Forum Discussion
Jonathan_Robins
Nimbostratus
Aug 26, 2010
GTM iRule to block certain IPs' DNS Query of a WideIP
Hello
I need to stop a GTM Wide IP from responding to client IPs unless they are in a whitelist.
Ideally the GTM would respond with an NXDOMAIN rather than drop the request.
I am...
Jonathan_Robins
Nimbostratus
Aug 27, 2010
Thanks for the reply, Bhattman. I now get the following error:
01070151:3: Rule [GAM_block_non_intranet_dns_query] error: line 1: [undefined procedure: matchclass] [matchclass [IP::remote_addr] eq $::ip_allowed_datagroup]
So I assume that the matchclass can not be used within a when DNS_REQUEST?
I have managed to get it working using multiple if statements with IP::addr to test against all my internal subnets (I'm trying to prevent a reply to an IP unless it is from my inside networks).
    when DNS_REQUEST {
        # Walk the internal subnets one by one; only drop when the
        # client matches none of them (nested so each match falls through).
        if {![IP::addr [IP::remote_addr] equals 10.0.0.0/8]}{
            if {![IP::addr [IP::remote_addr] equals 172.29.0.0/16]}{
                if {![IP::addr [IP::remote_addr] equals 172.30.0.0/16]}{
                    drop
                }
            }
        }
    }
There must be a more elegant / efficient way of doing this?
Also, rather than drop, I want to send an NXDOMAIN. Is this possible?
--Jonathan
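The two things asked for in the post above, a single whitelist check instead of three nested ifs and an NXDOMAIN answer instead of a silent drop, written out as an added example. This is not code from the thread or from F5. It assumes a DNS_REQUEST iRule on a BIG-IP that accepts the same commands the poster's snippet already parsed (IP::remote_addr, IP::addr, drop); the three subnets are the poster's. The DNS::header and DNS::return commands used to build the NXDOMAIN reply are an assumption about the platform: they belong to the DNS profile / DNS Services feature of later releases and are not available on every GTM version, so the drop line is left in a comment as the fallback.

```tcl
# Added example, not from the original thread. Assumes a GTM/DNS iRule where
# IP::remote_addr, IP::addr and drop are available (as in the poster's code).
# DNS::header / DNS::return are assumed to be present (DNS profile, later
# releases); if they are not, use the commented-out drop instead.
when DNS_REQUEST {
    set client [IP::remote_addr]

    # One expression instead of nested ifs: the query is allowed if the
    # client is in ANY of the internal subnets. Tcl's || short-circuits,
    # so the remaining comparisons are skipped after the first match.
    if { [IP::addr $client equals 10.0.0.0/8] ||
         [IP::addr $client equals 172.29.0.0/16] ||
         [IP::addr $client equals 172.30.0.0/16] } {
        # Internal client: leave the event and let normal WideIP
        # resolution answer the query.
        return
    }

    # External client: record it, then answer NXDOMAIN so the resolver
    # gets a definitive negative instead of timing out on a dropped packet.
    log local0. "Refusing WideIP query from non-internal client $client"

    # Fallback for versions without the DNS:: commands (what the poster has):
    # drop

    DNS::header rcode NXDOMAIN
    DNS::return
}
```

Two caveats worth keeping in mind when using this: IP::remote_addr is the address of the resolver that forwarded the query, not of the end user, so the whitelist has to list your internal resolvers' source ranges (and any NAT they sit behind); and a long list of subnets is better kept in a data group than hard-coded, but the data-group lookup command available in a DNS_REQUEST event depends on the software version (the matchclass error in the post above shows it was not available there), so check the iRule reference for your release before switching to one.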