Forum Discussion
Question about iRULE (whitelist port and IP)
Hello Guys,
I am trying to write an iRULE for the following scenario.
We are trying to restrict traffic between shared services and client vLANs. So from the client vLAN they can only reach specific ports like 53, 389 etc. on specific IPs.
e.g. authentication and DNS queries from the client vLAN are only allowed to go to a specific IP if port 53 or 389 matches .... We don't want to open all these ports across the shared vLAN, hence client vLAN to one specific IP in the shared vLAN if the port matches...
So I created the following iRULE:
The iRULE uses two data groups, SHRD_TCP_Port_DG and SHRD_UDP_Port_DG.
I have also created a forwarding VIP with source 0.0.0.0/0 and destination xxx.xxx.xxx.xxx/24 (shared service vLAN). The client will be yyy.yyy.yyy.yyy/26.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals yyy.yyy.yyy.yyy/26] && [IP::addr [IP::client_addr] equals yyy.yyy.yyy.yyy] && [matchclass [TCP::client_port] equals SHRD_TCP_Port_DG ] && [matchclass [TCP::client_port] equals SHRD_UDP_Port_DG] } {
        # Uncomment the line below to turn on logging.
        log local0. "access allowed SHARD : between [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port] - allowed traffic"
        forward
    } else {
        log local0. "access not allowed SHARD: between [IP::client_addr]:[TCP::client_port] and [IP::local_addr]:[TCP::local_port] - rejecting traffic"
        reject
    }
}
I think I am a bit confused as to whether to use client_port, local_port or remote_port.
The above rule doesn't work, as I cannot do any DNS query.
Can someone please take a look at the above iRULE and let me know what I am doing wrong?
Thanks
1 Reply
- Kevin_Stewart
Employee
At the very least you're going to want to use the TCP::local_port command to see port 53 and port 389 traffic. But if I may add, your conditional logic reads like this:
- if the destination address (IP::local_addr) is in a specific subnet (yyy.yyy.yyy.yyy/26)
- and the client address (IP::client_addr) exactly matches a specific address (yyy.yyy.yyy.yyy)
- and the requested port is in the TCP data group
- and the requested port is in the UDP data group
Not sure if this is your intention, but the biggest issues with the above might be:
- Exactly matching a specific client IP address
- Requiring the requested port to be in both data groups
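Putting the reply's points together, here is an added example of how the rule could be written. It is not code from the post or from F5; the subnets (client 10.20.30.0/26, shared services 10.0.0.0/24) and the port values in the data groups are assumptions, and only the two data-group names come from the question. It checks the destination port (local_port) instead of the client's ephemeral source port, matches the client address as a subnet rather than a single host, and consults only the data group for the flow's own protocol. That last point matters on a forwarding virtual server with protocol "all": TCP::local_port is only valid on TCP flows and UDP::local_port only on UDP flows, so calling the wrong one on a DNS packet raises a runtime error and the flow is never allowed, which is consistent with the symptom described.

```tcl
# Added example iRule, not from the post or from F5. Assumed values:
#   client VLAN         10.20.30.0/26
#   shared-services VLAN 10.0.0.0/24
#   data groups SHRD_TCP_Port_DG and SHRD_UDP_Port_DG of type "integer", e.g.
#     tmsh create ltm data-group internal SHRD_TCP_Port_DG type integer records add { 53 88 389 636 }
#     tmsh create ltm data-group internal SHRD_UDP_Port_DG type integer records add { 53 88 123 }
# Attach to a forwarding (IP) virtual server whose protocol is set to "all" so
# that both TCP and UDP flows reach CLIENT_ACCEPTED.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # 1) Source must be in the client VLAN, destination in the shared-services VLAN.
    #    Both are subnet matches; narrow the destination to a /32 if only one
    #    shared-services host should be reachable.
    if { !([IP::addr $src equals 10.20.30.0/26] && [IP::addr $dst equals 10.0.0.0/24]) } {
        log local0. "SHARD deny (addr): $src -> $dst"
        reject
        return
    }

    # 2) Use the port command for the flow's protocol. local_port is the port the
    #    client asked for (destination port), which is what the whitelist is about;
    #    client_port is the client's ephemeral source port and is not useful here.
    set allowed 0
    set dport "n/a"
    switch [IP::protocol] {
        6  {
            set dport [TCP::local_port]
            set allowed [class match $dport equals SHRD_TCP_Port_DG]
        }
        17 {
            set dport [UDP::local_port]
            set allowed [class match $dport equals SHRD_UDP_Port_DG]
        }
        default {
            # ICMP and anything else is not whitelisted.
        }
    }

    if { $allowed } {
        log local0. "SHARD allow: $src -> $dst:$dport proto [IP::protocol]"
        forward
    } else {
        log local0. "SHARD deny (port): $src -> $dst:$dport proto [IP::protocol]"
        reject
    }
}
```

Two things to check after attaching it: confirm the virtual server's protocol is "all" (a TCP-only virtual will never see UDP 53 at all, regardless of the rule), and keep the deny logging but consider dropping the allow log once it is verified, since one log line per flow from an entire client VLAN can flood local0 on the box.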