Forum Discussion
winifred_corbet
Nimbostratus
Jun 24, 2010
Block traffic by IP address and Allow external access by domain name?
Currently we have an iRule in place that allows traffic to specific URLs, by allowing the internal IP addresses only.
Now we need to allow very specific external domains in (we cannot get an IP range), like akamai.net, how would we accomplish that?
This is what we have now:
when HTTP_REQUEST {
    # $::securePaths and $::our_internal_ips are v9-style data groups (classes):
    # a list of URI prefixes to protect and a list of trusted client addresses.
    if {([matchclass [HTTP::uri] starts_with $::securePaths]) and not ([matchclass [IP::client_addr] equals $::our_internal_ips])} {
        # Secure path requested from a non-internal address: log and drop the connection.
        log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
        discard
    } else {
        log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]"
    }
}
5 Replies
- hoolio
Cirrostratus
If you wanted to check the domain of the client IP address, you'd need to get the PTR record using NAME::lookup (for pre-10.1) or RESOLV::lookup for 10.1.0+. See the wiki pages for details and examples:
http://devcentral.f5.com/wiki/default.aspx/iRules/NAME__lookup.html
http://devcentral.f5.com/wiki/default.aspx/iRules/RESOLV__lookup.html
Aaron
- winifred_corbet
Nimbostratus
We are not on V10 yet, still on v9.4.8
So there is no way to modify this rule to "allow" specific domains? We would need to do a lookup and compare that address to a list?
- hoolio
Cirrostratus
If I understand your scenario correctly, yes, you'd need to do a reverse lookup of the client IP to see what domain the IP is part of. There isn't anything within an HTTP request that you can rely on to get the DNS domain of a client. You could add that DNS check to the existing rule.
I could see the DNS call adding latency to the connections through LTM.
Aaron
- winifred_corbet
Nimbostratus
So, I can't add a list of allowed domain names in a "data group" to allow?
- hoolio
Cirrostratus
I was suggesting you'd need to do a DNS query to determine what domain the client IP PTR shows. You could check that return value against a datagroup to see if it's allowed.
If that's not what you're thinking of, can you clarify what domain name you want to check (client DNS PTR record, Referer header, Host header, etc).
Aaron
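The approach hoolio describes (reverse-resolve the client IP, then compare the PTR name against a data group of allowed domains), written out as an added example iRule; this is not code from the thread or from F5. It uses the synchronous RESOLV::lookup command hoolio names for 10.1+, so it will not load on the 9.4.8 system in the question, where the asynchronous NAME::lookup / NAME_RESOLVED pair would be needed instead. The data group names secure_paths, internal_ips and allowed_client_domains, and the DNS server 10.0.0.53, are assumptions for the example. Entries in allowed_client_domains are assumed to carry a leading dot (".akamai.net") so that an ends_with match cannot be satisfied by a lookalike such as "not-akamai.net". Because anyone who controls the reverse zone for an address can publish any PTR name they like, the rule also forward-confirms the name by resolving it back to an A record and requiring that it contain the client IP; and because each DNS round trip adds the latency hoolio warns about, the verdict is cached per TCP connection so keep-alive requests pay for it once.

```tcl
# Added example iRule (BIG-IP 10.1+): internal-IP allowlist plus a
# forward-confirmed PTR domain allowlist for secure paths.
# Assumed data groups: secure_paths (string), internal_ips (address),
# allowed_client_domains (string, entries like ".akamai.net").
# 10.0.0.53 is a placeholder for the DNS server the BIG-IP should query.

when CLIENT_ACCEPTED {
    # Per-connection cache of the DNS verdict: "" (not checked yet),
    # "allow" or "deny". Avoids one DNS round trip per HTTP request.
    set dns_verdict ""
}

when HTTP_REQUEST {
    set uri [HTTP::uri]
    set cip [IP::client_addr]

    # Paths outside the protected list pass exactly as before.
    if { ![class match $uri starts_with secure_paths] } {
        return
    }
    # Internal clients are allowed, as in the original rule.
    if { [class match $cip equals internal_ips] } {
        return
    }

    if { $dns_verdict eq "" } {
        set dns_verdict "deny"
        # Reverse lookup: IP -> hostname. Empty string on failure or timeout.
        # Lower-case and strip any trailing dot so the data group match is exact.
        set ptr [RESOLV::lookup @10.0.0.53 -ptr $cip]
        set ptr [string tolower [string trimright $ptr "."]]

        if { $ptr ne "" && [class match $ptr ends_with allowed_client_domains] } {
            # Forward-confirm the PTR name: it must resolve back to the
            # client address, otherwise the PTR claim is not trustworthy.
            foreach addr [RESOLV::lookup @10.0.0.53 -a $ptr] {
                if { [IP::addr $addr equals $cip] } {
                    set dns_verdict "allow"
                    break
                }
            }
        }
        log local0. "DNS check for $cip: ptr='$ptr' verdict=$dns_verdict"
    }

    if { $dns_verdict eq "allow" } {
        log local0. "Allowing connection from $cip to $uri (PTR domain allowed)"
    } else {
        log local0. "Untrusted IP ($cip) attempting to access secure path ($uri)"
        discard
    }
}
```

The Referer and Host headers hoolio mentions are supplied by the client and are not a substitute for this check; the PTR plus forward-confirmation step is the only part of the decision that the client cannot simply assert. Expect the first request on each connection from a non-internal address to be delayed by the two lookups, and watch the local0 log for "ptr=''" entries, which indicate resolver failures that will deny otherwise-legitimate clients.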