Forum Discussion
Ryan_34424
Altostratus
AltostratusLTM :: iRule to Limit Source Addresses
So... here's a weird one. And I understand it's not optimal...
...but say there is a crisis and management sends down the proclamation: "Only allow X sources at a time access to the server pool un...
Kai_Wilke
MVP
MVPHi Ryan,
the problem with your iRule is, that it would DoS your entire application once
[table keys -subtable conns -count][IP::client_addr]You may take a look to the iRule below how I would solve the puzzle. My iRule would allow the already known
[IP::client_addr][table -subtable][IP::client_addr]when RULE_INIT {
set static::ip_limit 2000
set static::ip_timeout 900
}
when CLIENT_ACCEPTED {
set hsl [HSL::open -proto UDP -pool syslog-servers.pool]
}
when HTTP_REQUEST {
Delete all IPs
table delete -subtable conns -all
if { [table lookup -subtable conns [IP::client_addr]] ne "" } then {
The client is currently known in the table.
Already refreshed the clients table entry.
Allow the request...
} elseif { [table keys -subtable conns -count] < $static::ip_limit } then {
The client is not known in the table.
The connection limit has not been reached.
Create a new entry for the client.
table set -subtable conns [IP::client_addr] 1 $static::ip_timeout indef
Allow the request...
} else {
The client is not known in the table.
The connection limit has been reached.
Log the request...
HSL::send $hsl ":: Source IP limit ($ip_limit) hit for pool, redirecting to maintenance page."
Display maintenance page...
call maintenance_page.irule::display_page
}
}
Note: I've removed the pool logic, since it shouldn't considered as security control. The premptive
of your meintenance macro should be more than sufficent...[HTTP::respond]
Cheers, Kai
