Restrict users to group

jonas2 · August 2, 2013, 1:52pm

Hello,

how can I make sure that users from 1 group do not chat or know anything about users of another group ?

Kind regards,

Jonas.

jonas2 · August 2, 2013, 2:27pm

Let me clarify :

I have installed the plugin Packet Filter Rules as I read on this forum.

Then I have 3 rules :

Reject From:Any To:Any Packet Type:Any
Pass From:Group1 To:Group1 Packet Type:Any
Pass From:Group2 To:Group2 Packet Type:Any

So I reject everything, except from group to group.

But with the first rule in place, no one can see no one.

Without the first rule in place, anyone can see anyone.

So how do I restrict to groups ?

wroot · August 3, 2013, 10:21am

Try putting the first rule to the bottom. When the packet comes to Packet Filter, it checks if it matches the first rule. As you have set it to Any, then every packet is just dropped and no other checks are done.

As i see it, if you change the order, then say a packet from Group 1 to Group 2 comes to a filter. It won’t match rule 2. and rule 3. in your example and then it will match the Reject rule and will be dropped. Yet packets Group1->Group1 and Group2->Group2 will be matched before the Reject rule and so won’t be dropped.

jonas2 · August 3, 2013, 10:42am

Thank you for your reply.

I already tried putting the “Reject All” rule at the bottom, but then it has the same effect as putting it at the top.

It does not seem to matter where I place the “Reject All” rule…

wroot · August 3, 2013, 11:15am

Change Reject to Drop. Also after changing the rules, restart the clients. I just did a little test and it seems to work if i do first rule Group-Group pass and then Drop Any. But i have noticed that Spark takes very long to login when this rule is in place.

jonas2 · August 3, 2013, 11:40am

I did restart the clients, because I also saw that only then changes take effect.

I think I already tried changing Reject by Drop, but I will try it again.

Indeed when you make a rule to Drop/Reject All, it takes long to login.

jonas2 · August 5, 2013, 3:53pm

Changing Reject to Drop has the same effect.

Whether you put the rule on the top or the bottom of the rules, it has the same effect.

As a user you can not see or search for other persons in the same group.

It says “Unable to contact search service” and “no results where returned by the server”.

Of course you cannot see or search for users in other groups, which is good. But it is clear that it is still all or nothing.

So any more thoughts ?? Maybe another plugin that works ?

wroot · August 7, 2013, 10:03am

Drop worked fine in my tests (aside the longer login process). Of course it’s a test server and i have only logged with two test accounts and only with 2 rules in Packet Filter. There is no other plugin to achieve what you need.

jonas2 · August 7, 2013, 2:43pm

I also have a test server set up, with 4 test accounts : 2 accounts in each group.

What exactly was succesful in your test ?

Have you searched for contacts ? It does not work : you do not see the other contacts in your group.

wroot · August 11, 2013, 1:14pm

To be able to view contacts in your group (GroupA) you have to add a rule with Pass Any GroupA to GroupA.

What was successful:

I was able to see presence and chat with user from GroupA with users from GroupA and GroupB. I wasn’t able to see presence or chat with other groups.

Search needs Iq packets. So Drop Any breaks search. I have added Pass Iq Any to Any and then i was able to search and login was fast again. Of course, you will be able to search for any user, and you will be able to add them to your roster, but they will show up as offline and you won’t be able to chat with them.

So my rules look like this:

Pass Any GroupA to GroupB

Pass Any GroupB to GroupA

Pass Any GroupA to GroupA

Pass Any GroupB to GroupB

Pass Iq Any to Any

Drop Any Any to Any

Update: in bold