Forum Discussion
Tom_Bortels_112
Nimbostratus
Dec 29, 2013
reject not rejecting?
I have to be missing something simple here... setting up a new irule to do a simple whitelist. Here's the whole thing (stolen shamelessly from somewhere else on DevCentral):
when HTTP_REQUEST {
...
nitass
Employee
Dec 31, 2013
It seems it does not work in 10.2.4 too.
config
root@ve10(Active)(tmos) show sys version |grep -A 6 Main\ Package
Main Package
Product BIG-IP
Version 10.2.4
Build 817.0
Edition Hotfix HF7
Date Mon May 20 15:08:56 PDT 2013
root@ve10(Active)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.17:http
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        fasthttp { }
    }
    rules {
        myrule
    }
    snat automap
}
root@ve10(Active)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        reject
        log local0. "reject"
    }
}
trace
[root@ve10:Active] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:52:38.784277 IP 172.28.20.20.51828 > 172.28.20.17.80: S 4111390735:4111390735(0) win 5840 in slot1/tmm0 lis=
10:52:38.784329 IP 172.28.20.17.80 > 172.28.20.20.51828: S 413864687:413864687(0) ack 4111390736 win 4380 out slot1/tmm0 lis=bar
10:52:38.785331 IP 172.28.20.20.51828 > 172.28.20.17.80: . ack 1 win 5840 in slot1/tmm0 lis=bar
10:52:38.785337 IP 172.28.20.20.51828 > 172.28.20.17.80: P 1:156(155) ack 1 win 5840 in slot1/tmm0 lis=bar
10:52:38.785441 IP 200.200.200.16.65423 > 200.200.200.101.80: S 3491750769:3491750769(0) win 4380 out slot1/tmm0 lis=
10:52:38.786573 IP 200.200.200.101.80 > 200.200.200.16.65423: S 920090142:920090142(0) ack 3491750770 win 5840 in slot1/tmm0 lis=
10:52:38.786583 IP 200.200.200.16.65423 > 200.200.200.101.80: . ack 1 win 4380 out slot1/tmm0 lis=
10:52:38.786588 IP 200.200.200.16.65423 > 200.200.200.101.80: P 1:156(155) ack 1 win 5840 out slot1/tmm0 lis=
10:52:38.787350 IP 200.200.200.101.80 > 200.200.200.16.65423: . ack 156 win 6432 in slot1/tmm0 lis=
10:52:38.788472 IP 200.200.200.101.80 > 200.200.200.16.65423: P 1:244(243) ack 156 win 6432 in slot1/tmm0 lis=
10:52:38.788483 IP 172.28.20.17.80 > 172.28.20.20.51828: P 1:244(243) ack 156 win 6432 out slot1/tmm0 lis=bar
10:52:38.789596 IP 172.28.20.20.51828 > 172.28.20.17.80: . ack 244 win 6432 in slot1/tmm0 lis=bar
10:52:38.789607 IP 172.28.20.20.51828 > 172.28.20.17.80: F 156:156(0) ack 244 win 6432 in slot1/tmm0 lis=bar
10:52:38.789613 IP 172.28.20.17.80 > 172.28.20.20.51828: F 244:244(0) ack 157 win 4380 out slot1/tmm0 lis=bar
10:52:38.791293 IP 172.28.20.20.51828 > 172.28.20.17.80: . ack 245 win 6432 in slot1/tmm0 lis=bar
10:52:38.889555 IP 200.200.200.16.65423 > 200.200.200.101.80: . ack 244 win 4380 out slot1/tmm0 lis=
/var/log/ltm
[root@ve10:Active] config tail /var/log/ltm
Dec 31 10:52:38 local/tmm info tmm[4922]: Rule myrule : reject
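The comparison made in the post above (rule logged, yet the client got a response) can be automated. This is an added example, not part of the original thread: it reads client-side tcpdump lines and /var/log/ltm and flags the case where the iRule fired but the virtual server still returned payload. The function names and the reset trace are constructed for illustration.

```python
import re

# Old-style tcpdump line with the F5 "in/out slotN/tmmN lis=" trailer.
PKT = re.compile(r"IP (\S+) > (\S+): ([SFPRWE.]+) (?:\d+:\d+\((\d+)\))?")

# Client-side lines copied from the trace in the post above.
PAGE_TRACE = """\
10:52:38.784277 IP 172.28.20.20.51828 > 172.28.20.17.80: S 4111390735:4111390735(0) win 5840 in slot1/tmm0 lis=
10:52:38.784329 IP 172.28.20.17.80 > 172.28.20.20.51828: S 413864687:413864687(0) ack 4111390736 win 4380 out slot1/tmm0 lis=bar
10:52:38.785337 IP 172.28.20.20.51828 > 172.28.20.17.80: P 1:156(155) ack 1 win 5840 in slot1/tmm0 lis=bar
10:52:38.788483 IP 172.28.20.17.80 > 172.28.20.20.51828: P 1:244(243) ack 156 win 6432 out slot1/tmm0 lis=bar
"""
PAGE_LOG = "Dec 31 10:52:38 local/tmm info tmm[4922]: Rule myrule : reject\n"

# Constructed for contrast (not from the post): the virtual server answers with a reset.
RST_TRACE = """\
10:00:00.000100 IP 172.28.20.20.51900 > 172.28.20.17.80: S 100:100(0) win 5840 in slot1/tmm0 lis=
10:00:00.000200 IP 172.28.20.17.80 > 172.28.20.20.51900: R 0:0(0) ack 101 win 0 out slot1/tmm0 lis=bar
"""

def vip_verdict(trace, vip):
    """Classify what the virtual server (given as ip.port) sent to clients."""
    payload = resets = 0
    for line in trace.splitlines():
        m = PKT.search(line)
        if not m or m.group(1) != vip:
            continue  # only packets sourced from the virtual server
        resets += "R" in m.group(3)
        payload += int(m.group(4) or 0)
    if payload:
        return "served"  # response bytes reached the client
    return "rejected" if resets else "inconclusive"

def rule_fired(ltm_log, rule):
    """Count /var/log/ltm lines written by the named iRule."""
    return sum(f"Rule {rule} " in line for line in ltm_log.splitlines())

def reject_ineffective(trace, ltm_log, vip, rule):
    """True when the rule logged but the client was still served."""
    return rule_fired(ltm_log, rule) > 0 and vip_verdict(trace, vip) == "served"

if __name__ == "__main__":
    print(vip_verdict(PAGE_TRACE, "172.28.20.17.80"))
    print(reject_ineffective(PAGE_TRACE, PAGE_LOG, "172.28.20.17.80", "myrule"))
```

Only packets sourced from the virtual server address are counted, so the server-side flow (200.200.200.x in the post) does not affect the verdict.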
