irule for VIP to deny all ports except a few

Question

Hi, i have configured a VIP to listen on any port, BUT i want to restrict it only specific ports and denying rest all.&nbsp;
What`s the simplest way to do this?&nbsp;

what_lies_bene1 · Answer

There's two ways you can achieve this that I can think of; 
&nbsp;  
&nbsp; 1) Use a packet filter (everyone seems to prefer iRules) 
&nbsp; 2) Use the IP: CLIENT_ACCEPTED event and something like this (but with more ports using switch or a data group); 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED { 
&nbsp;  if { ! [TCP::local_port] == 80} { 
&nbsp;  drop 
&nbsp;  return 
&nbsp; } 
&nbsp; } &nbsp;

sandy16 · Answer

Thnx Steve,... what will be something equivalent of deny all, except 80, 8080?

what_lies_bene1 · Answer

This should do it;

when CLIENT_ACCEPTED {
if { (! [TCP::local_port] == 80 || ! [TCP::local_port] == 8080 ) } {
drop
return
}
}

nitass · Answer

e.g. 
  
  if-clause

[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
   if { !([TCP::local_port] == 80) and !([TCP::local_port] == 8080) } {
      drop
   }
}
}

switch

[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
   switch [TCP::local_port] {
      80 -
      8080 { }
      default {
         drop
      }
   }
}
}

Forum Discussion

irule for VIP to deny all ports except a few

4 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

Efficient Method to Compare F5 Configurations

F5 Big-IQ read-only API username creation.

email alert when service restarts

all possible Domain names that F5 may need to communicate to

irule that presents certificate doesn´ t run in TLSv1.3

Related Content

irule ports

Assistance with iRule using port ranges

iRules Style Guide

Three Ways to Specify Multiple Ports on a Virtual Server

Hey Claude, can you write iRules?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS