Request for interpretation of iRule entries in ltm log and further troubleshooting steps
I have set up a wildcard forwarding virtual server in order to let outbound traffic from backend servers through the F5 to the internet. In order to restrict the permitted traffic (DNS, HTTP, HTTPS, NTP and ICMP) I have created the following iRule and associated it with the VS:
when CLIENT_ACCEPTED {
    # Permit ICMP, TCP to 53/80/443 and UDP to 53/123; reject everything else.
    # The IP protocol is checked before any TCP:: or UDP:: command so that each
    # port command only runs on a flow of the matching protocol ("and"/"or"
    # short-circuit, so the wrong-protocol branch is never evaluated).
    set proto [IP::protocol]
    if { not (
        ($proto == 1)
        or ($proto == 6 and ([TCP::local_port] == 53 or [TCP::local_port] == 80 or [TCP::local_port] == 443))
        or ($proto == 17 and ([UDP::local_port] == 53 or [UDP::local_port] == 123))
    ) } then {
        reject
        switch $proto {
            6 {
                log local0. "Request rejected from backend server: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
            }
            17 {
                # UDP flows must use UDP::local_port (the original used TCP::local_port here)
                log local0. "Request rejected from backend server: [IP::client_addr]:[UDP::client_port] -> [IP::local_addr]:[UDP::local_port]"
            }
            default {
                # Other IP protocols carry no L4 port, so only addresses are logged
                log local0. "Request rejected from backend server: [IP::client_addr], IP Protocol $proto -> [IP::local_addr]"
            }
        }
    }
}
I would expect this iRule to log only connections where the backend server initiates the connection. However, in some cases it also logs connections that I expect to have been initiated from the internet towards the backend servers. I am logging those as well now, and in the ltm log I can see the following behaviour:
Feb 19 11:00:49 f5-ltm info tmm1[21115]: Rule /Common/ir_inbound : Connection from external_host:34450 -> vs_ip:443
Feb 19 11:00:49 f5-ltm info tmm2[21115]: Rule /Common/ir_inbound : Connection from external_host:34454 -> vs_ip:443
Feb 19 11:00:49 f5-ltm info tmm[21115]: Rule /Common/ir_inbound : Connection from external_host:34458 -> vs_ip:443
[non-failing connections snipped]
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34454
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34454
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34454
As you can see, the inbound connections get accepted, but for some of them it looks as if the response two seconds later gets interpreted as a new connection and therefore dropped. It happens maybe once or twice per day, at irregular intervals, and has no massive impact as it is only a monitoring tool that then gets the required information the next time.
Several questions:
- Why, oh why does that happen? 🙂
- What can I do to further troubleshoot these connections without massive impact on the system?
- What does it mean if the connection shows 0 as the source port?
Thanks in advance!
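As an added troubleshooting aid (this is example code written for this page, not something from the post or from F5), the script below parses ltm log lines in the format shown above and correlates each `ir_filter_out` rejection with an earlier `ir_inbound` acceptance whose external client host and port equal the rejection's destination. That is exactly the pattern in the excerpt: a flow accepted inbound on one side, then "rejected from backend server" towards the same client tuple a couple of seconds later. It also flags entries with source port 0 and reports which TMM instance handled each side. The rule names `/Common/ir_inbound` and `/Common/ir_filter_out` are taken from the log excerpt; the sample log text is constructed from that excerpt with placeholder hostnames, plus one unrelated rejection so the "other" bucket is exercised.

```python
"""Correlate F5 ltm log entries from an inbound-accept iRule and an outbound-filter iRule."""
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample modelled on the log excerpt in the post (placeholder hosts/ports).
SAMPLE_LOG = """\
Feb 19 11:00:49 f5-ltm info tmm1[21115]: Rule /Common/ir_inbound : Connection from external_host:34450 -> vs_ip:443
Feb 19 11:00:49 f5-ltm info tmm2[21115]: Rule /Common/ir_inbound : Connection from external_host:34454 -> vs_ip:443
Feb 19 11:00:49 f5-ltm info tmm[21115]: Rule /Common/ir_inbound : Connection from external_host:34458 -> vs_ip:443
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34458
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:443 -> external_host:34454
Feb 19 11:00:51 f5-ltm info tmm2[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:0 -> external_host:34454
Feb 19 11:05:00 f5-ltm info tmm[21115]: Rule /Common/ir_filter_out : Request rejected from backend server: backend_host:51234 -> other_host:25
"""

# Syslog timestamp (no year), host, level, TMM instance, iRule name, free text,
# then "src:sport -> dst:dport". Hostnames/IPv4 only; IPv6 literals would need
# a different address pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \w+ (?P<tmm>tmm\d*)\[\d+\]: "
    r"Rule (?P<rule>\S+) : (?P<msg>.*?)"
    r"(?P<src>[\w.-]+):(?P<sport>\d+) -> (?P<dst>[\w.-]+):(?P<dport>\d+)\s*$"
)

Entry = namedtuple("Entry", "ts tmm rule msg src sport dst dport raw")


def parse_line(line):
    """Return an Entry for a recognised iRule log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Year is absent in syslog timestamps; strptime defaults it, which is fine for deltas.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return Entry(ts, m["tmm"], m["rule"], m["msg"].strip(" :"),
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]), line.rstrip())


def analyze(log_text, inbound_rule="/Common/ir_inbound",
            filter_rule="/Common/ir_filter_out"):
    """Bucket outbound rejections: reverse of an accepted inbound flow, source port 0, other."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    # Accepted inbound flows keyed by the external client's (host, port).
    inbound = {(e.src, e.sport): e for e in entries if e.rule == inbound_rule}
    report = {"reverse_of_inbound": [], "zero_source_port": [], "other": []}
    for e in entries:
        if e.rule != filter_rule:
            continue
        if e.sport == 0:
            report["zero_source_port"].append(e.raw)
        match = inbound.get((e.dst, e.dport))
        if match is not None:
            report["reverse_of_inbound"].append({
                "reject": e.raw, "inbound": match.raw,
                "delay_s": (e.ts - match.ts).total_seconds(),
                "backend_port": e.sport, "inbound_vs_port": match.dport,
                "tmm_reject": e.tmm, "tmm_inbound": match.tmm})
        else:
            report["other"].append(e.raw)
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["reverse_of_inbound"]:
        print(f"{hit['delay_s']:.0f}s after inbound on {hit['tmm_inbound']}: "
              f"reject on {hit['tmm_reject']} from backend port {hit['backend_port']}")
    print("source port 0:", len(result["zero_source_port"]),
          "| unexplained rejects:", len(result["other"]))
```

Feed it the relevant slice of `/var/log/ltm` and the `reverse_of_inbound` entries give you the (inbound timestamp, reject timestamp, TMM, backend port) tuples to look at, which is what you would hand to support or compare against a packet capture of that one client tuple. The `other` bucket should contain only genuine backend-initiated traffic; anything there that matches an inbound flow the inbound iRule did not log is worth a second look.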