
Forum Discussion

AlexJ
Nov 18, 2009

Port ACL

Hello all,

I am having an issue with Port ACL iRules.

Issue: We have 6 internet links and hundreds of virtual servers running on multiple ports.

As we are not allowed to open up all-port VSs, we have to create a virtual server for every port a server will listen on and for every link. So, for instance, if a server listens on 3 ports (80/443/21) we have to create 18 VSs!!!!

I have created an iRule for a port ACL to block connections on all ports except the ones specified; however, as the rule is utilised at CLIENT_ACCEPTED, all ports are seen as open by tools such as NMAP etc.

Question:

Is there a way of creating a VS on all ports but, in iRules, stop it responding on ports unless otherwise specified? This is my first posting and my first iRule, so go easy!!!!

when RULE_INIT {
    # Drop unknown source IP addresses? 0 = no, 1 = yes
    # (set here but not yet referenced by the CLIENT_ACCEPTED logic below)
    set ::drop_unknown_sources 0
}

when CLIENT_ACCEPTED {
    # Port ACL: allow only the listed destination ports, reject everything else.
    # This event fires once the client's TCP connection has been accepted by the virtual server.
    switch -glob [TCP::local_port] {
        "21"   { return }
        "22"   { return }
        "80"   { return }
        "443"  { return }
        "8080" { return }
        "1935" { return }
        default {
            # Uncomment the line below to turn on logging.
            #log local0. "Invalid destination port for pool. Port: [TCP::local_port] - Virtual Server Name: [virtual] - Virtual Server IP: [IP::local_addr]. Discarding. Request accepted from client [IP::client_addr]"
            reject
        }
    }
}

1 Reply

  • hoolio
    The short answer is not with a VIP configuration change or iRule. If you define a virtual server, LTM will answer a TCP handshake on the defined port. If the port is 0, then LTM will answer a TCP handshake on all ports.

    If you need to prevent a TCP handshake on specific ports or allow one only on specific ports, you should be able to use packet filters or an upstream firewall. It's always a good practice to have a firewall between LTM and any untrusted network.

    Aaron
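The following is an added loopback demonstration of the point made in both the question (nmap still reports every port open) and Aaron's reply (the handshake is answered before any iRule runs). It is Python written for this page, not F5 code and not from the original thread. It assumes a reachable 127.0.0.1 and a Linux/macOS `struct linger` layout (two C ints) for the SO_LINGER option; the listener, the `irule_style_reject` helper and the port names are hypothetical stand-ins for a port-0 virtual server and an iRule `reject` in CLIENT_ACCEPTED.

```python
"""Why an accept-time reject cannot hide a port from a TCP connect scan:
the kernel completes the three-way handshake before application code runs."""
import errno
import socket
import struct


def connect_scan(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> str:
    """Classify a port the way a TCP connect scan (nmap -sT) does.

    "open"     : three-way handshake completed (something answered the SYN)
    "closed"   : RST came back (nothing listening)
    "filtered" : no answer at all (a packet filter or firewall dropped the SYN)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except OSError:  # includes socket.timeout
            return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def irule_style_reject(listener: socket.socket) -> None:
    """Accept a queued connection and tear it down with a RST, the way an
    iRule 'reject' in CLIENT_ACCEPTED does. By the time this runs the scanner
    has already received SYN-ACK and completed the handshake."""
    conn, _ = listener.accept()
    # SO_LINGER with a zero timeout makes close() send RST instead of FIN.
    # (assumption: Linux/macOS 'struct linger' = two C ints)
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()


def demo() -> dict:
    """Scan a stand-in for a port-0 virtual server and a port with no listener."""
    # Stand-in for an all-ports virtual server: bound to an ephemeral port with a
    # backlog, so the kernel finishes handshakes before accept() is ever called.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    vs_port = listener.getsockname()[1]

    # Find a port that nothing listens on: bind, note the number, release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    unused_port = tmp.getsockname()[1]
    tmp.close()

    results = {
        # handshake already done before any ACL logic could run
        "vs_port": connect_scan(vs_port),
        # RST straight from the kernel, nothing ever accepted it
        "unused_port": connect_scan(unused_port),
    }
    # The RST from the 'iRule' arrives only after the scanner logged "open".
    irule_style_reject(listener)
    listener.close()
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

Running it prints `vs_port: open` and `unused_port: closed`: the accepting listener is reported open even though every connection is immediately reset, which is exactly what the CLIENT_ACCEPTED iRule produces. The third state, "filtered", is what a packet filter or upstream firewall (the reply's recommendation) yields, because the SYN is dropped before the host answers; that case cannot be shown on plain loopback without raw-packet privileges.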