Forum Discussion
Packet filter does not work
Hi All,
I have implemented a packet filter to block access to a VS from all IP addresses except one. I tried the same through an iRule. But it did not seem to work. Here is the iRule:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
        drop
        return
    }
}
When I tried doing the same with packet filter, by creating a rule which says,
"action:accept" for "source ip:x.x.x.x" and "destination ip: (the ip for that virtual service)".
This should allow only this x.x.x.x IP to access the virtual service. But all the IPs have access to the virtual service, and it looks like the rule is not implemented correctly. Can someone help me with this?
Thanks and Regards,
Geethanjali
15 Replies
- Geethanjali_321
Nimbostratus
Hi,
I am not able to access this through the GUI. I don't find an option under system
- What_Lies_Bene1
Cirrostratus
Do you at least have System > Logs?
- nathe
Cirrocumulus
What user role are you? Specifies log access by user role. You can allow or deny access for each user role except Administrator and Resource Administrator, which are always set to Allow. When the field is set to Deny, the Logs tab is not present for users of that role type, and trying to access the log directly results in a no-access message.
- Geethanjali_321
Nimbostratus
Hi,
I am sorry. I got it now. Can you please explain what this code does? I understood the basic function, that it rejects all other IPs apart from the ones in the data group ip_class. But I didn't get the log.local0 part and the server connected's syntax... Can you please explain it to me?
when CLIENT_ACCEPTED {
    if { ! [class match -- [IP::client_addr] equals ip_class] } {
        log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        reject
    }
}
when SERVER_CONNECTED {
    log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
Thanks and Regards,
Geethanjali
- nathe
Cirrocumulus
See https://devcentral.f5.com/wiki/irules.server_connected.ashx
The log local0. command is simply grabbing all the information it gets from the request in the [] brackets e.g. the client ip address/port, and writing a log to detail the connection in a readable format.
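The allowlist pattern nathe posted, written out here as an added example (not code from this thread or from F5) together with the data group it depends on. The data group name allowed_clients, the tmsh command, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are assumptions and placeholders; the iRule rejects anything not in the data group, which is the opposite of the original post's rule that dropped only the one listed address.

```tcl
# Constructed example. First create the address data group the iRule
# references (tmsh, run once; the name and addresses are placeholders):
#   create ltm data-group internal allowed_clients type ip records add { 192.0.2.10/32 198.51.100.0/24 }
#
# Entries in an address data group may be single hosts or CIDR ranges;
# "class match equals" on an ip data group performs a longest-prefix lookup.

when CLIENT_ACCEPTED {
    # Deny by default: only clients listed in the data group may continue.
    # "reject" sends a TCP RST; use "drop" to silently discard instead.
    if { ! [class match -- [IP::client_addr] equals allowed_clients] } {
        log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        reject
        return
    }
    # Allowed client: fall through and let the virtual server load balance it.
}

when SERVER_CONNECTED {
    # Fires only for allowed clients, once the connection to the pool member is up.
    # clientside {...} evaluates the command in the client-side context so the
    # log line shows client -> virtual server -> chosen pool member.
    log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
```

log local0. writes through the local syslog facility local0, so the Reject/Allow lines land in /var/log/ltm (System > Logs > Local Traffic in the GUI). With a packet filter instead of an iRule, a single accept rule restricts nothing on its own unless the packet filter's unhandled-packet action is set to discard or reject, which is the usual reason an accept-only rule appears to have no effect.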