Forum Discussion
Chris_Stamm_183
Nimbostratus
Aug 10, 2005
RPC load balancing among multiple tiers using iRules, pools and forwarding
Scenario:
We have an app that uses...
TCP port 7496 for one piece.
TCP port 3372 for another piece.
TCP port 135 for DTC that will renegotiate a high port in this case we set the RPC rang...
Chris_Stamm_183
Nimbostratus
Aug 11, 2005
For some reason all ports are being allowed through in both circumstances. AKA I can telnet to the APPVIP (169.25.5.23) address that is listening on the external VLAN on TCP port 3389 (remote desktop, since I know it is listening on all the devices on the internal VLAN) and a machine responds. I would think it should discard (drop the packet, deny, send a RST). Here is the information I filled out for the VIP and the code for the iRule. As always, your help is much appreciated.
------------------------------------------------------------------------
Name APPVIP
Destination Type: host
Address: 169.25.5.23
Service Port 0
State Enabled
Configuration: Advanced
Type Standard
Protocol: TCP
Protocol Profile (Client) tcp
Protocol Profile (Server) (Use Client Profile)
OneConnect Profile None
HTTP Profile None
FTP Profile None
SSL Profile (Client) None
SSL Profile (Server) None
Authentication Profiles
Stream Profile None
VLAN Traffic Enabled On internal
Connection Limit 0
Address Translation Disabled
Port Translation Disabled
SNAT Pool None
Clone Pool (Client) None
Clone Pool (Server) None
Last Hop Pool None
THIS iRULE IS ASSOCIATED WITH THE ABOVE VIP
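when CLIENT_ACCEPTED {
    # Select a pool by the destination port the client connected to.
    # 135, 3372 and 7496-7499 share APP_POOL; 40000-43999 get one pool per 1000-port block.
    # Any other port reaches the default arm, which calls discard.
    switch -glob [TCP::local_port] {
        135 -
        3372 -
        749[6789] { pool APP_POOL }
        40??? { pool L6APP01 }
        41??? { pool L6APP02 }
        42??? { pool L6APP03 }
        43??? { pool L6APP04 }
        default { discard }
    }
}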
------------------------------------------------------------------------
Name TIER1_PNET_PORTS
Destination Type: Network
Address: 169.25.5.0
Mask: 255.255.255.224
Service Port 0
State Enabled
Configuration: Advanced
Type Standard
Protocol: TCP
Protocol Profile (Client) tcp
Protocol Profile (Server) (Use Client Profile)
OneConnect Profile None
HTTP Profile None
FTP Profile None
SSL Profile (Client) None
SSL Profile (Server) None
Authentication Profiles
Stream Profile None
VLAN Traffic Enabled On internal
Connection Limit 0
Address Translation Disabled
Port Translation Disabled
SNAT Pool None
Clone Pool (Client) None
Clone Pool (Server) None
Last Hop Pool None
THIS iRULE IS ASSOCIATED WITH THE ABOVE VIP
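when CLIENT_ACCEPTED {
    # 135, 3372, 7496-7499 and 40000-44999 are forwarded.
    # Any other port reaches the default arm, which calls discard.
    switch -glob [TCP::local_port] {
        135 -
        3372 -
        749[6789] -
        4[01234]??? { forward }
        default { discard }
    }
}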
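An offline model of the two iRules' `switch -glob` tables, added here as an example and not part of the original post: it shows which arm each rule's patterns select for a given destination port, including the `-` fall-through arms. It assumes Python's `fnmatchcase` agrees with Tcl glob matching for the `?` and `[...]` patterns used above; `decide` and `disagreements` are hypothetical helper names, and the model covers only the pattern logic, not how BIG-IP picks a virtual server or handles the packet.

```python
from fnmatch import fnmatchcase

# Pattern tables transcribed from the two iRules in the post.
# None as an action models Tcl's "-" (fall through to the next body).
APPVIP_RULE = [
    ("135", None), ("3372", None), ("749[6789]", "pool APP_POOL"),
    ("40???", "pool L6APP01"), ("41???", "pool L6APP02"),
    ("42???", "pool L6APP03"), ("43???", "pool L6APP04"),
]
TIER1_RULE = [
    ("135", None), ("3372", None), ("749[6789]", None),
    ("4[01234]???", "forward"),
]

def decide(rule, port, default="discard"):
    """Return the action the first matching arm of a switch -glob selects."""
    text = str(port)
    for i, (pattern, _) in enumerate(rule):
        if fnmatchcase(text, pattern):
            # Follow "-" arms down to the first arm that has a body.
            for _, later in rule[i:]:
                if later is not None:
                    return later
            return default
    return default  # no arm matched: the default arm runs

def disagreements(ports):
    """Ports that one rule admits and the other sends to discard."""
    out = []
    for p in ports:
        a, b = decide(APPVIP_RULE, p), decide(TIER1_RULE, p)
        if (a == "discard") != (b == "discard"):
            out.append((p, a, b))
    return out

if __name__ == "__main__":
    # Constructed sample ports, chosen around the edges of each pattern.
    for port in (135, 3372, 7496, 7495, 3389, 40000, 43999, 44000, 4000):
        print(port, decide(APPVIP_RULE, port), "|", decide(TIER1_RULE, port))
    diff = disagreements(range(1, 65536))
    print(len(diff), "ports differ, first:", diff[0], "last:", diff[-1])
```

In this model port 3389 reaches `discard` under both tables, and the only ports the two tables treat differently are 44000-44999, which `4[01234]???` forwards but the APPVIP rule has no arm for.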