Forum Discussion
IP Forwarding VIP - Access List
Hi,
I've put together the following iRule to prevent two subnets communicating via the virtual forwarding VIP.
We have several VLANs behind the LTM, two of which cannot communicate with each other for compliance reasons. We use a forwarding VIP so that web servers can make outbound calls and we can connect to each individual web server over a WAN connection for testing purposes.
I did consider changing to using SNATs and removing the forwarding VIP, however this would also require changes on firewalls and routers and subsequently could get quite messy.
What I'd like to ask is if the following iRule looks correct (I currently lack a test environment to confirm this), or if SNAT would be a better solution to prevent the two VLANs from communicating.
Thanks in advance
Lee
when CLIENT_ACCEPTED {
    # Rule 1: source in the Windows web front subnet and destination in the Linux web front subnet
    if { [class match [IP::client_addr] equals win_web_LIVE_front_subnet] and
         [class match [IP::local_addr] equals lin_web_LIVE_front_subnet] } {
        # TCP::client_port / TCP::local_port assume a TCP-only virtual server
        log local0. "DENIED TRAFFIC Windows to Linux: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        # reject already tears the connection down with a TCP RST; no separate "send RST" command exists
        reject
    } elseif { [class match [IP::client_addr] equals lin_web_LIVE_front_subnet] and
               [class match [IP::local_addr] equals win_web_LIVE_front_subnet] } {
        # Rule 2: source in the Linux web front subnet and destination in the Windows web front subnet
        log local0. "DENIED TRAFFIC Linux to Windows: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        reject
    } else {
        # Permit all other traffic (logging every permitted connection can be noisy on a busy VIP)
        log local0. "PERMITTED TRAFFIC: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        forward
    }
}
6 Replies
- What_Lies_Bene1
Cirrostratus
Would a packet filter assigned to the two restricted VLANs not be a simpler solution?
- Lee_Sutcliffe
Nacreous
I could put a VLAN access list on the switches I suppose, I tend to steer away from these as they can get quite messy.
Worth considering though I suppose.
- What_Lies_Bene1
Cirrostratus
Apologies, I meant a packet filter on the BIG-IP.
- Mohamed_Lrhazi
Altocumulus
Your iRule looks good. I would use it, instead of packet filters on BIG-IP (I never used them or seen anyone use them).
I also don't understand what you are saying about SNAT. I don't see how SNAT is an alternative solution to "prevent x and y from talking to each other"...
Thanks,
Mohamed.
- nitass
Employee
I prefer using iRules because I think it is more granular and flexible.
- Mohamed_Lrhazi
Altocumulus
You could test the iRule by creating a new similar wildcard VS... just make it listen on a port unlikely to be used as destination, say port=9, or port=49899.
Maybe the iRule could be simplified by using one datagroup called reject_to_from, and rule:
    If client_addr in reject_to_from AND destination in reject_to_from:
        reject
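Since the original poster has no test environment, here is an added Python model of the two policies discussed in this thread (it is not iRule code and not from any reply): the `class match` against an address datagroup is stood in for by an `ipaddress` subnet test, and the two /24 prefixes are constructed placeholders because the thread never shows the datagroup contents. It also exposes where the single `reject_to_from` datagroup suggested above differs from the two explicit rules.

```python
import ipaddress

# Constructed placeholder prefixes: the thread never shows the datagroup contents.
WIN_WEB_LIVE_FRONT_SUBNET = ipaddress.ip_network("10.1.10.0/24")
LIN_WEB_LIVE_FRONT_SUBNET = ipaddress.ip_network("10.1.20.0/24")


def class_match(addr, datagroup):
    """Stand-in for `class match <addr> equals <datagroup>` on an address datagroup."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in datagroup)


def two_rule_policy(src, dst):
    """The original iRule: two directional deny rules, forward everything else."""
    if class_match(src, [WIN_WEB_LIVE_FRONT_SUBNET]) and class_match(dst, [LIN_WEB_LIVE_FRONT_SUBNET]):
        return "reject"
    if class_match(src, [LIN_WEB_LIVE_FRONT_SUBNET]) and class_match(dst, [WIN_WEB_LIVE_FRONT_SUBNET]):
        return "reject"
    return "forward"


# The single datagroup from the reply above: both restricted subnets in one list.
REJECT_TO_FROM = [WIN_WEB_LIVE_FRONT_SUBNET, LIN_WEB_LIVE_FRONT_SUBNET]


def one_group_policy(src, dst):
    """Simplified rule: reject when source AND destination are both in reject_to_from."""
    if class_match(src, REJECT_TO_FROM) and class_match(dst, REJECT_TO_FROM):
        return "reject"
    return "forward"


def policies_differ(flows):
    """Return the (src, dst) flows on which the two policies disagree."""
    return [(s, d) for s, d in flows if two_rule_policy(s, d) != one_group_policy(s, d)]


# Constructed sample flows as they would arrive at the forwarding VIP.
SAMPLE_FLOWS = [
    ("10.1.10.5", "10.1.20.7"),     # Windows -> Linux: both policies reject
    ("10.1.20.7", "10.1.10.5"),     # Linux -> Windows: both policies reject
    ("10.1.10.5", "203.0.113.10"),  # Windows -> outbound: both policies forward
    ("10.1.10.5", "10.1.10.9"),     # Windows -> Windows via the VIP: only one-group rejects
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: two-rule={two_rule_policy(src, dst)} one-group={one_group_policy(src, dst)}")
    print("policies differ on:", policies_differ(SAMPLE_FLOWS))
```

The last sample flow is the caveat: the one-datagroup form also rejects traffic whose source and destination are in the same restricted subnet, which the two-rule iRule forwards, so confirm that difference is acceptable before simplifying.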