Forum Discussion

Yuttana_H_20056
May 12, 2015

Recommendation for irule to filter specific Ports

Hi, I'm trying to apply an iRule for passive ports (F5 LTM 11.0). In the KB I found an iRule like this:

when CLIENT_ACCEPTED {
    # start_port and end_port are placeholders: set them to the first and
    # last port of the passive range before using the rule
    set start_port <Start-port>
    set end_port <end-port>
    if { ([TCP::local_port] >= $start_port) && ([TCP::local_port] <= $end_port) } {
        pool app_pool
    } else {
        reject
    }
}

but I think that if I set this for every web server (we have many pools), I have to make an iRule for every pool, and that does not seem to make sense (but if you think it makes sense, please let me know),

because I only want the following: if a user connects to the IP and the connected port is within the condition, just accept it to the pool that is configured in the virtual server.

Does anyone have any suggestion? Please help...

  • Hi,

    Do you intend to filter ports and apply the pool, or just protect ports that will not be used?

    If you just want to filter those ports, do it with packet filtering. But if you prefer an iRule, I would use the event FLOW_INIT instead of CLIENT_ACCEPTED.

    If that is the case, just keep the default pool configured in the VS.

    Did I understand you correctly?

  • I think you almost had what you were looking for, but a switch statement might be easier. Here I send connections going to port 443 to secure_web_pool, ones that connect to port 80 and 8080 to web_pool, and reject any other TCP ports:

    when CLIENT_ACCEPTED {
        switch [TCP::local_port clientside] {
            "443" {
                pool secure_web_pool
            }
            "80" -
            "8080" {
                pool web_pool
            }
            default {
                # any other port: reject the connection and don't do anything else
                reject
            }
        }
    }
    
  • Hi, I apologize that my information might have been misleading...

    Actually, I don't have a problem with the web server, because I use only ports 80 and 443, which I can set up with the basic configuration from the F5 GUI (create node, pool and virtual server).

    But in order to let users upload content, I created a pool with a single server as a repository server and set up an FTP server on this node. I can use the FTP profile to support basic FTP passive mode, but I found that I have a new issue: some FTP clients try to use FTPS by default, and F5 cannot translate the data port configured for FTPS (for example TCP/5000-TCP/5100).

    After searching F5 Support, I found this KB: https://support.f5.com/kb/en-us/solutions/public/6000/000/sol6018.html

    My requirement is only that clients connect to my FTP server via FTPS and that passive ports are also supported. So if I set up the pool for only port 21, it works properly. But if I have to add 100 ports for passive mode, it does not make sense, and I think an iRule can help me with this issue. So right now I am setting up an iRule for the FTP server. The rule is very easy: if a client connects to the server via TCP/21 or TCP/5000-TCP/5100, F5 just accepts it and passes it to the FTP server like a normal connection, that's all.

    But I have many FTP servers, so I don't think that a fixed pool name in the iRule makes sense. What I want is: if I assign this iRule to virtual server VIP-Server1, which maps to pool Server1, then a user who connects to VIP-Server1 should upload content to the server in pool Server1. If I assign this iRule to virtual server VIP-Server2, which maps to pool Server2, then a user who connects to VIP-Server2 should upload content to the server in pool Server2.

    This is the whole requirement.
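One way to meet the requirement in the last post (a single iRule reusable on every FTP virtual server), written here as an added example rather than code from the thread or from F5: the rule never names a pool, so a connection it allows simply falls through to the default pool of whichever virtual server it is attached to. It assumes the port range TCP/5000-5100 mentioned in the post, that each virtual server listens on port "*" (0) so the data-channel ports actually reach the iRule, and that each pool member is also defined with port "*" so the passive data port is preserved rather than translated to 21; the log line and its wording are the example's own choice.

```tcl
# Added example, not part of the original thread or of any F5 KB.
# Attach this one iRule to VIP-Server1, VIP-Server2, ... (all listening on
# port "*"); each virtual server keeps its own default pool.
# Assumed passive range (from the post): TCP/5000-TCP/5100.

when CLIENT_ACCEPTED {
    # Port the client connected to on this virtual server
    set port [TCP::local_port clientside]

    # Allow the FTP control channel and the configured passive data range.
    # Deliberately no "pool" command: the connection is handed to the
    # default pool of the virtual server this rule is attached to.
    if { $port == 21 || ($port >= 5000 && $port <= 5100) } {
        return
    }

    # Anything else on the wildcard listener is dropped; the log line is
    # optional and only gives visibility into what is being rejected.
    log local0. "[virtual name]: rejected [IP::client_addr]:[TCP::client_port] -> port $port"
    reject
}
```

Because the allowed ports are fixed in the rule, the same data port range has to be configured on every FTP server behind these virtual servers; if the servers use different ranges, the range can be moved into a data group or a per-rule variable rather than into a separate copy of the rule per pool.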