Forum Discussion
irule with data group list
I am trying to write an iRule that will allow only certain internal subnets to send email through this outgoing email server.
Thought this below might do the trick, but no. Take the remote IP, verify it by subnet against my smtp_relay_allowed data group list. If it matches, send it through and SNAT to a single IP I have set up.
when CLIENT_ACCEPTED {
    if { [class match [IP::remote_addr] equals smtp_relay_allowed] } {
    }
}
What am I doing wrong? Everything is being allowed.
4 Replies
- eey0re
Cirrostratus
Is there a 'drop' or 'discard' in there that was eaten by the forum formatting?
- David_Desautels
Nimbostratus
I tried to tell it allow, but it would not take it. I want it to match my data group and then allow it through, but could not find the right syntax.
- Kevin_Stewart
Employee
Something like this:
when CLIENT_ACCEPTED {
    if { not ( [class match [IP::client_addr] equals my_ip_datagroup] ) } {
        reject
    }
}
- eey0re
Cirrostratus
Essentially not doing anything allows the connection through. drop or discard will drop the connection from the BIG-IP (but this is a bit brutal), reject will close it. To use this you want to invert your logic, like so:
if { not [class match [IP::remote_addr] equals smtp_relay_allowed] } { reject }
Ideally what you want to do is actually respond with some valid SMTP indicating a denied connection.
Another non-iRule approach is to look at the Packet Filters feature.
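Putting the replies together, here is a complete iRule for the original question (an added example, not code posted by anyone in the thread). It assumes an address-type data group named smtp_relay_allowed, as in the question, and uses 192.0.2.10 as a stand-in for the single SNAT address the poster set up; the log line and the return after reject are my additions.

```tcl
# Added example: allow-list SMTP relay clients by data group, deny everyone else.
# Assumes: data group "smtp_relay_allowed" (type address) holds the permitted
# internal subnets; 192.0.2.10 is a placeholder for the real SNAT address.
when CLIENT_ACCEPTED {
    # class match returns 1 when the client address falls inside any subnet
    # listed in the data group. An empty "if" body for the match case does
    # nothing, and doing nothing lets the connection through, so the decision
    # has to be made for the NON-matching case.
    if { not [class match [IP::client_addr] equals smtp_relay_allowed] } {
        # Record the denial so unexpected relay attempts are visible in the logs.
        log local0. "SMTP relay denied for [IP::client_addr]:[TCP::client_port]"
        # reject closes the connection cleanly (drop/discard would silently
        # discard it instead); return stops further processing in this event.
        reject
        return
    }
    # Only allow-listed clients reach this point: translate the source
    # address to the single relay IP before the connection leaves the BIG-IP.
    snat 192.0.2.10
}
```

Data groups of type address match on subnets, so an entry such as 10.10.0.0/16 matches every client in that range. If you want the denied side to see a proper SMTP reply rather than a closed socket, as eey0re suggests, you can send the reply bytes with TCP::respond before closing the connection instead of calling reject directly.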