For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jimmy_87630's avatar
Jimmy_87630
Icon for Nimbostratus rankNimbostratus
Jul 13, 2009

Possible Design Issue?

Hello,     I appreciate any ridicule and/or assistance.     I have an LTM 6800 operating in a carrier class ISP environment. I have 6 UNIX based SMTP servers sitting behind the ...
config
design
Jimmy_87630's avatar
Jimmy_87630
Icon for Nimbostratus rankNimbostratus
Jul 14, 2009
I'm posting relevant bits of the LTM configuration. 

     
 virtual SMTP {     
 pool smtp     
 destination 24.24.24.254:smtp     
 ip protocol tcp     
 rules SMTP_RATE_LIMIT     
 }     
 virtual VS_OUT_226 {     
 ip forward     
 destination any:any     
 mask none     
 vlans Relay_Services     
 external-relay enable     
 rules RELAY_SERVICES_OUT     
 }

Here's the IRULE I use to setup the SNATs to set SMTP server public IPs. I was going to use the Hosts / Svcs data classes to bypass the SNAT for DNS traffic. Currently those datagroups are empty. 

     
 rule RELAY_SERVICES_OUT {     
 when CLIENT_ACCEPTED {     
      
 if { [matchclass [IP::client_addr] equals $::Hosts]} {     
      
 if { [matchclass [UDP::local_port] equals $::Svcs]} {    
 node 24.24.24.1   
 } else {     
 switch [ IP::client_addr ] {     
 172.28.6.11 { snat 24.24.24.11 }     
 172.28.6.12 { snat 24.24.24.12 }     
 default { node 24.24.24.1 }     
 }     
 }     
 }     
 node 24.24.24.1     
 }     
 }
Related Content