mod_filter - Flexible Filtering by Server Policy

Name: mod_filter
Purpose: Flexible filtering by server policy
Author: Magnus Henoch
Type: Module
Requirements: ejabberd (works in ejabberd 0.9.8, 2.0.x and 2.1.x)
Download: Source code: Knobo's github repo (for ejabberd 13+).
Source code: Bugzilla.
Binary: mod_filter-216-r12b5.zip (2010-05-20 version for ejabberd 2.1.6 with Erlang/OTP R12B-5).

This module allows the admin to specify packet filtering rules using ACL and ACCESS.

Install

  1. Download the updated mod_filter.erl from Bugzilla and copy it to ejabberd/src.
  2. Add the module to the list of modules in ejabberd.cfg:
    {modules, [
      ...
      {mod_filter, []},
      ...
    ]}.
  3. Add to ejabberd.cfg the default ACCESS configuration:
    {access, mod_filter, [{allow, all}]}.
    {access, mod_filter_presence, [{allow, all}]}.
    {access, mod_filter_message, [{allow, all}]}.
    {access, mod_filter_iq, [{allow, all}]}.
    
    Then modify those ACCESS rules to your needs. You can see examples below.
  4. Recompile and restart ejabberd.

Configuration examples

The configuration of rules is done using ejabberd's ACL and ACCESS, so you should also study the corresponding section of the ejabberd Guide. These are examples that may help you understand how it works.

Example 1

%% Admins can send anything.  Others are restricted in various ways.
{access, mod_filter, [{allow, admin},
                      {restrict_local, local},
                      {restrict_foreign, all}]}.

%% Local non-admin users can only send messages to other local users.
{access, restrict_local, [{allow, local},
                          {deny, all}]}.
%% Foreign users can only send messages to admins.
{access, restrict_foreign, [{allow, admin},
                            {deny, all}]}.

Example 2

In this example, the users of a private vhost (example3.org) can only chat among themselves, so that particular vhost has no connection to the outside. The other vhosts on the server are completely unrestricted. The administrators are also unrestricted.
% This ejabberd server has three virtual hosts
{hosts, ["example1.org", "example2.org", "example3.org"]}.

% This ACL will match any user or service (MUC, PubSub...) hosted on example3.org
{acl, ex3server, {server_glob, "*example3.org"}}.

% The main mod_filter rule allows any admin, but restricts example3 and the rest of packets
{access, mod_filter, [{allow, admin},
                      {restrict_ex3, ex3server},
                      {restrict_nonex3, all}]}.

% This rule, which applies to packets sent from Ex3 non-admin users,
% allows packets sent to Ex3 server (packets internal to the vhost) and denies anything else.
{access, restrict_ex3, [{allow, ex3server},
                        {deny, all}]}.

% This rule, which applies to the rest of packets (the ones that are not sent from Ex3),
% allows all packets to admins (allowing replies to stanzas from Ex3 admins),
% denies all other access to Ex3, and allows access to anything else.
{access, restrict_nonex3, [{allow, admin},
                           {deny, ex3server},
                           {allow, all}]}.
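As an added illustration (not the module's own code), the following Python models the rule evaluation that the comments in Example 2 describe: the mod_filter ACCESS rule is matched against the sender's JID, and when the matching clause names another ACCESS rule, that rule is matched against the recipient. The two admin JIDs, the use of fnmatch for server_glob and treating any second-level result other than allow as deny are assumptions; the ACLS and ACCESS tables can be swapped for those of the other examples to check a policy before deploying it.

```python
import fnmatch

# Constructed policy mirroring Example 2 above. The page never shows the admin
# ACL, so two admin JIDs are assumed here.
HOSTS = ["example1.org", "example2.org", "example3.org"]
ADMINS = {"admin@example1.org", "admin@example3.org"}  # assumed
ACLS = {"ex3server": [("server_glob", "*example3.org")]}
ACCESS = {
    "mod_filter": [("allow", "admin"), ("restrict_ex3", "ex3server"),
                   ("restrict_nonex3", "all")],
    "restrict_ex3": [("allow", "ex3server"), ("deny", "all")],
    "restrict_nonex3": [("allow", "admin"), ("deny", "ex3server"),
                        ("allow", "all")],
}

def split_jid(jid):
    """Return (user, server) of a JID; services such as MUC have no user part."""
    bare = jid.split("/", 1)[0]  # drop the resource
    user, sep, server = bare.rpartition("@")
    return (user, server) if sep else ("", bare)

def acl_match(acl, jid):
    """Subset of ejabberd ACL matching: all, admin, local and server_glob."""
    user, server = split_jid(jid)
    if acl == "all":
        return True
    if acl == "admin":
        return f"{user}@{server}" in ADMINS
    if acl == "local":
        return server in HOSTS
    return any(kind == "server_glob" and fnmatch.fnmatchcase(server, pattern)
               for kind, pattern in ACLS.get(acl, []))

def match_rule(rule, jid):
    """First clause whose ACL matches wins; no match means deny."""
    for result, acl in ACCESS.get(rule, []):
        if acl_match(acl, jid):
            return result
    return "deny"

def filter_packet(sender, recipient):
    """mod_filter is evaluated against the sender; a result that names another
    rule is then evaluated against the recipient (assumed two-level model)."""
    verdict = match_rule("mod_filter", sender)
    if verdict not in ("allow", "deny"):
        verdict = match_rule(verdict, recipient)
    return "allow" if verdict == "allow" else "deny"
```

Calling filter_packet("alice@example3.org", "carol@example1.org") returns "deny" while the reverse direction is also denied, whereas a reply from carol to admin@example3.org is allowed, which is the behaviour the comments on restrict_nonex3 describe.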

Example 3

Allow just some MSN users (romeo and juliet) using the transport msn.example.com to communicate with the users of the server.
{acl, good_msn_users, {user, "romeo%hotmail.com", "msn.example.com"}}.
{acl, good_msn_users, {user, "juliet%hotmail.com", "msn.example.com"}}.
{acl, good_msn_users, {user, "", "msn.example.com"}}.
{acl, msn_users, {server_glob, "msn*"}}.

{access, mod_filter, [
  % Filter incoming messages; allow only good messages
  {allow, good_msn_users},
  {deny, msn_users},
  % Filter the rest, including outgoing messages
  {filter_msn, all}
]}.

{access, filter_msn, [
  % Users can send messages to good MSN users
  {allow, good_msn_users},
  % but not to other MSN users
  {deny, msn_users},
  % All non-MSN traffic is allowed
  {allow, all}
]}.

Example 4

This server has two virtual hosts: one is typical and the other has only anonymous users. The anonymous users cannot send presence stanzas to, or receive them from, anyone outside their vhost.
{hosts, ["localhost", "anon.localhost"]}.

{auth_method, [internal]}.
{host_config, "anon.localhost", [{auth_method, anonymous},
                                 {anonymous_protocol, both}]}.

{acl, anon_user, {server_glob, "*anon.localhost"}}.

{access, mod_filter, [{allow, all}]}.

{access, mod_filter_presence, [{allow, admin},
                               {restrict_anon, anon_user},
                               {restrict_no_anon, all}]}.
{access, restrict_anon, [{allow, anon_user}, {deny, all}]}.
{access, restrict_no_anon, [{allow, admin}, {deny, anon_user}, {allow, all}]}.

{access, mod_filter_message, [{allow, all}]}.
{access, mod_filter_iq, [{allow, all}]}.

Example 5

This server has three virtual hosts. The first and second cannot communicate with each other. The admins do not have that restriction.

{hosts, ["domain1.localhost", "domain2.localhost", "domain3.localhost"]}.

{acl, domain1, {server_glob, "*domain1.localhost"}}.
{acl, domain2, {server_glob, "*domain2.localhost"}}.

{access, mod_filter, [{allow, admin},
                      {restrict_dom1, domain1},
                      {restrict_dom2, domain2},
                      {allow, all}]}.
{access, mod_filter_presence, [{allow, admin},
                               {restrict_dom1, domain1},
                               {restrict_dom2, domain2},
                               {allow, all}]}.
{access, mod_filter_message, [{allow, admin},
                              {restrict_dom1, domain1},
                              {restrict_dom2, domain2},
                              {allow, all}]}.
{access, mod_filter_iq, [{allow, admin},
                         {restrict_dom1, domain1},
                         {restrict_dom2, domain2},
                         {allow, all}]}.

{access, restrict_dom1, [{allow, domain1},
                        {deny, all}]}.
{access, restrict_dom2, [{allow, domain2},
                        {deny, all}]}.

Comments

This module has been superficially tested. Its performance impact is so far unknown. It is a bit tricky to configure.

Have you tried this module? Did it work well for you? Did you do any benchmarks to see how it affects performance? Is there something that should be changed?

In any case, I would like to know. My Jabber ID is legoscia@jabber.cd.chalmers.se.


Update for newer version of ejabberd

give me muc_filter.erl to

give me muc_filter.erl
to filter messages from unaffliated users through Jabber ID

:)

Help with filtering

As I have mentioned in my previous post, I need to set a filter between users. I was trying mod_filter, but for an unknown reason it doesn't work properly on my server. The problem seems very strange to me, especially since no one before has reported such a problem (problem: enabling mod_filter in ejabberd.cfg, filtering works but blocks all other services; enabling mod_filter with the acl internal_services causes no filtering to be made). What is wrong with my configuration (see)?

The main idea is: two vhosts, example.com and other.com. Example.com can have full access to all users and services, but other.com can have access ONLY to example.com (no communication among other.com is allowed).

Is it possible to set this configuration in any other way?

mod_filter and service discovery

Hi

I'm trying to configure an ejabberd server with an internal users group and a customers group (external). I found mod_filter to be a great solution for setting rules for each group. One of the rules is that the external users cannot interact with other external users but can interact with internal users. Internal users can interact with everybody. I set it up this way:

{acl, internal, {user_glob, "ga*","example.com"}}.
{acl, external, {user_glob, "test*","example.com"}}.

%access for mod_filter

{access, mod_filter, [{allow, admin},
                      {allow, internal},
                      {restrict_ext, external}]}.

%This rule applies to the packets sent from 'external' non-admin users,
%allows packets sent to 'internal' server and denies anything else.
{access, restrict_ext, [{allow, internal},
                        {deny, all}]}.

This setting works, but unfortunately another problem appears. When mod_filter is enabled, other services (MUC, vcard etc.) are not available for any user. I use the PSI client. After entering Service Discovery, there are no services to use.

Could someone help me, please?
Does anybody know where my mistake is?

Thank you

Maybe the packets sent by

Maybe the packets sent by the services are blocked by mod_filter. If that's the problem, a possible solution may look like this:

{acl, internal_services, {server, "*.example.com"}}.

{access, mod_filter, [
  {allow, admin},
  {allow, internal},
  {allow, internal_services},
  {restrict_ext,external}]}.

Note that I didn't try it. Maybe the proposed ACL is not exactly correct.

Filter

Hi..
I use ejabberd 2.1.13.
I tried mod_shit to filter bad messages but it does not work!
I want to configure ejabberd with mod_filter to work with the isida bot and filter conferences...
"filter messages from unaffiliated users through Jabber ID"
like jabber.ru
What should I do?

Thank you.

muc mod filter

this is not mod_filter but is editing mod_muc_room.beam or known what is you system server for a mod defrinds ejabberd-2.1.11 or ejabberd-2.1.13

Still

I have tried as you propose, but it seems like it doesn't solve the problem. I found out that service discovery is blocked even if all the acls and accesses are commented out. There is one thing I did not like in the installation instructions: it is written to recompile ejabberd, and I only compiled the module file. Do you think that could cause this problem?

Restricting msn user on other host

Hi.. Everybody... please help me out...

I want to allow some users of "msn" on the other host ("example.net").

I have two hosts, "example.com" and "example.net".

I have applied the following in the .cfg file.

{acl, hosta, {server_glob, "*example.com"}}.
{acl, hostb, {server_glob, "*example.net"}}.

{acl, good_msn_users, {user, "romeo%hotmail.com", "msn.example.com"}}.
{acl, good_msn_users, {user, "juliet%hotmail.com", "msn.example.com"}}.
{acl, good_msn_users, {user, "", "msn.example.com"}}.
{acl, msn_users, {server_glob, "msn*"}}.

% The main mod_filter rule restricts hostb but allows all the traffic on hosta
{access, mod_filter, [{restrict_b, hostb},
                      {filter_c, all}]}.

% Only allow good msn users on hostb; other traffic is allowed.
{access, restrict_b, [{allow, good_msn_users},
                      {deny, msn_users},
                      {allow, all}]}.

{access, filter_c, [{restrict_a, hostb},
                    {allow, all},
                    {allow, good_msn_users},
                    {allow, msn_users}]}.

{access, restrict_a, [{allow, good_msn_users},
                      {deny, msn_users}]}.

Please, if anyone finds a solution for this, reply. Thanks.

Nesting?

chirayu wrote:
{access, filter_c, [{restrict_a, hostb},
                      {allow, all},
                      {allow, good_msn_users},
                      {allow, msn_users}]}.

{access, restrict_a, [{allow, good_msn_users},
                      {deny, msn_users}]}.

I'm not an ACL expert, but I think nesting rules in that way won't work. You'll have to put the restrict_a rules directly in filter_c or something. (I'm not really sure that would make the logic fit right, though…)

allow some user of msn on hostb only but hosta can get all user

Thanks for your reply... I have done the following in my cfg file:
%This ACL will match any user or host
{acl, hosta, {server_glob, "*example.com"}}.
{acl, hostb, {server_glob, "*example.net"}}.

{acl, good_msn_users, {user, "romeo%hotmail.com", "msn.example.com"}}.
{acl, good_msn_users, {user, "juliet%hotmail.com", "msn.example.com"}}.
{acl, good_msn_users, {user, "", "msn.example.com"}}.
{acl, msn_users, {server_glob, "msn*"}}.

% The main mod_filter rule allows all hosts except hostb.
{access, mod_filter, [{restrict_b, hostb},
                      {filter_c, all}]}.

% Only allow good users on hostb and allow all users on hosta.
{access, restrict_b, [{allow, good_msn_users},
                      {deny, msn_users},
                      {allow, all}]}.

{access, filter_c, [{allow, good_msn_users},
                    {allow, msn_users},
                    {allow, all}]}.

This is working for me, but I can restrict only outgoing msn; I cannot stop incoming messages on hostb.
For hosta it's fine, I can get all the users and chat with them, that's ok.

But I want to allow only some users of "msn" on hostb. Is it possible? Please reply to me...

I can't get MUC to work with mod_filter correctly

Guys hi,

I am trying to connect to my MUC at conference.myserver.org

but I am also using mod_filter, which allows only admins to send and get messages, and also only allows admins to see the presence of users.

This however keeps my clients from entering the MUC; as soon as I allow everyone to message and everyone to share presence it works. Can anyone help me on this?

My mod_filter config is as follows:

{acl, ex3server, {server_glob, "*myserver.org"}}.

{access, mod_filter_presence, [{allow, admin},
                               {restrict_ex3, ex3server}]}.

{access, mod_filter_iq, [{allow, admin},
                         {restrict_ex3, ex3server}]}.

{access, mod_filter_message, [{allow, admin},
                              {restrict_ex3, ex3server}]}.

{access, mod_filter, [{allow, admin},
                      {restrict_ex3, ex3server}]}.

{access, restrict_ex3, [{allow, admin},
                        {deny, all}]}.

I would appreciate any help.
