Forum Discussion
Jace_45978 (Nimbostratus), Aug 12, 2011
F5 iRule to reject/allow outbound access based on URI, DNS
Because we have a FW that allows access outbound based on IP only, I'm wondering if there is a way in the F5 to allow outbound access or reject access based on URI or DNS lookups.
Example:
A webserver behind the F5 (8900, version 10.2.0) makes a call to connect to www.yahoo.com or any www.domain.com.
Is there a way on the F5 to allow www.yahoo.com and reject any other outbound www.domain.com connections? Trying to stay away from allowing or denying based on IP addresses.
Thanks
- Muhammad_64435 (Nimbostratus): I haven't tested it on LTMs, but on old BIG-IPs (ver 4.x) you need to set the default gateway of your server to the F5 and the default gateway of the F5 to the FW, and then use the "filter" feature to allow/disallow certain IPs.
- Colin_Walker_12 (Historic F5 Account): Yes, you can certainly do this as long as your webservers are routing through the BIG-IP. This would just require a simple iRule on whatever internal VIP the servers are routing through to inspect the HTTP request and deny based on host.

    when HTTP_REQUEST {
        if { [HTTP::host] ne "www.yahoo.com" } {
            reject
        }
    }
- Jace_45978 (Nimbostratus): Yes, the web servers' default GW is the BIG-IP and currently there is a Forwarding VIP:
- Jace_45978 (Nimbostratus): Ok, so I am asking :) is there a way to reject all outbound www traffic and only allow certain www connections, instead of just allowing all and rejecting specific?
- Colin_Walker_12 (Historic F5 Account): If it were me, I'd create a Data Group (class) with the list of hosts that you want to allow www traffic to. I'd then write an iRule that looks like:

    when HTTP_REQUEST {
        if { !([class match [HTTP::host] eq myDataGroup]) } {
            reject
        }
    }
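
The data-group allowlist suggested above, extended with Host normalization and logging of rejected requests. This is an added example, not code posted by anyone in the thread; the data group name `allowed_outbound_hosts` (a string data group holding entries such as www.yahoo.com) is hypothetical.

```tcl
# Added example. Assumes a string data group named
# "allowed_outbound_hosts" (hypothetical name) with lowercase
# hostnames such as www.yahoo.com, and an HTTP profile on the
# virtual server the web servers route through.
when HTTP_REQUEST {
    # Host names are case-insensitive and may carry a :port suffix,
    # so compare only the lowercased name portion.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Treat the fully qualified form "www.yahoo.com." as the same host.
    set host [string trimright $host "."]

    # No Host header at all: nothing to match against, so fail closed.
    if { $host eq "" } {
        log local0. "outbound HTTP from [IP::client_addr] rejected: empty Host header"
        reject
        return
    }

    # Default deny: anything not listed in the data group is rejected.
    if { not [class match $host equals allowed_outbound_hosts] } {
        log local0. "outbound HTTP from [IP::client_addr] to $host rejected: not in allowlist"
        reject
        return
    }
}
```

The rule only sees cleartext HTTP, and it matches the Host header the server sends rather than the address the connection actually goes to.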