Enable/disable Management UI from command line

"bigpipe self help" should show you the syntax you need.

 

 

"bigpipe self 1.1.1.1 allow none" would block everything. otherwise, you need "protocol/port"

In fact, there are 2 public IP addesses, the second one is the floating.

 

 

I'm afraid I'm gonna break something if I allow none.

 

So I'll have configure manually on both self-ip services listed here https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html and then, just remove/add the allow the 443 when needed, correct ?

What are you using your public IPs for? Are they default gateways for anything? Are you using them for config sync or mirroring?

We have 2 BigIP on 2 different locations for redundancy, each one has a public ip address, and the floating one.

 

 

The config sync is on a different network, but one of our network failover unicast are using the public IP.

 

 

We use the floating address as a default gateway for our web servers in a pool that use a VIP (the VIP, the external and internal VLAN are on the same subnetwork)

 

 

I'm afraid if I allow none on those IP, my web servers won't be able to use the gateway any more for 80 and 443.

Posted By Bastien on 02/21/2011 12:58 PM

 

We have 2 BigIP on 2 different locations for redundancy, each one has a public ip address, and the floating one.

 

 

The config sync is on a different network, but one of our network failover unicast are using the public IP.

 

 

We use the floating address as a default gateway for our web servers in a pool that use a VIP (the VIP, the external and internal VLAN are on the same subnetwork)

 

 

I'm afraid if I allow none on those IP, my web servers won't be able to use the gateway any more for 80 and 443.

 

http://support.f5.com/kb/en-us/prod...821011358

 

 

 

The self-IP is being used as the gateway but is not the destination for your traffic. As an example, are you currently doing allow all or allow default? If you're allowing default, port 80 isn't allowed.

 

Allow default, so I should custon the lockdown to the exact same protocols by default except for the HTTPS, on both self-ip and floating, then as soon as I need the GUI, I connect with ssh and do a 'b self xxxx allow https add' and then same thing with delete, correct ?

I'm bookmarking this so I can test it on my own units tomorrow.

It looks like you can't be set as using defaults if you want to remove HTTPS via "b self 1.1.1.1 allow tcp 443 delete"

So, I wonder if the best way isn't to manually edit the config file.

In bigip_base.conf, your self IP likely looks like this:

net self 1.1.1.1/24 {
    allow-service default
    vlan internal
}

The best thing to do might be to change it to this and then load the config file:

net self 1.1.1.1/24 {
    allow-service {
        ospf:any
        tcp:161
        tcp:22
        tcp:4353
        tcp:53
        udp:1026
        udp:161
        udp:4353
        udp:520
        udp:53
    }
    vlan internal
}

I think that's tmsh output which is slightly different than how the bigip_base.conf syntax looks. You should be able to set the config through bigpipe using syntax like this:

 

 

b self 192.168.44.11 {allow none}

 

b self 192.168.44.11 {allow default}

 

b self 192.168.44.11 {allow all}

 

 

This changes the config running in memory. You'd want to save the config to file using 'b base save'.

 

 

I haven't tested to see how to specify individual services, but I think it should be possible.

 

 

Aaron

Posted By hoolio on 02/24/2011 09:19 AM

 

I think that's tmsh output which is slightly different than how the bigip_base.conf syntax looks. You should be able to set the config through bigpipe using syntax like this:

 

 

b self 192.168.44.11 {allow none}

 

b self 192.168.44.11 {allow default}

 

b self 192.168.44.11 {allow all}

 

 

This changes the config running in memory. You'd want to save the config to file using 'b base save'.

 

 

I haven't tested to see how to specify individual services, but I think it should be possible.

 

 

Aaron

 

I copied and pasted my actual bigip_base.conf syntax.

 

 

If he's currently using allow default, he can't add or remove anything without changing that first. Not sure why, but I got an error when trying.