Forum Discussion
Joe_Rindfleisch
Nimbostratus
Aug 30, 2011
Need iRule for specific sources to specific ports going to the Same VS for Proxy LB
Access Control Based on specific sources to specific ports going to the Same VS for Proxy LB
I found "Access Control Based On Network Or Host" http://...
hoolio
Cirrostratus
Sep 01, 2011
Not really. Your SE gave you a novel solution. But the shortcoming is that it doesn't support the native network parsing of an address type datagroup.
Another approach would be to create a separate set of datagroups per protocol. This will support source networks, but not destination networks. If you want destination network support, I think you'd need to chain datagroups, with one source network datagroup which points to other destination datagroups.
class fw_icmp_rules_class {
   {
      network 10.10.14.0/24 { "8.8.8.8:8,4.2.2.2:8,4.2.2.1:8" }
      network 10.11.14.0/24 { "4.2.2.4:8,4.2.2.3:8,4.2.2.2:8,4.2.2.1:8" }
      network 10.12.14.0/24 { "203.8.183.1:8" }
   }
}
class fw_tcp_rules_class {
   {
      network 10.10.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
      network 10.11.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
   }
}
class fw_udp_rules_class {
   {
      network 10.10.14.0/24 { "4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
      network 10.11.14.0/24 { "8.8.8.8:53,4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
   }
}
You can then use the class command to do the network lookup with the -value flag to get the list of destinations that are allowed. You could then call matchclass (yes, the old command) to match against that list.
Here's an example:
when RULE_INIT {
    # Log debug to /var/log/ltm? 1=yes, 0=no
    set static::fw_debug 1
}
when CLIENT_ACCEPTED {
    # Note: TCP::client_port and TCP::local_port are only valid on a TCP virtual server;
    # on a UDP virtual server use UDP::client_port and UDP::local_port instead.
    if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: destination:\
        [IP::local_addr]:[TCP::local_port]" }

    # Check the requested protocol (defined in /etc/protocols)
    switch [IP::protocol] {
        1 {
            # ICMP
            set proto icmp
        }
        6 {
            # TCP
            set proto tcp
        }
        17 {
            # UDP
            set proto udp
        }
        default {
            # Unmatched protocol
            if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Disallowed protocol" }
            # Drop (silently discard) or reject (send a reset)? Pick one.
            drop
            #reject
            # Exit this event in this rule
            return
        }
    }
    if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Protocol: $proto" }

    # If we are still in the rule the protocol matched our allowed list
    # Check if the corresponding datagroup exists
    if { not [class exists fw_${proto}_rules_class] } {
        # Datagroup does not exist!
        log local0. "[IP::client_addr]:[TCP::client_port]: Datagroup fw_${proto}_rules_class does not exist\
            for lookup to [IP::local_addr]:[TCP::local_port]!"
        # Drop (silently discard) or reject (send a reset)? Pick one.
        drop
        #reject
        # Exit here so the lookup below is never run against a missing datagroup
        return
    }

    # Do the datagroup lookup against the protocol specific datagroup
    # which maps source networks/hosts to allowed destination host:ports
    set allowed_dest_list [split [class match -value [IP::client_addr] equals fw_${proto}_rules_class] ","]
    if { $allowed_dest_list ne "" } {
        if { [matchclass "[IP::local_addr]:[TCP::local_port]" equals $allowed_dest_list] } {
            # Destination host:port is allowed
            if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection" }
        } else {
            # Destination host:port is not allowed
            if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Blocking connection" }
            # Drop (silently discard) or reject (send a reset)? Pick one.
            drop
            #reject
        }
    } else {
        # Source network/host has no entry in the datagroup: fail closed rather than open
        if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Source not listed, blocking connection" }
        drop
        #reject
    }
}
Aaron
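The chained-datagroup approach Aaron describes but does not show (a source-network datagroup whose value names a second, destination-network datagroup, so both source and destination get the native longest-prefix match of an address type datagroup), as an added example that is not part of the original thread. The datagroup names fw_tcp_src_class, fw_udp_src_class and fw_tcp_dst_10_10_14, their records, and the convention that the destination datagroup's value is a space-separated port list are assumptions for illustration. It handles TCP and UDP with the port commands valid for each protocol, and treats an unlisted source, an unlisted destination or a missing datagroup as a deny.

```tcl
# Added example, not from the thread. Assumed datagroups (v10 bigpipe syntax, address type):
#
#   class fw_tcp_src_class {          # source network -> name of the destination datagroup to use
#      {
#         network 10.10.14.0/24 { "fw_tcp_dst_10_10_14" }
#      }
#   }
#   class fw_tcp_dst_10_10_14 {       # destination network/host -> allowed ports, space separated
#      {
#         host    63.166.98.107 { "80" }
#         network 1.2.3.0/24    { "80 443" }
#      }
#   }
#   fw_udp_src_class and its destination datagroups follow the same layout.
#
# Both datagroups are address type, so "class match" does the CIDR containment test
# natively for the source AND the destination; no string parsing of networks is needed.
when RULE_INIT {
    # Log debug to /var/log/ltm? 1=yes, 0=no
    set static::fw_debug 1
}
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # Use the port commands that are valid for the virtual server's protocol
    switch [IP::protocol] {
        6  { set proto tcp ; set sport [TCP::client_port] ; set dport [TCP::local_port] }
        17 { set proto udp ; set sport [UDP::client_port] ; set dport [UDP::local_port] }
        default {
            if { $static::fw_debug } { log local0. "$src -> $dst: protocol [IP::protocol] not handled, dropping" }
            drop
            return
        }
    }

    # Step 1: source network -> name of the destination datagroup for that source
    set dst_class [class match -value $src equals fw_${proto}_src_class]
    if { $dst_class eq "" } {
        if { $static::fw_debug } { log local0. "$src:$sport -> $dst:$dport ($proto): source not listed, dropping" }
        drop
        return
    }
    if { not [class exists $dst_class] } {
        # Configuration error: fail closed rather than open
        log local0. "$src:$sport -> $dst:$dport ($proto): datagroup $dst_class named by fw_${proto}_src_class is missing, dropping"
        drop
        return
    }

    # Step 2: destination network -> allowed port list, native CIDR match on the destination too
    set allowed_ports [class match -value $dst equals $dst_class]
    if { $allowed_ports eq "" || [lsearch -exact $allowed_ports $dport] == -1 } {
        if { $static::fw_debug } { log local0. "$src:$sport -> $dst:$dport ($proto): not permitted by $dst_class, dropping" }
        drop
        return
    }
    if { $static::fw_debug } { log local0. "$src:$sport -> $dst:$dport ($proto): allowed by $dst_class" }
}
```

With the assumed records, a client in 10.10.14.0/24 connecting to 1.2.3.4:443 over TCP is allowed (1.2.3.0/24 carries "80 443"), the same client to 63.166.98.107:443 is dropped (only port 80 is listed for that host), and a client outside 10.10.14.0/24 is dropped at step 1. Adding a destination network is then a one-record change in the destination datagroup rather than enumerating every host:port string.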