Forum Discussion

redheadontherun
Jul 27, 2016

Block Source IP using a blocklist hosted on a webserver

Currently we utilize a web server to host a blocklist that some of our other security devices use to block IP addresses. It allows us to maintain 1 list for all devices. Can the F5 ASM or LTM utilize such a list...maybe through an iRule or iFile?

  • Hi,

    This list can be uploaded as an iFile. You can also do a lookup using sideband connections in iRules.

    • Yann_Desmarest

      You can create an iFile using the following command:

      tmsh create sys file ifile blacklist source-path http://hostname.com/uri

      and then update it using the following command:

      tmsh modify sys file ifile blacklist source-path http://hostname.com/uri

      The file size for a single iFile was raised to 32 MB in 12.1.0. Prior versions limited the size to 4 MB.

    • Yann_Desmarest

      Here is a small proof of concept.

      when HTTP_REQUEST {
          # read the cached contents of the iFile named "domains"
          set file [ifile get domains]
          log local0. "$file"
          # hard-coded test value: does this domain appear anywhere in the file?
          set domain "amazon.co.uk.security-check.ga"
          if { [string match "*$domain*" $file] } {
              log local0. "succeeded"
              HTTP::respond 200 content "ok"
          } else {
              log local0. "failed"
          }
      }

      Note: you should test the performance impact, memory consumption and so on before switching something like this on in production.
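The proof of concept above matches a hard-coded domain inside an HTTP request. The original question was about blocking source IPs, so here is an added example iRule (not posted in this thread and not F5's own code) that does that end to end: it reads a blocklist iFile at connection time and rejects the client if its address matches any entry. It assumes the list was imported as `sys file ifile blacklist` with the tmsh commands above and then exposed to iRules with `tmsh create ltm ifile blacklist file-name blacklist` (iRules look up the `ltm ifile` object, not the `sys file ifile` directly), and that the list format is one IPv4/IPv6 address or CIDR prefix per line, with `#` starting a comment. The iFile name, the list format and the log messages are assumptions for the example.

```tcl
# Added example, not from the original thread: reject connections whose source
# address appears in a blocklist served as an iFile.
# Assumes: sys file ifile "blacklist" mapped to ltm ifile "blacklist" (assumed
# name), one address or CIDR per line, "#" starts a comment (assumed format).
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # [ifile get] returns the cached file contents, so a
    # "tmsh modify sys file ifile ... source-path ..." refresh takes effect
    # without reloading the iRule. Scanning the whole list per connection is
    # the cost to measure before production use.
    set blocklist [ifile get blacklist]

    foreach line [split $blocklist "\n"] {
        set entry [string trim $line]

        # skip blank lines and comments
        if { $entry eq "" || [string index $entry 0] eq "#" } {
            continue
        }

        # IP::addr compares plain addresses and CIDR prefixes; wrap it in
        # catch so one malformed line does not abort the whole iRule
        if { [catch { IP::addr $client equals $entry } matched] } {
            log local0. "blocklist: skipping malformed entry '$entry'"
            continue
        }

        if { $matched } {
            log local0. "blocklist: rejecting $client (matched $entry)"
            reject
            return
        }
    }
}
```

Because the loop is linear in the list length, the per-connection cost grows with the size of the list; for a large list, loading the same file as an external data group and testing it with `class match` avoids the per-connection parsing, at the price of a different import procedure than the iFile commands shown above.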