Forum Discussion
Charles_Harris
Nimbostratus
Feb 02, 2007
Internal Access Control via iRules.
Hi,
We have a requirement to control internal access to one of our services hosted behind a local VIP. I've mangled together the following (working) iRule, but wondered if an expert could cast an eye and let me know of potential problems...
My concern is that the authorized client class (TST_ACL_DATA) could become very large (1000+) and I wondered if there was a better way of achieving the same result.
Thanks in advance!
-=ChaZ=-
-------------SNIP-------------
class TST_ACL_DATA {
    "10.0.0.1"
    "10.0.0.2"
    "10.0.0.3"
}

when CLIENT_ACCEPTED {
    if {![matchclass [IP::remote_addr] eq $::TST_ACL_DATA]} {
        log "Unauthorized connection attempted from [IP::remote_addr]"
        reject
    } else {
        log "Client Accepted [IP::remote_addr]"
    }
}
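As an added example (not from the original post or from F5), the same allowlist written for BIG-IP v10 or later, where `class match` replaced the v9 `matchclass` command and an address-type data group accepts CIDR networks as well as single hosts, so a large list of clients can collapse into a few network records; the data group name is kept from the post and its contents are constructed.

```tcl
# Added example, not the poster's iRule. Assumes BIG-IP v10 or later and a
# data group named TST_ACL_DATA of type "ip" (address). Addresses below are
# constructed for illustration.
#
# The data group as it would appear in bigip.conf (tmsh syntax):
#
#   ltm data-group internal TST_ACL_DATA {
#       records {
#           10.0.0.1/32 { }
#           10.0.0.2/32 { }
#           10.0.0.3/32 { }
#           10.10.0.0/24 { }
#       }
#       type ip
#   }
#
# An address-type group matches both hosts and CIDR networks, so a whole
# subnet of authorized clients is one record rather than hundreds of hosts.

when CLIENT_ACCEPTED {
    # Evaluated once per TCP connection, not once per request.
    if { [class match [IP::client_addr] equals TST_ACL_DATA] } {
        log local0.info "Client accepted [IP::client_addr]"
    } else {
        # Log to the local0 facility so denied attempts can be forwarded to
        # remote syslog / SIEM, then drop the connection before any payload.
        log local0.warn "Unauthorized connection attempted from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
        reject
    }
}
```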
2 Replies
- Charles_Harris
Nimbostratus
I'll get my coat.
-=ChaZ=-
- Charles_Harris
Nimbostratus
Hi Colin,
Thanks again for the comments. I did only discover the filters after playing with this rule; the filter setup looks messy by comparison (there are approx. 200 allowable IPs) and is less easy to maintain. It is, however, part of the 'built in' functionality, so I assume it will be as fast if not quicker than the iRule, although I'm not brave enough to benchmark each approach.
Cheers!
-=ChaZ=-