Forum Discussion

Tyler_Hardison_'s avatar
Tyler_Hardison_
Icon for Nimbostratus rankNimbostratus
Jan 24, 2014

Sideband for connections that are not going to a pool?

Hi There! I'm trying to inject a sideband check that queries an internal server for dns blacklisting on the source IP addresses. Because I'm not using pools (low traffic legacy websites) I'm trying...
application delivery
devops
iRules
  • Aaron_Forster_3's avatar
    Aaron_Forster_3
    Jan 24, 2014

    I would use a datagroup for the URL lookup instead of statically modifying the iRule every time you need to make a change. You could do the side band connection in client_accepted like kevin states, then you don't have to continue processing for blacklisted IPs.

    when CLIENT_ACCEPTED {
    set clientAddress [IP::client_addr]

     Do sideband connection like described here
    https://devcentral.f5.com/wiki/irules.sideband-connection-http-example.ashx

    if { sideband tells us this is a bad IP address } {
         Drop it on the floor.
        drop
    }

     If it's not a blacklisted IP we let it continue

}
when HTTP_REQUEST {
    class match here for destination IP based on [HTTP::host]
    https://devcentral.f5.com/wiki/irules.class.ashx
}

    Here's a more elaborate access control iRule which uses data groups instead of a sideband connection

    https://devcentral.f5.com/wiki/iRules.AccessControlBasedOnNetworkOrHost.ashx

Tyler_Hardison_'s avatar
Tyler_Hardison_
Icon for Nimbostratus rankNimbostratus
Jan 24, 2014

The backend will be a REST service that does several different checks. The URL looks like:

 

http://thisserver.local/ipcheck?address=1.1.1.1

 

It returns:

 

Things are OK. { ip: "1.1.1.1", status: "no" }

 

Things are not OK. { ip: "1.1.1.1", status: "some long string, but not no"}

 

If necessary, I could (in theory) make it not HTTP. But the server for checking stores most transactions in memory. Also, performance is not a top priority as much as security is.