Forum Discussion

f51
Aug 06, 2018

SMTP VIP

Hi DC Experts,

Created a VIP for SMTP from the 10.x.x.x/28 range. But now we want to allow traffic from different subnets through the F5. Can we do that? If we can, please suggest steps for that.

Ex: Source from 10.x.x.x/28, 11.x.x.x/28, 12.x.x.x/28; Destination: VIP

 

Thanks in advance.


  • You can do an iRule based on source IP addresses. Add a data group first with the IP addresses you want to allow; you can find data groups under Local Traffic Manager iRules. Set up your allowed IP addresses, then you can apply the below iRule on your virtual server:

    when CLIENT_ACCEPTED {
        # "allow" is the address-type data group holding the permitted source IPs/subnets
        if { not ([class match [IP::client_addr] equals allow]) } {
            reject
        }
    }

  • If you don't want to use the iRule setup, the F5 has a feature called packet filters.

    First, create a rule to allow your source IP subnets to connect to the VIP on port 25. Second, create a rule to reject/discard any traffic to your VIP on port 25.

    That is it. The packet filters have a built-in option to log as well, so you can test it out and see if it blocks incoming connections. The nice thing is the packet filter can either send a connection reset or, when discard is selected, silently drop the connection, which is pretty cool from a security perspective.

    Here below is an example of my packet filter configuration:

    root@(bipipbrplab01)(cfg-sync Disconnected)(Active)(/Common)(tmos) list net packet-filter
    net packet-filter allowtoport80 {
        action accept
        order 5
        rule "( src net 172.16.1.14/32 ) and ( dst net 10.1.10.11/32 ) and ( dst port 80 )"
    }
    net packet-filter blocktoport80 {
        action reject
        logging enabled
        order 10
        rule "( src net 192.168.1.0/24 ) and ( dst net 10.1.10.11/32 ) and ( dst port 80 )"
    }
    root@(bipipbrplab01)(cfg-sync Disconnected)(Active)(/Common)(tmos)

    Logs:


    Wed Aug 8 10:45:52 SAST 2018 notice 01250004 /Common/blocktoport80 (1): reject on /Common/external, len: 66 [IPv4 52 192.168.1.15 -> 10.1.10.11 TCP 52231 -> 80 S]
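Added example, not from the thread and not F5's own code: a small Python model of the packet-filter approach described above (rules checked in order, first match wins) for an SMTP VIP that must admit several source subnets, plus a parser for the log line format shown in the answer. The subnets, VIP address, rule names and the default unhandled-packet action are constructed assumptions.

```python
import ipaddress
import re

# (order, name, action, allowed source nets, destination net, destination port)
# Subnets, VIP address and rule names are constructed placeholders (assumption).
RULES = [
    (5, "allowsmtp", "accept",
     ["10.0.0.0/28", "11.0.0.0/28", "12.0.0.0/28"], "10.1.10.11/32", 25),
    # Catch-all after the allow rule: 'discard' drops silently, 'reject' resets.
    (10, "blocksmtp", "discard", ["0.0.0.0/0"], "10.1.10.11/32", 25),
]


def evaluate(src_ip, dst_ip, dst_port, rules=RULES):
    """Return (rule name, action) of the first rule, by order, that matches.
    No match yields (None, "accept"): the unhandled-packet action is assumed
    to be left at its default of accept."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for _order, name, action, src_nets, dst_net, port in sorted(rules, key=lambda r: r[0]):
        if dst_port != port or dst not in ipaddress.ip_network(dst_net):
            continue
        if any(src in ipaddress.ip_network(n) for n in src_nets):
            return name, action
    return None, "accept"


# Field layout of the log line quoted in the answer, e.g.
# "... /Common/blocktoport80 (1): reject on /Common/external, len: 66
#  [IPv4 52 192.168.1.15 -> 10.1.10.11 TCP 52231 -> 80 S]"
LOG_RE = re.compile(
    r"(?P<filter>/\S+) \((?P<hits>\d+)\): (?P<action>\w+) on (?P<vlan>/[^,]+), "
    r"len: (?P<len>\d+) \[IPv4 \d+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<proto>\w+) (?P<sport>\d+) -> (?P<dport>\d+)"
)


def parse_filter_log(line):
    """Pull the matched filter, action and 5-tuple out of one packet-filter
    log line, or return None when the line is not such an event."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("hits", "len", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec
```

Swapping the allow and block orders in RULES shows why the accept rule must carry the lower order number: the catch-all would then match first and the permitted subnets would be dropped too.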