Forum Discussion

Tyler_Hardison_'s avatar
Tyler_Hardison_
Icon for Nimbostratus rankNimbostratus
Jan 24, 2014

Sideband for connections that are not going to a pool?

Hi There! I'm trying to inject a sideband check that queries an internal server for dns blacklisting on the source IP addresses. Because I'm not using pools (low traffic legacy websites) I'm trying...
application delivery
devops
iRules
  • Aaron_Forster_3's avatar
    Aaron_Forster_3
    Jan 24, 2014

    I would use a datagroup for the URL lookup instead of statically modifying the iRule every time you need to make a change. You could do the side band connection in client_accepted like kevin states, then you don't have to continue processing for blacklisted IPs.

    when CLIENT_ACCEPTED {
    set clientAddress [IP::client_addr]

     Do sideband connection like described here
    https://devcentral.f5.com/wiki/irules.sideband-connection-http-example.ashx

    if { sideband tells us this is a bad IP address } {
         Drop it on the floor.
        drop
    }

     If it's not a blacklisted IP we let it continue

}
when HTTP_REQUEST {
    class match here for destination IP based on [HTTP::host]
    https://devcentral.f5.com/wiki/irules.class.ashx
}

    Here's a more elaborate access control iRule which uses data groups instead of a sideband connection

    https://devcentral.f5.com/wiki/iRules.AccessControlBasedOnNetworkOrHost.ashx

Aaron_Forster_3's avatar
Aaron_Forster_3
Historic F5 Account
Jan 24, 2014

I would use a datagroup for the URL lookup instead of statically modifying the iRule every time you need to make a change. You could do the side band connection in client_accepted like kevin states, then you don't have to continue processing for blacklisted IPs.

when CLIENT_ACCEPTED {
    set clientAddress [IP::client_addr]

     Do sideband connection like described here
    https://devcentral.f5.com/wiki/irules.sideband-connection-http-example.ashx

    if { sideband tells us this is a bad IP address } {
         Drop it on the floor.
        drop
    }

     If it's not a blacklisted IP we let it continue

}
when HTTP_REQUEST {
    class match here for destination IP based on [HTTP::host]
    https://devcentral.f5.com/wiki/irules.class.ashx
}

Here's a more elaborate access control iRule which uses data groups instead of a sideband connection

https://devcentral.f5.com/wiki/iRules.AccessControlBasedOnNetworkOrHost.ashx