For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Geethanjali_321's avatar
Geethanjali_321
Icon for Nimbostratus rankNimbostratus
Oct 25, 2012

Packet filter does not work

HI All, I have implemented a packet filter to block access to a VS from all IP addresses except one. I tried the same through an iRule. But it did not seem to work. Here is the iRule: w...
config
design
Geethanjali_321's avatar
Geethanjali_321
Icon for Nimbostratus rankNimbostratus
Oct 25, 2012

Thanks again. You guys are awesome! But I am still stuck with errors...

 

config b virtual bar list

 

virtual bar {

 

snat automap

 

pool foo

 

destination 63.166.192.203:80

 

ip protocol 6

 

rules myrule

 

}

 

config b rule myrule list

 

rule myrule {

 

when CLIENT_ACCEPTED {

 

if { ! [class match -- [IP::client_addr] equals ip_class] } {

 

log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"

 

reject

 

}

 

}

 

when SERVER_CONNECTED {

 

log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"

 

}

 

}

 

config b class ip_class list

 

class ip_class {

 

{

 

host 209.190.232.172

 

host 63.166.192.140

 

host 4.30.227.210

 

host 68.14.227.130

 

}

 

}

 

 

 

When I type this is the iRule editor in the configuration utility, I am getting this error!!!

 

01070151:3: Rule [/Common/New_Rule] error:

 

line 1: [undefined procedure: config] [config b virtual bar list]

 

line 2: [command is not valid in the current scope] [virtual bar {

 

snat automap

 

pool foo

 

destination 63.166.192.203:80

 

ip protocol 6

 

rules myrule

 

}]

 

line 10: [undefined procedure: rule] [rule myrule {

 

when CLIENT_ACCEPTED {

 

if { ! [class match -- [IP::client_addr] equals ip_class] } {

 

log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"

 

reject

 

}

 

}

 

when SERVER_CONNECTED {

 

log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"

 

}

 

}]

 

line 22: [command is not valid in the current scope] [class ip_class {

 

{

 

host 209.190.232.172

 

host 63.166.192.140

 

host 4.30.227.210

 

host 68.14.227.130

 

}

 

}]

 

 

 

I am really sorry if I ask lame questions. I am new to these codes. So, please help me out to learn and implement this...

 

 

Thanks and Regards,

 

Geethanjali