Forum Discussion
Jorge_48257 (Nimbostratus)
Apr 22, 2011
iRule to drop port request
I've also tried the following with no success.
- nitass (Employee): I didn't get any error in the iRule editor. Is there anything I missed?
- Jorge_48257 (Nimbostratus): The second iRule doesn't give an error, it just doesn't drop the request. You can still connect on those ports. The first iRule is the only one that gives me that error I posted.
- nitass (Employee):
  > The second irule doesn't give an error it just doesn't drop the request. You can still connect on those ports.

  ```
  when CLIENT_ACCEPTED {
     if {[TCP::local_port] != 110} {
        drop
     }
  }
  ```
- Jorge_48257 (Nimbostratus): It doesn't give me an error either but the requests on that port are never blocked. So while the rule doesn't error out, I'm still not getting the outcome I'm expecting which is for the port request to not be accepted.
- nitass (Employee): Can you post the virtual server config?
- Jorge_48257 (Nimbostratus): Here you go.

  ```
  virtual EXCH-CAS_RPC_vs {
     pool EXCH-RPC_pool
     destination 10.10.10.10:any
     ip protocol tcp
     persist exch_rpc_persist
     profiles {
        tcp-lan-optimized {
           serverside
        }
        tcp-wan-optimized {
           clientside
        }
     }
  }
  ```
  This is used for Exchange RPC but we do not want it to listen on unsecured POP and IMAP. That's why we want to block TCP/110 and TCP/143.
- nitass (Employee): I see. The problem is that F5 does full proxy. If I don't misremember, there is an option in the TCP profile. Will check when I get my computer.
- nitass (Employee): It's verified accept in the TCP profile. Anyway, it's available only in v10.
  ```
  virtual bar {
     snat automap
     pool foo
     destination 172.28.17.33:any
     ip protocol tcp
     rules myrule
     profiles mytcp {}
  }
  pool foo {
     members 10.10.70.110:any {}
  }
  rule myrule {
     when CLIENT_ACCEPTED {
        if {[TCP::local_port] == 22} {
           reject
        }
     }
  }
  profile tcp mytcp {
     defaults from tcp
     verified accept enable
  }
  ```

  ```
  ssh 172.28.17.33
  ssh: connect to host 172.28.17.33 port 22: Connection refused
  ```
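
A client-side check for the outcome the thread is after, added here as an example and not code from any poster or from F5: it separates a port that refuses the TCP handshake (the `Connection refused` in the last reply) from one that completes the handshake and only then resets, closes or goes silent. `probe` and `fake_listener` are hypothetical names, and the listeners are constructed localhost stand-ins, not a BIG-IP.

```python
import socket, struct, threading

def probe(host, port, timeout=1.0):
    """Classify what a TCP client sees on host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "refused"            # RST to our SYN: no handshake at all
        except socket.timeout:
            return "filtered"           # SYN never answered
        try:
            data = s.recv(64)           # POP3 and IMAP servers greet first
        except socket.timeout:
            return "accepted-silent"    # handshake done, then nothing
        except ConnectionResetError:
            return "accepted-reset"     # handshake done, then RST
        return "accepted-banner" if data else "accepted-closed"
    finally:
        s.close()

def fake_listener(behaviour):
    """Constructed localhost stand-in for a listener; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"+OK constructed POP3 greeting\r\n")
        elif behaviour == "reset":      # SO_LINGER 0 makes close() send RST
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        if behaviour == "silent":
            threading.Event().wait(3)   # hold the connection, say nothing
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for b in ("banner", "reset", "close", "silent"):
        print(b, "->", probe("127.0.0.1", fake_listener(b)))
```

Run against the virtual server address for ports 110 and 143, a result of `refused` means the handshake itself was rejected; any `accepted-*` result means the client still completed a connection on that port.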