Forum Discussion
Net_Admin_24240
Nimbostratus
Jul 27, 2006
block public access allow private
I want to block access to URLs from any public address but allow access if the client initiates the connection using a private address.
For example: block access to http://mycompany.com/De...
hoolio
Cirrostratus
Jul 28, 2006
If you have separate VLANs for internal clients versus external clients, you could just create a VIP enabled on the VLAN the internal clients access the VIP over.
If the external and internal clients are connecting to the VIP over the same VLAN, you could use a pair of classes (data groups) and a rule to block requests from external client IP addresses to "protected" URIs:
class internal_hosts_networks_class {
    network 10.0.0.0 mask 255.0.0.0
    host 192.168.0.100
}
class my_protected_uris {
    "/path1/"
    "/path2/"
}
when HTTP_REQUEST {
    # Drop the request when the URI is protected and the client address is not in the internal class
    if { [matchclass [HTTP::uri] starts_with $::my_protected_uris] and (not [matchclass [IP::remote_addr] equals $::internal_hosts_networks_class]) } {
        log local0. "client: [IP::remote_addr] requested [HTTP::host][HTTP::uri] and was dropped"
        discard
    }
}
I haven't tested this, but I think it should work based on the description you gave.
Aaron
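A way to dry-run the two data groups above before attaching the rule, added here as an example and not part of the original post: it parses the class text in the syntax shown, mirrors the rule's allow/discard decision, and lists private (RFC 1918) clients the class would still treat as external. The function names and sample requests are assumptions made for this example, and the parser handles only the `network ... mask ...` and `host ...` entry forms that appear in the post.

```python
import ipaddress
import re

# Data groups copied from the answer above.
INTERNAL_CLASS = """
class internal_hosts_networks_class {
network 10.0.0.0 mask 255.0.0.0
host 192.168.0.100
}
"""
PROTECTED_URIS = ["/path1/", "/path2/"]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_address_class(text):
    """Turn 'network A mask M' and 'host A' lines into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"network (\S+) mask (\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = re.fullmatch(r"host (\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/32"))
    return nets


def decide(client_ip, uri, nets, protected=PROTECTED_URIS):
    """Mirror the rule: discard if the URI is protected and the client is not listed."""
    is_protected = any(uri.startswith(p) for p in protected)
    is_internal = any(ipaddress.ip_address(client_ip) in n for n in nets)
    return "discard" if is_protected and not is_internal else "allow"


def uncovered_private_clients(clients, nets):
    """Private (RFC 1918) clients that the address class does not contain."""
    addrs = [ipaddress.ip_address(c) for c in clients]
    return [str(a) for a in addrs
            if any(a in r for r in RFC1918) and not any(a in n for n in nets)]


if __name__ == "__main__":
    nets = parse_address_class(INTERNAL_CLASS)
    # Constructed sample requests (private and documentation-range addresses).
    for ip, uri in [("10.1.2.3", "/path1/a"), ("203.0.113.9", "/path1/a"),
                    ("203.0.113.9", "/public/"), ("172.16.5.5", "/path2/x")]:
        print(ip, uri, decide(ip, uri, nets))
```

With the class exactly as posted, clients in 172.16.0.0/12 and most of 192.168.0.0/16 are discarded on protected URIs, so every private range in use has to be listed in the address class.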
