Forum Discussion
iRule to allow by source mac address ?
We have probably 1000 printers in our company that send SMTP email to our BigIP load balancer. We want to restrict access for (other) applications to the SMTP virtual server, so we want to use a whitelist of IP addresses. How do we allow SMTP access for printers, and block access for the rest of the organization, without maintaining a list of 1000 IP addresses? Printers can be recognized by their MAC address, but how do I create an iRule for that exception?
Are there smarter options?
7 Replies
- Sammo_Li_81151
Nimbostratus
Do the printers and the BigIP sit on the same network segment?
- Sammo_Li_81151
Nimbostratus
https://devcentral.f5.com/wiki/iRules.LINK.ashx
Anyway please see the above link. You may use LINK::lasthop to do that.
- A__Gotink_33511
Nimbostratus
Most are on a different subnet, so LINK::lasthop will not work.
- Sammo_Li_81151
Nimbostratus
Are all the printers the same brand, or are they different? I think what you can do is capture the "helo" command and see what the printer's helo name is. Then do a TCP::collect and examine the TCP::payload to only allow those with the printer's helo name to connect to the SMTP servers.
- IheartF5_45022
Nacreous
Use SMTPS with client certs if the printers support it. F5 can decrypt and check client certs, then send on to the servers as SMTP.
- A__Gotink_33511
Nimbostratus
Thanks for the TCP::payload tip. All our printers start with the same 2 characters in the name.
Still investigating how to examine the data received...
- A__Gotink_33511
Nimbostratus
This iRule works for me:

```tcl
# Collect the client's first bytes once the server-side connection is up
# (the SMTP server speaks first, so the client's EHLO arrives afterwards).
when SERVER_CONNECTED {
    clientside { TCP::collect }
}

when CLIENT_DATA {
    # Printers announce themselves with a hostname that starts with "RK".
    set hostOK "RK"
    set payload [string toupper [TCP::payload]]
    log local0. "payload=$payload"

    if { $payload starts_with "EHLO" } {
        log local0. "EHLO found"
        if { $payload contains "EHLO $hostOK" } {
            log local0. "SMTP OK, is from $hostOK*"
            TCP::release
        } else {
            log local0. "SMTP ERROR, $payload is NOT from $hostOK"
            TCP::respond "550 Hostname denied\r\n"
            # Close the connection rather than leaving the denied client
            # sitting in a collected state.
            TCP::close
        }
    } else {
        log local0. "EHLO not found"
        TCP::release
        TCP::collect
    }
}
```
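The same hostname check, written as a standalone Python function so the edge cases can be exercised offline. This is an added example, not code from the thread or from F5; the prefix "RK" comes from the thread, the sample command lines are constructed, and it goes slightly beyond the iRule by treating HELO like EHLO and anchoring the match to the start of the command. The hostname is client-supplied, so this is a convenience filter rather than authentication; the client-certificate approach suggested above is the stronger control.

```python
"""Classify an SMTP client's first command line by its EHLO/HELO hostname.

Added example (not from the thread). ALLOWED_PREFIX "RK" is the value the
thread uses; the sample inputs in the docstring are constructed.
"""
import re

ALLOWED_PREFIX = "RK"

# EHLO or HELO (case-insensitive), whitespace, hostname, end of line.
HELO_RE = re.compile(rb"^(EHLO|HELO)[ \t]+([^\r\n]*)\r?\n", re.IGNORECASE)

# RFC 5321 command-line limit; longer lines will never form a valid command.
MAX_COMMAND_LINE = 512


def classify_first_command(payload: bytes, prefix: str = ALLOWED_PREFIX) -> str:
    """Return one of:
    'allow'   - complete EHLO/HELO whose hostname starts with prefix
    'deny'    - complete EHLO/HELO with any other hostname, or an over-long line
    'wait'    - line not terminated yet; keep collecting (TCP::collect)
    'release' - something other than EHLO/HELO; the iRule passes this through
                unchecked, so callers should at least log it
    """
    if b"\n" not in payload:
        # The collect can fire before the whole line has arrived.
        return "deny" if len(payload) > MAX_COMMAND_LINE else "wait"
    m = HELO_RE.match(payload)
    if m is None:
        return "release"
    hostname = m.group(2).decode("ascii", "replace").strip().upper()
    return "allow" if hostname.startswith(prefix.upper()) else "deny"


if __name__ == "__main__":
    # Constructed sample lines covering each outcome.
    for line in (b"EHLO RK-printer-03.corp.example\r\n",
                 b"ehlo rk01\r\n",
                 b"EHLO laptop.corp.example\r\n",
                 b"EHLO RK",
                 b"MAIL FROM:<a@example.test>\r\n"):
        print(line[:32], "->", classify_first_command(line))
```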