For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jonathan_Robins's avatar
Jonathan_Robins
Icon for Nimbostratus rankNimbostratus
Aug 26, 2010

GTM iRule to block certain IPs DNS Query of a WideIP

Hello   I need to stop a GTM Wide IP from responding to client IPs unless they are in a whitelist.   Ideally the GTM would respond with an NSDOMAIN rather than drop the request.     I am...
application delivery
dev
devops
iRules
Jonathan_Robins's avatar
Jonathan_Robins
Icon for Nimbostratus rankNimbostratus
Aug 27, 2010
I had to make one further change as for some reaon the IP:addrr match was not matching a client ip to a subnet/mask.

 

After trying many combinations of "address/mask", "address mask 255.255.0.0" etc. I found that I had to put the mask on the client_addr end not the subnet end.

 

 

So my final working setup is:

 

 

when DNS_REQUEST {

 

if {![IP::addr [IP::client_addr]/20 equals "X.Y.Z.0"]} {

 

if {![IP::addr [IP::client_addr]/16 equals "172.29.0.0"]} {

 

cname "somewhere.else"

 

}

 

}

 

}