Packet Filter Plugin 3.0.1

Version 3.0.1

Overview

Bug fix release. Main issues addressed :

  • Ensure 3.7.x compatibility.
  • Group performance issue. Previouslly an uncached list of group members was accessed. This fix should greatly improve performance of ldap group rules.
  • Code cruft removal.

Installation

Copy packetFilter.jar into the plugins directory of your Openfire installation. The plugin will then be automatically deployed. To upgrade to a new version, copy the new packetFilter.jar file over the existing file.Currently only the following databases are supported :

  • Postgresql
  • Mysql
  • MSSQL
  • Hsqldb (embedded)
  • Oracle - I created a schema for this and put it in the database/extra subdirectory of the plugin. I can’t get the schema to automatically apply itself when the plugin deploys, it has to be deployed manually.

Configuration

The Packet Filter plugin can be configured under “Server”-“Server Settings”-“Packet Filter Rules”.

Using the Plugin - Creating Rules

Actions

Actions come in 3 types Pass, Drop and Reject.

  • Pass - This will allow the packet to be delivered normally.
  • Drop - This will silently drop the packet without notifying the sender.
  • Reject - This rule tries to notify the person who sent it that their message was rejected.
    There are a couple issues with this. First, not all clients handle forbidden packet
    condition. The notification of users that their packet was rejected is therefore pretty
    spotty, your mileage may vary. This rule has 2 configurable options that can be set in
    the system properties screen :
      1. pf.rejectMessage : Defaults to “Your message was rejected by the packet filter”.
      1. pf.rejectSubject : Defaults to “Rejected”
      1. pf.From : Defaults to “packetFilter”.

Disable

This allows you to quickly disable a rule without deleting it. Disabled rules will still appear on the main rule page but will have a strike through like so :

Packet Type

This specifies what type of packets you want to disable your choices are :

  • Message - Regular old message.
  • Presence - Presence Info.
  • IQ - Used to transfer most other data.
  • MUC - Multi User Chat, chat rooms.
  • MUC Private Message - A private message within a chat room.
  • Any - All of the above

From

This specifies the source base JID. Currently resource specific rules aren’t supported. The options for specifying a source are :

  • Any - Just like it sounds, if the source is anything.
  • User - These are all the local users defined on your Openfire server, all user accounts.
  • Group - All groups defined on your server. The source will match if the sender is a member of the specified group.
  • Component - This allows you to choose from the services running on the server.
  • Other - This will let you specify a free form JID. (test@example.com). One wild card can be specified to do a whole domain e.g. *@example.com.

To

This specifies the destination base JID. The options for selecting the destination JID are the same as above.

Log

This prints a message to the info.log when the rule is executed. This is recommend only for trouble shooting as it can fill up the logs pretty quickly in production environments. Some example output :Rejecting packet from bart@nate-putnams-computer.local/Adium to lisa@nate-putnams-computer.local/Psi

Description

Leave yourself a note so you can remember why you wrote the rule in the first place.

Changing Rule Order

The first rule that matches an incoming packet will be executed. For example consider the following rules:Here we don’t want any of the Simpson’s talking to each other so every message from members of the Simpson group to each other are dropped. However, Marge and Homer should be able to talk to each other. To accomplish this rules allowing Homer to send message packets to Marge and vice versa are placed before the drop rule. New rules are automatically appended to the rule list. Rules can be moved at anytime using the arrows in the UI. When a rule is moved the changes take effect immediately.

Known Issues