Forum Discussion
Block outbound connections via DNS rather than server_connected
Take a look at the LB_SELECTED event. This event is called before the SERVER_CONNECTED event.
https://clouddocs.f5.com/api/irules/LB_SELECTED.html
It should be possible to put the evaluation into this event, so the connection can be rejected upfront.
Interesting. Thank you for that suggestion. So just replace SERVER_CONNECTED with LB_SELECTED in the iRule? Could you elaborate some on what LB_SELECTED does? The page is quite vague about how it works...
Thanks again for your help.
- Oct 23, 2023
In the LB_SELECTED event you can get information about which pool member is selected and take some action on it. In this event you can evaluate the results of LB::server. You can use this to replace IP::server_addr in your current iRule. See the first iRule example in the article below.
https://clouddocs.f5.com/api/irules/LB__server.html
- jlb4350, Oct 23, 2023 (Cirrus)
I guess I didn't specify, but my f5 is acting as a firewall. I didn't set it up this way, but it is performing the traffic filtering, not a firewall. Would LB_SELECTED still apply in this case? I just want to drop the traffic before connecting to the remote server rather than after it connects. Would I use HTTP_REQUEST rather than SERVER_CONNECTED? If I should still use LB_SELECTED, would you mind editing my rule to show an example?
Sorry for all the questions, I'm still trying to get my head wrapped around how iRules work, especially with the way the system is configured. I really appreciate your time.
- Oct 24, 2023
Try creating a new virtual server, where it's safe to experiment with the iRule. You can try the iRule below.
when LB_SELECTED {
    log local0. "LB_SELECTED: debug"
    if { [class match [whereis [LB::server addr] country] equals "OutboundBlacklist"] } {
        log local0. "LB_SELECTED: [LB::server addr] found on OutboundBlacklist -> reject"
        reject
    }
}
when SERVER_CONNECTED {
    log local0. "SERVER_CONNECTED: debug"
    if { [class match [whereis [IP::server_addr] country] equals "OutboundBlacklist"] } {
        log local0. "SERVER_CONNECTED: [IP::server_addr] found on OutboundBlacklist -> reject"
        reject
    }
}
As you can see the iRule contains some extra logging options. You should see the output in /var/log/ltm. Try sending some traffic through your test virtual server and check the logs.
About the HTTP_REQUEST event. When this event is triggered, there is no information about the server side server IP-address yet. Remember you have the client side client, client side server, server side client and server side server IP-addresses. Your action needs to match the server side server IP-address.
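As an added example (not code posted in this thread), here is an LB_SELECTED-only version of the egress check that records which client triggered the rejection and handles a pool member with no geolocation record. It assumes the string data group OutboundBlacklist from the thread plus an address-type data group named OutboundBlockedNets (assumed name) holding blocked networks; the fail-closed choice for unknown geo is a policy assumption.

```tcl
when LB_SELECTED {
    # The load balancer has picked a pool member, but no server-side TCP
    # connection exists yet, so a reject here never touches the remote host.
    set member_ip   [LB::server addr]
    set member_port [LB::server port]

    # whereis returns the ISO country code, or an empty string when the
    # address is not present in the geolocation database.
    set country [whereis $member_ip country]

    set blocked 0
    if { $country eq "" } {
        # Policy assumption: treat an unknown location as blocked (fail closed).
        log local0. "LB_SELECTED: no geo record for $member_ip, treating as blocked"
        set blocked 1
    } elseif { [class match $country equals OutboundBlacklist] } {
        # Country code matched the string data group from the thread.
        set blocked 1
    } elseif { [class match $member_ip equals OutboundBlockedNets] } {
        # Address matched the assumed address-type data group (CIDR entries).
        set blocked 1
    }

    if { $blocked } {
        # Log the client side client address alongside the selected member so
        # /var/log/ltm shows who tried to reach what, then drop the flow.
        log local0. "LB_SELECTED: client [IP::client_addr] -> $member_ip:$member_port (country=$country) rejected before connect"
        reject
    } else {
        log local0. "LB_SELECTED: client [IP::client_addr] -> $member_ip:$member_port (country=$country) allowed"
    }
}
```

Remove the "allowed" log line once testing is done; on a busy virtual server it will fill /var/log/ltm quickly.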