Forum Discussion
vmoseley_96930
Nimbostratus
NimbostratusAccess by reverse dns lookup
Hi, I'm currently using a very simple irule on a virtual server for controlling access via a network access APM access profile. when CLIENT_ACCEPTED { if {not [matchc...
hoolio
Cirrostratus
CirrostratusHi Vaughan,
I used NAME::lookup in the example below as there was a bug with reverse lookups and RESOLV::lookup. Now that that bug has been fixed in 10.2.1HF1, you could change it to RESOLV::lookup.
http://devcentral.f5.com/wiki/default.aspx/iRules/Block_requests_by_reverse_DNS_record.html
Aaron
Pete_A
Altocumulus
AltocumulusI know this is over a decade too late - but I've recently had the issue of having a support company with a dynamic DNS record wanting to be able to access the login URL of our website. We have a list of static IPs in IPS_OF_MANAGEMENT_HOSTS - but they wanted to add their DYNAMIC.DNS.NAME entry as well.
It may not be pretty - but here's what I did, hopefully it'll help someone (note that I put the calculation as far into the process as possible to minimise the chance of it running):
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::host]] {
"example.com" {
switch -glob [string tolower [HTTP::uri]] {
"/logonpage*" {
if { [class match [IP::client_addr] equals IPS_OF_MANAGEMENT_HOSTS] } {
pool BACKEND_SERVERS
} else {
set IPlookup [RESOLVER::summarize [RESOLVER::name_lookup "/Common/rr" DYNAMIC.DNS.NAME a] ]
set match "0"
foreach result $IPlookup {
if { [IP::client_addr] equals [lindex $result 4] } {
set match "1"
}
}
if {$match == 1} {
pool BACKEND_SERVERS
} else {
HTTP::respond 403 content "Access denied"
return
}
}
}
default {
pool BACKEND_SERVERS
}
}
}
}
}Note that you will've had to define your resolvers in TMSH in order to refer to it here. In theory it'll work where DNS returns multiple entries - although I haven't tested it.
