Forum Discussion

jlb4350
Oct 23, 2023

Block outbound connections via DNS rather than server_connected

I have an iRule that calls on a datagroup to block outbound traffic from my office to certain countries. The iRule is working, but I am using the iRule event "server_connected", and when that occurs it just drops the connection. However, I would like to drop this connection before the actual connection to the remote server occurs. The concern is that a TCP handshake still occurs with the remote server using this iRule. Is there a way to set this up by using a DNS query or a geolocate function, so that if the query returns that the server is in one of the countries in the blacklist datagroup, the connection is denied/rejected?

Here is my current iRule with "OutboundBlackList" being the datagroup with the list of blocked countries.


when SERVER_CONNECTED {
  # Look up the country of the selected server and reject if it is in the blocked datagroup
  if { [class match [whereis [IP::server_addr] country] equals "OutboundBlacklist"] } {
    reject
  }
}


Thank you for any help you can provide! 

    • jlb4350

      Interesting. Thank you for that suggestion. So just replace SERVER_CONNECTED with LB_SELECTED in the iRule? Could you elaborate some on what LB_SELECTED does? The page is quite vague about how it works...

      Thanks again for your help.

      • In the LB_SELECTED event you can get information about which pool member is selected and take some action on it. In this event you can evaluate the results of LB::server. You can use this to replace IP::server_addr in your current iRule. See the first iRule example in the article below.

        https://clouddocs.f5.com/api/irules/LB__server.html
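        Written out as an added example (not code from the thread or from F5), this is the original poster's iRule moved into LB_SELECTED as the reply describes, using LB::server addr in place of IP::server_addr so the reject happens before the server-side handshake. It adds a log line so rejections show up in the LTM log, and handles the case where whereis returns an empty string (no geolocation entry); the datagroup name OutboundBlacklist comes from the original post, and the fail-open choice for unknown countries is an assumption to adjust to your policy.

```tcl
when LB_SELECTED {
  # Address of the pool member / destination chosen by load balancing.
  # No connection to it has been opened yet at this point.
  set dst [LB::server addr]

  # whereis returns the two-letter country code, or "" if the
  # geolocation database has no entry for the address.
  set country [whereis $dst country]

  if { $country equals "" } {
    # Assumption: fail open on unknown location but record it, so
    # gaps in the geolocation database are visible in /var/log/ltm.
    log local0.warning "Outbound geo-unknown: [IP::client_addr] -> $dst"
    return
  }

  # Datagroup "OutboundBlacklist" holds the blocked country codes
  # (the same datagroup the original iRule uses).
  if { [class match $country equals OutboundBlacklist] } {
    log local0.info "Outbound blocked: [IP::client_addr] -> $dst ($country)"
    # Reset the client-side connection; the server is never contacted.
    reject
  }
}
```

        The log lines give you a simple detection feed: counting "Outbound blocked" entries per client address shows which hosts keep trying to reach blacklisted countries.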