Forum Discussion
Permit only North American network blocks
Is it possible to only permit North American network blocks to an F5 hosted site (or VIP)? I would get the list for Canada, US and Mexico from here: http://www.ipdeny.com/ipblocks/. Then massage it into a list for the F5. Finally, create an iRule to use it. Have searched other posts but they were a bit different. Apology in advance if I didn't search well enough. ;-)
Thanks,
Philippe
3 Replies
- hoolio
Cirrostratus
Hi Philippe,
This should be very simple using the whereis command to query the client IP address in the inbuilt GeoIP database: https://devcentral.f5.com/wiki/iRules.whereis.ashx

```tcl
when CLIENT_ACCEPTED {
    # Reject any client whose GeoIP continent is not North America ("NA")
    if { not ([whereis [IP::client_addr] continent] eq "NA") } {
        reject
    }
}
```

Aaron
- Philippe_Tempel
Nimbostratus
Thanks hoolio. I updated the GeoIP database per the instructions here:
http://support.f5.com/kb/en-us/solu...11176.html
and saved your iRule above. One question that came up was if the F5 can support privilege escalation. We may have a case where someone from work may travel abroad and want access even if this is in place. Would this be possible? Also am curious as to how GeoIP works with multinational companies. If the company uses part of its IP block in different countries, then will GeoIP be able to tell where they are from?
Thanks,
Philippe
- rkbasa_189832
Nimbostratus
Hi
Will this allow internal private nets?
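
The two open questions in this thread (exceptions for approved users outside North America, and internal private networks) can both be handled by checking allow conditions before the continent test. The iRule below is an added example, not code from any poster in this thread. It assumes a hypothetical address-type data group named `geo_allow_exceptions` that administrators maintain (for example, a corporate VPN egress range), and it assumes the GeoIP lookup returns no continent for RFC 1918 addresses, which is why those are tested explicitly.

```tcl
# Added example. geo_allow_exceptions is a hypothetical address-type data group
# of approved source addresses/subnets; create it before attaching this iRule.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Assumption: RFC 1918 sources have no GeoIP entry, so allow them explicitly
    # instead of relying on the continent lookup.
    if { [IP::addr $client equals 10.0.0.0/8] ||
         [IP::addr $client equals 172.16.0.0/12] ||
         [IP::addr $client equals 192.168.0.0/16] } {
        return
    }

    # Administrator-approved exceptions outside North America.
    if { [class match $client equals geo_allow_exceptions] } {
        return
    }

    # Everything else must geolocate to North America.
    set continent [whereis $client continent]
    if { $continent ne "NA" } {
        # Log each rejection so blocked legitimate users can be traced;
        # consider rate-limiting or removing this on high-traffic virtual servers.
        log local0. "geo-block: rejected $client (continent='$continent')"
        reject
    }
}
```

Keep the exception data group as narrow as possible, since every entry in it bypasses the geographic restriction entirely.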