed; later rules are not consulted. For example, consider a rule set for the Simpsons group:

Here we don’t want any of the Simpsons talking to each other, so every message from a member of the Simpsons group to another member is dropped. However, Marge and Homer should be able to talk to each other. To accomplish this, rules allowing Homer to send message packets to Marge and vice versa are placed before the drop rule. New rules are automatically appended to the end of the rule list. Rules can be moved at any time using the arrows in the UI, and the change takes effect immediately.
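The first-match behaviour and the Simpsons rule set described above, modelled as an added example. This is not code from the Packet Filter plugin; it assumes a constructed directory (domain example.com, a group named simpsons containing homer, marge, bart and lisa, and an unrelated user ned) and a simple string form for the From/To selectors (`user:<name>`, `group:<name>`, `other:<jid>`, `any`). It also shows what happens when the Drop rule is moved above the Pass rules, and when it is disabled.

```python
"""Added example, not code from the Packet Filter plugin: a small model of its
first-match rule evaluation, showing why rule order matters."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample directory (assumed, not from the plugin).
DOMAIN = "example.com"
GROUPS = {"simpsons": {"homer", "marge", "bart", "lisa"}}
VERB = {"pass": "Passing", "drop": "Dropping", "reject": "Rejecting"}


@dataclass
class Rule:
    action: str        # "pass", "drop" or "reject"
    packet_type: str   # "message", "presence", "iq" or "any"
    src: str           # "any", "user:<name>", "group:<name>" or "other:<jid>"
    dst: str           # same forms as src
    enabled: bool = True
    log: bool = False
    description: str = ""


def bare_jid(jid: str) -> str:
    """Rules match on the bare JID; the resource (after '/') is ignored."""
    return jid.split("/", 1)[0]


def local_node(jid: str) -> Optional[str]:
    """Return the username if the JID belongs to our domain, else None."""
    node, sep, domain = bare_jid(jid).partition("@")
    return node if sep and domain == DOMAIN else None


def endpoint_matches(spec: str, jid: str) -> bool:
    """Apply one From/To selector (Any, User, Group or Other) to a JID."""
    kind, _, value = spec.partition(":")
    if kind == "any":
        return True
    if kind == "user":
        return local_node(jid) == value
    if kind == "group":
        return local_node(jid) in GROUPS.get(value, set())
    if kind == "other":
        return bare_jid(jid) == bare_jid(value)
    raise ValueError(f"unknown selector {spec!r}")


def evaluate(rules: List[Rule], packet_type: str, frm: str, to: str,
             log: Optional[List[str]] = None) -> str:
    """Return the action of the first enabled rule matching the packet.
    A packet matched by no rule is delivered normally ("pass")."""
    for rule in rules:
        if not rule.enabled:
            continue  # disabled rules stay in the list but are skipped
        if rule.packet_type not in ("any", packet_type):
            continue
        if endpoint_matches(rule.src, frm) and endpoint_matches(rule.dst, to):
            if rule.log and log is not None:
                log.append(f"{VERB[rule.action]} packet from {frm} to {to}")
            return rule.action
    return "pass"


# The rule set from "Changing Rule Order": the two Pass rules sit above the
# group-wide Drop rule so that Homer and Marge can still talk.
SIMPSONS_RULES = [
    Rule("pass", "message", "user:homer", "user:marge", description="Homer -> Marge"),
    Rule("pass", "message", "user:marge", "user:homer", description="Marge -> Homer"),
    Rule("drop", "message", "group:simpsons", "group:simpsons", log=True,
         description="No other Simpsons may message each other"),
]


def demo() -> dict:
    """Evaluate a few constructed packets against SIMPSONS_RULES."""
    log: List[str] = []
    results = {
        "homer->marge": evaluate(SIMPSONS_RULES, "message",
                                 f"homer@{DOMAIN}/Spark", f"marge@{DOMAIN}", log),
        "bart->lisa": evaluate(SIMPSONS_RULES, "message",
                               f"bart@{DOMAIN}/Adium", f"lisa@{DOMAIN}/Psi", log),
        "bart->ned": evaluate(SIMPSONS_RULES, "message",  # Ned is not in the group
                              f"bart@{DOMAIN}", f"ned@{DOMAIN}", log),
        "bart->lisa presence": evaluate(SIMPSONS_RULES, "presence",  # wrong type
                                        f"bart@{DOMAIN}", f"lisa@{DOMAIN}", log),
    }
    return {"results": results, "log": log}


def drop_rule_moved_first() -> str:
    """With the Drop rule on top, the Pass rules never fire: Homer -> Marge is dropped."""
    rules = [SIMPSONS_RULES[2], SIMPSONS_RULES[0], SIMPSONS_RULES[1]]
    return evaluate(rules, "message", f"homer@{DOMAIN}", f"marge@{DOMAIN}")


def drop_rule_disabled() -> str:
    """A disabled rule is skipped, so Bart -> Lisa falls through to the default pass."""
    rules = SIMPSONS_RULES[:2] + [
        Rule("drop", "message", "group:simpsons", "group:simpsons", enabled=False)]
    return evaluate(rules, "message", f"bart@{DOMAIN}", f"lisa@{DOMAIN}")


if __name__ == "__main__":
    print(demo(), drop_rule_moved_first(), drop_rule_disabled())
```

Note that the default when no rule matches is to pass the packet, so an explicit Pass rule only has an effect when it is placed above a Drop or Reject rule that would otherwise catch the same packet.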

packetFilter.jar (46623 Bytes)
packetfilter_src.tar.gz (38598 Bytes)

Pass and Reject do the same?? I mean Reject still allows messaging.

I thought Spark should handle forbidden packet conditions.

What operating system are you using? I’ve been able to reproduce this on Windows. Since I did all my dev on OS X I didn’t run into this. I don’t think Spark does handle error packets; it may do something with them, but it doesn’t notify the user that there was a packet error like PSI and Adium do. I’ll dig into the Windows issue more.

Is sourcecode somewhere available?

Yes, I’m using Windows.

I’ve been looking into this more and it appears to be an OF 3.3.x vs. OF 3.4.x problem. I’m going to try and create a reject rule that will work in both.

@zdanek, I’ll try and attach the source later today.

I’ve fixed the reject rule so it should work in both 3.3.x and the 3.4.x versions of Openfire. I’ve also attached the source. Enjoy!

Great. I even get a rejection message in Spark. Though I don’t like that it’s a separate broadcast, so a novice user can miss it or not understand what was rejected.

So maybe this could be sent as a message? Or maybe this broadcast should contain username, time or maybe whole message text.

The broadcast title in Spark is “Broadcast from Broadcast” and the message itself looks like “(6:37 AM) Broadcast: Your message was rejected”, though I have set custom pf.From and pf.rejectSubject properties. Maybe it should use those.

Ya. I liked the functionality the reject rule had before better; it worked more how you would expect. There was some weirdness caused by the ClientSession refactoring, I think, that caused this rule to stop working. I’m going to rework the rule soon and come up with something more robust. My main goal was just to get this plugin out there and working reasonably well.

Let me know if you have any other ideas or run into any more weirdness and I will try and get it in the next version.

There is a “Manual registration only (see the Registrations section to manage)” setting of IM Gateway, though I haven’t tried this.

I just installed this plugin so that we could limit who our employees chat with in the company, but unfortunately every time I set one of the source or destination as a group, it will not work. Only if I specify user to user will it block the packet. I am using the latest Openfire 3.4.1 and the latest plugin. There is nothing in the log other than the dropped packets for the user-to-user rule, nothing with regard to the user-to-group or group-to-group rules. Any ideas? Thanks.

Brian

Brian,

That is certainly possible. I haven’t tested the Packet Filter with 3.4.x yet. It is on my list of things to do.

I’m going to start a thread on 3.4.x issues so anyone who wants to can start reporting/discussing issues they are having.

-Nate

This looks great. We’d like to use it to make it so that users on our student server couldn’t discover services on our employee server. However, we are using an Oracle database. What would it take to get this plugin to support Oracle?

Thanks.

Hello everyone

I’m a rookie with the topic of Openfire and Spark. I wonder if I can create some Packet Filter rules with Oracle, or if it is required to use the databases stated in the document.

The problem is that the company I am currently at only uses Oracle.

Thanks

Is there a way to reject traffic IP to IP using “Other JID”?