Forum Discussion
John_Masgalas_4
Nimbostratus
Feb 22, 2008
smtp access control
We are testing a proof of concept of load balancing our smtp servers. It seems to be working fine except that the smtp servers see the bigip IP address instead of the client address. This is due to us using SNAT. This in turn takes the acl on the smtp servers completely out. So I wanted to see whether I could write an iRule to only accept certain clients. Something like the below:
If client ip matches (10.32.77.2, 10.32.77.84, 172.17.40.26)
use pool (smtp_pool)
else reject
Now I am not good at writing iRules at all so I am not sure how to go about it. Can someone help me out?
2 Replies
- kykong_107132
Nimbostratus
Hi,
You can use match class. Create a data group (class) with all the legitimate client IP addresses. Use an iRule to check whether the IP address is within the data group; if not, drop it.
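class clientIP {
    1.1.1.1
    2.2.2.2
    3.3.3.3
}
when CLIENT_ACCEPTED {
    # [IP::remote_addr] is still the real client address here
    if { [matchclass [IP::remote_addr] equals $::clientIP] } {
        # Listed client: load balance to the SMTP pool
        pool smtp_pool
    } else {
        # Unlisted client: refuse the connection
        reject
    }
}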
regards,
KY
- kykong_107132
Nimbostratus
Hi Nat,
I agree with you. A packet filter is another option, but you must be very careful when configuring a packet filter, because it might affect other traffic to other virtual servers.
regards,
KY
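Added example, not part of the original thread and not F5 code: a dry run of the proposed allow list against SMTP connection logs, to see which clients the iRule would reject before it is enabled. It assumes Postfix-style "connect from" log lines recorded before SNAT was turned on (the thread does not name the SMTP server); the sample log and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The three client addresses from the question. An address data group can
# also hold networks, so every entry is parsed as a network (a host is a /32).
ALLOWED = ["10.32.77.2", "10.32.77.84", "172.17.40.26"]

# Constructed sample in Postfix-style format (an assumption, see lead-in).
SAMPLE_LOG = """\
Feb 20 09:14:02 mx1 postfix/smtpd[2211]: connect from app1[10.32.77.2]
Feb 20 09:14:09 mx1 postfix/smtpd[2213]: connect from unknown[10.32.77.85]
Feb 20 09:15:30 mx1 postfix/smtpd[2217]: connect from relay[172.17.40.26]
Feb 20 09:16:44 mx1 postfix/smtpd[2219]: connect from unknown[10.32.77.85]
Feb 20 09:17:01 mx1 postfix/smtpd[2222]: connect from scanner[192.168.5.9]
Feb 20 09:18:12 mx1 postfix/smtpd[2230]: connect from unknown[unknown]
"""

CONNECT_RE = re.compile(r"connect from \S*\[([^\]]+)\]")


def load_group(entries):
    """Parse host and CIDR entries into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(addr, group):
    """Mirror the iRule test: is the client address inside the data group?"""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in group)


def dry_run(log_text, entries):
    """Return Counters of (allowed, rejected) client IPs seen in the log."""
    group = load_group(entries)
    allowed, rejected = Counter(), Counter()
    for match in CONNECT_RE.finditer(log_text):
        try:
            ok = is_allowed(match.group(1), group)
        except ValueError:  # address field is not an IP: skip the line
            continue
        (allowed if ok else rejected)[match.group(1)] += 1
    return allowed, rejected


if __name__ == "__main__":
    allowed, rejected = dry_run(SAMPLE_LOG, ALLOWED)
    for ip, count in rejected.most_common():
        print(f"would be rejected: {ip} ({count} connections)")
```

Any address in the rejected set that belongs to a legitimate sender needs a data group entry before the iRule is attached to the virtual server.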
