Forum Discussion
Packet filter can't filter proxypass; is there any other way to filter traffic?
I have VS 10.50.171.8:443 and 35 pools are attached to it through a proxypass iRule.
The iRule is like this for one pool:
when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/300MEFPOSTPAIDLive*" {
            pool Tibco-LB-Group3
            HTTP::uri [string range [HTTP::uri] [string first "/" [HTTP::uri] 1] end]
        }
    }
}
Is it possible for F5 to allow 10.50.241.155 to this pool but deny all other IPs to this pool?
I can't use a packet filter because if I allow access to the VIP then he can access all pools. Is there any way to block him on the basis of which proxypass he is using?
Please help
Try inserting an if statement checking for the client's address:
when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/300MEFPOSTPAIDLive*" {
            # Only the listed client address may reach this pool
            if { [IP::addr [IP::client_addr] equals 10.50.241.155] } {
                pool Tibco-LB-Group3
                HTTP::uri [string range [HTTP::uri] [string first "/" [HTTP::uri] 1] end]
            } else {
                drop
            }
        }
    }
}
Look at https://devcentral.f5.com/wiki/iRules.IP__addr.ashx for more information/examples
- shaggy_121467 (Cumulonimbus)
- Thanks shaggy, you solved my problem. What would it look like if I want to allow 2, 3 IPs? Do I have to put an else if statement then?
- shaggy_121467 (Cumulonimbus): Just use "or":
  if { [IP::addr [IP::client_addr] equals 10.50.241.155] or
       [IP::addr [IP::client_addr] equals 10.50.241.156] or
       [IP::addr [IP::client_addr] equals 10.50.241.156] }
  If you have much more than that, you might consider using data groups to store allowed addresses (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-irules-concepts-11-6-0/6.html) and the "class" iRule command (https://clouddocs.f5.com/api/irules/class.html)
- No, I have max 3 IPs. Thanks a lot.
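The data-group approach mentioned in the last reply, for allow lists that outgrow a chain of "or" comparisons, could look like the following. This is an added example and not part of the original thread; the data group name allowed_300MEF is hypothetical, and the log line is an addition so that denied attempts leave a record.

```tcl
# Added example, not code from the thread.
# Assumes an address-type data group (hypothetical name allowed_300MEF)
# was created beforehand, for instance with:
#   tmsh create ltm data-group internal allowed_300MEF type ip \
#       records add { 10.50.241.155/32 { } 10.50.241.156/32 { } }
when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/300MEFPOSTPAIDLive*" {
            # Look the source address up in the data group instead of
            # chaining "or" comparisons; network entries in the group
            # match every address inside them.
            if { [class match [IP::client_addr] equals allowed_300MEF] } {
                pool Tibco-LB-Group3
                # Strip the first path segment before the request goes to
                # the pool, exactly as the original rule does.
                HTTP::uri [string range [HTTP::uri] [string first "/" [HTTP::uri] 1] end]
            } else {
                # Record the denied attempt (local0 goes to /var/log/ltm),
                # then discard the request as in the answer above.
                log local0.notice "denied [IP::client_addr] for [HTTP::uri]"
                drop
            }
        }
    }
}
```

[IP::client_addr] is the source address BIG-IP sees on the connection, so clients arriving through a NAT device or upstream proxy are all matched on that device's address.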