Anthony_7417
Jan 30, 2009
Historic F5 Account
GTM iRule to allow Wideip requests from specific addresses only - like BIND's "allow-query"
While BIND has mechanisms like the "allow-query" statement in order to limit IPs that can query for zone data, I couldn't find a clean way to mimic this behavior for GTM wideips. There doesn't...
Anthony_7417
Feb 16, 2009
Historic F5 Account
Yeah, you could do that, and that'd work. You could also make the destination of the topology records a pool which is set to 'drop packet' or 'return to DNS'. But since topology records are shared, if you already have a complex set of topology records configured for other wideips, it might take a lot of thought + planning to re-work the topology rules to include access control. And returning non-routable addresses just doesn't seem clean to me.
With the iRule, you write it once, then apply it to whatever wideip you desire. The iRule also makes it very clear what's going on, whereas someone looking at a set of topology records might not understand the intent.
The iRule might be a little difficult to maintain since GTM doesn't have matchclass, which is a bit of a shame. When GTM gets matchclass, an iRule like this should be much more maintainable.
