Forum Discussion

Jace_45978
Aug 12, 2011

F5 iRule to reject/allow outbound access based on URI, DNS

Because we have a FW that allows access outbound based on IP only, I'm wondering if there is a way in the F5 to allow or reject outbound access based on URI or DNS lookups.

example:

A webserver behind the F5 (8900, version 10.2.0) makes a call to connect to www.yahoo.com or any www.domain.com.

is there a way on the F5 to allow www.yahoo.com and reject any other outbound www.domain.com connections? Trying to stay away from allowing or denying based on IP addresses.

thanks

  • I haven't tested it on LTMs, but on old BIG-IPs (ver 4.x) you need to set the default gateway of your server to the F5 and the default gateway of the F5 to the FW, and then use the "filter" feature to allow/disallow certain IPs.

    I haven't come across the equivalent of the "filter" feature on LTMs yet ... in fact I haven't searched for it yet.
  • Colin_Walker_12
    Historic F5 Account
    Yes, you can certainly do this as long as your webservers are routing through the BIG-IP. This would just require a simple iRule on whatever internal VIP the servers are routing through to inspect the HTTP request and deny based on host.

    Something like:

    when HTTP_REQUEST {
      if {[HTTP::host] ne "www.yahoo.com" } {
        reject
      }
    }

    Obviously that's very simple, but that's the basic idea.

    Colin
  • Yes, the web servers' default GW is the BIG-IP, and currently there is a Forwarding VIP:

    virtual forwarder {
       l2 forward
       destination any:any
       mask 0.0.0.0
    }

    I should have asked if there is a way to reject all outbound www traffic and only allow certain www connections?
  • Ok, so I am asking :) is there a way to reject all outbound www traffic and only allow certain www connections, instead of just allowing all and rejecting specific ones?
  • Colin_Walker_12
    Historic F5 Account
    If it were me, I'd create a Data Group (class) with the list of hosts that you want to allow www traffic to. I'd then write an iRule that looks like:

    when HTTP_REQUEST {
      if {!([class match [HTTP::host] eq myDataGroup])} {
        reject
      }
    }

    This would prevent any requests bound for anything that's not contained in that data group.

    Make sense?

    Colin
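A fuller version of the allowlist iRule above, added here as an example and not code from the thread. It assumes a string data group named myDataGroup already holds the permitted hostnames, and that the iRule is attached to a virtual server with an HTTP profile (HTTP_REQUEST does not fire on the L2 forwarding virtual shown earlier, and the Host header of HTTPS traffic is not visible without decrypting it). It also normalises the Host header, since a value such as WWW.Yahoo.com:8080 would otherwise fail an exact match.

```tcl
# Added example, not from the thread: allowlist outbound HTTP by Host header.
# Assumes a string data group named myDataGroup holds the permitted hostnames
# (one per record) and that this iRule sits on a virtual with an HTTP profile.
when HTTP_REQUEST {
    # Normalise the Host header: drop any ":port" suffix and lowercase it,
    # so "WWW.Yahoo.com:8080" is checked as "www.yahoo.com".
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # No Host header means there is nothing to check against, so refuse it.
    if { $host eq "" } {
        log local0. "Rejected outbound HTTP with empty Host from [IP::client_addr]"
        reject
        return
    }

    # Exact match against the data group; anything not listed is rejected
    # and logged to /var/log/ltm so blocked destinations can be reviewed.
    if { ![class match $host equals myDataGroup] } {
        log local0. "Rejected outbound HTTP to $host from [IP::client_addr] URI [HTTP::uri]"
        reject
        return
    }
}
```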