Forum Discussion

Jorge_48257
Apr 22, 2011

iRule to drop port request

How can I drop requests to a VIP on TCP ports 110 and 143 on an LTM running version 10.2.0? I've tried the following but it does not seem to work: if { [TCP::local_port] != 110} { drop } I get "line 1: [command is not valid in the current scope] [if { [TCP::local_port] != 110} {" when using iRule Editor.


I've also tried the following with no success.

    when CLIENT_ACCEPTED {
       if {([TCP::local_port] == 110 or [TCP::local_port] == 143)}{
          drop
       }
    }

  • I didn't get any error in iRule editor. Is there anything I missed?
  • The second iRule doesn't give an error, it just doesn't drop the request. You can still connect on those ports. The first iRule is the only one that gives me that error I posted.
  • >The second irule doesn't give an error it just doesn't drop the request. You can still connect on those ports.

    What service port is the virtual server listening on? Is it any port?

    > The first irule is the only that gives me that error I posted.

    This iRule doesn't give me an error in iRule editor or when running b load.

    
    when CLIENT_ACCEPTED {
       if {[TCP::local_port] != 110} {
          drop
       } 
    }
    

  • It doesn't give me an error either but the requests on that port are never blocked. So while the rule doesn't error out, I'm still not getting the outcome I'm expecting which is for the port request to not be accepted.
  • Here you go.

    virtual EXCH-CAS_RPC_vs {
       pool EXCH-RPC_pool
       destination 10.10.10.10:any
       ip protocol tcp
       persist exch_rpc_persist
       profiles {
          tcp-lan-optimized {
             serverside
          }
          tcp-wan-optimized {
             clientside
          }
       }
    }

    This is used for Exchange RPC, but we do not want it to listen on unsecured POP and IMAP. That's why we want to block TCP/110 and TCP/143.

  • I see. The problem is that F5 does full proxy. If I don't misremember, there is an option in the TCP profile. Will check when I get my computer.
  • It's verified accept in the TCP profile. Anyway, it's available only in v10.

    sol7559: Overview of the TCP profile

    http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7559.html

    I used reject instead of drop since I'd like to see an error when connecting to port 22.

    
    virtual bar {
       snat automap
       pool foo
       destination 172.28.17.33:any
       ip protocol tcp
       rules myrule
       profiles mytcp {}
    }
    pool foo {
       members 10.10.70.110:any {}
    }
    rule myrule {
       when CLIENT_ACCEPTED {
          if {[TCP::local_port] == 22} {
             reject
          }
       }
    }
    profile tcp mytcp {
       defaults from tcp
       verified accept enable
    }
    
    ssh 172.28.17.33
    ssh: connect to host 172.28.17.33 port 22: Connection refused
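The thread's point is that a full proxy completes the client-side TCP handshake before CLIENT_ACCEPTED runs, so a `drop` or `reject` there only takes effect after the client already sees a connection; verified accept in the TCP profile is what turns the rejection into a plain "Connection refused". The script below is an added example in Python, not code from this thread or from F5, that lets you check from a client which of those outcomes you are actually getting. It uses local loopback listeners (constructed for the demo) to stand in for the two proxy behaviours: one accepts and then closes with a FIN, one accepts and then closes with an RST, and an unbound port stands in for the verified-accept + reject case. The function and constant names are this example's own; exactly how BIG-IP tears down the client side on `drop` is not claimed here, only the client-visible difference between "refused before handshake" and "closed after handshake".

```python
import socket
import struct
import threading

# Client-visible outcomes of a TCP probe (names are this example's own).
REFUSED = "refused"                                # RST in answer to SYN: no handshake at all
CLOSED_AFTER_HANDSHAKE = "closed-after-handshake"  # handshake completed, then peer sent FIN
RESET_AFTER_HANDSHAKE = "reset-after-handshake"    # handshake completed, then peer sent RST
OPEN = "open"                                      # handshake completed, peer stays quiet


def probe_port(host, port, timeout=2.0):
    """Connect to host:port and report what a client actually observes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return REFUSED
    # The three-way handshake completed, so a full proxy has already "accepted" us.
    # Whatever it does next (FIN, RST, or nothing) is only visible when we read.
    try:
        data = sock.recv(1)
        return CLOSED_AFTER_HANDSHAKE if data == b"" else OPEN
    except ConnectionResetError:
        return RESET_AFTER_HANDSHAKE
    except socket.timeout:
        return OPEN
    finally:
        sock.close()


def _serve_and_close(listener, send_rst):
    """Accept exactly one connection, then close it with a FIN or an RST."""
    conn, _ = listener.accept()
    if send_rst:
        # SO_LINGER with a zero timeout makes close() emit RST instead of FIN.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()
    listener.close()


def start_accept_then_close_listener(send_rst=False):
    """Simulate a full proxy that finishes the client handshake first and only
    then tears the connection down. Returns the loopback port it listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_and_close, args=(listener, send_rst), daemon=True).start()
    return port


def unbound_loopback_port():
    """Pick a loopback port nothing listens on: the client gets 'Connection refused',
    the same outcome the thread's verified-accept + reject configuration produced."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    cases = [
        ("accept then FIN", start_accept_then_close_listener(send_rst=False)),
        ("accept then RST", start_accept_then_close_listener(send_rst=True)),
        ("nothing listening", unbound_loopback_port()),
    ]
    for label, port in cases:
        print(f"{label:18s} port {port:5d} -> {probe_port('127.0.0.1', port)}")
```

To check a real virtual server after the change, call `probe_port` against the VIP address and the ports you intend to block (110 and 143 in the question): `refused` means the handshake never completed, which is the result the TCP profile's verified accept plus `reject` gave in the final post; `closed-after-handshake` or `reset-after-handshake` means the client was still accepted first and the iRule only acted afterwards.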