Forum Discussion
Joern_Oltmann
Nimbostratus
Feb 11, 2013
Restrict Access for outgoing connect
Hi all,
One question. My internal App-Server uses Google Maps, so I would like to restrict these servers to the Google network only. My first idea: an outgoing virtual server on my BIG-IP. That is very easy with an iRule. But Google has 10 networks, which means 10 virtual servers, one for each network. Not a good solution, or? Has anyone a better solution for me?
9 Replies
- nitass
Employee
Isn't it just one wildcard virtual server (0.0.0.0/0)?? Did I miss something?
- What_Lies_Bene1
Cirrostratus
I agree with Nitass, you should configure a wildcard Virtual Server. You can then either use a Packet Filter or an iRule to restrict the traffic flow, for instance:

Create a Data Group (called destination_ips below) with just the IP addresses/networks of the hosts you'd like to allow access to:

    when CLIENT_ACCEPTED {
        # Reject any connection whose destination is not in the allowed data group
        if { not [class match [IP::local_addr] equals destination_ips] } {
            reject
        }
    }

You could also add a source host check to ensure only specific servers are permitted access.
- Joern_Oltmann
Nimbostratus
That may be the problem:
I have one wildcard server only for two specific hosts.
These two hosts have access to all networks with HTTP. But my App-Server should only connect to Google with HTTP/HTTPS.
Is it possible to create two wildcard servers??? And which wildcard server is used?
Thanks for help
Jörn
- nitass
Employee
You cannot have two virtual servers listening on the same address and port. Same address but a different port is okay. Anyway, I think combining them into one wildcard virtual server would be better.
sol6459: Order of precedence for virtual server matching
http://support.f5.com/kb/en-us/solutions/public/6000/400/sol6459.html
- What_Lies_Bene1
Cirrostratus
OK, I think this covers it. Let me know if I need to restrict the two servers to port 80 only:

addresses/networks of the hosts you'd like to allow access to for a particular source

    when CLIENT_ACCEPTED {
        # Is this the app server?
        if { [IP::addr [IP::client_addr] equals 1.1.1.1] } {
            # Is it going to a Google IP?
            if { not [class match [IP::local_addr] equals destination_ips] } {
                # If not, reject the traffic
                reject
                # Stop processing the rule
                return
            }
        # Is this one of the servers with full access?
        # (the posted "{11.1.1.1 or 11.1.1.2}" is not valid iRule syntax; each address is compared separately)
        } elseif { [IP::addr [IP::client_addr] equals 11.1.1.1] || [IP::addr [IP::client_addr] equals 11.1.1.2] } {
            # Stop processing the rule (allow the traffic to anywhere)
            return
        } else {
            # Reject the traffic if there is no match above
            reject
        }
    }

- Joern_Oltmann
Nimbostratus
Hi, looks good, but is it possible to use a hostname like api.google.com instead of IP networks (Google has a lot of networks ;-)
- What_Lies_Bene1
Cirrostratus
We could do that (for HTTP, not HTTPS) but you would have to apply an HTTP profile to the VS and then it would only be able to handle HTTP traffic, not SSL/TLS or anything else.
You could create a specific port 80 wildcard VS but that still wouldn't help with the HTTPS connections. I guess you could mix and match as you need. Myself, I'd use the rule and build that list.
- Joern_Oltmann
Nimbostratus
Hi Steve,
Now I use a DataGroup instead of IPs in the iRules. But it works fine!
Thanks a lot for help!!!!!!
Regards
Jörn
- What_Lies_Bene1
Cirrostratus
Sounds good, you're welcome. Have you tested from a 'disallowed' host to be sure? [Just checkin' =]
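Putting the thread together, here is the per-source rule from the earlier reply rewritten to use data groups for the sources as well, which is the approach Jörn says he ended up with. This is an added example, not code from either poster; the data group names (app_servers, full_access_hosts, destination_ips) are assumptions, all three are assumed to be address-type data groups, and the wildcard VS is assumed to be TCP so that TCP::local_port is valid in CLIENT_ACCEPTED.

```tcl
# Added example: one wildcard VS, sources and destinations both in data groups.
# Assumed address data groups (names are assumptions):
#   app_servers       - the App-Server IPs (Google only, HTTP/HTTPS only)
#   full_access_hosts - the two hosts allowed to reach any network
#   destination_ips   - Google's networks
when CLIENT_ACCEPTED {
    # Hosts with full outbound access: allow and stop processing the rule
    if { [class match [IP::client_addr] equals full_access_hosts] } {
        return
    }

    # App servers: allow only Google networks on ports 80 and 443
    if { [class match [IP::client_addr] equals app_servers] } {
        if { [class match [IP::local_addr] equals destination_ips] } {
            if { [TCP::local_port] == 80 || [TCP::local_port] == 443 } {
                return
            }
        }
        # Log the rejection so a test from a disallowed destination is visible in /var/log/ltm
        log local0. "Rejected app server [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
        reject
        return
    }

    # Any other source reaching this wildcard VS is rejected and logged
    log local0. "Rejected unknown source [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
    reject
}
```

The log lines answer the last question in the thread: a connection attempt from a disallowed host, or from an app server to a non-Google address, shows up as a "Rejected" entry in the LTM log.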