Forum Discussion
SMTP VIP
If you don't want to use the iRule setup, the F5 has a feature called packet filters.
1st, create a rule to allow your source IP subnets to connect to the VIP on port 25; 2nd, create a rule to reject/discard any to your VIP on port 25.
That is it. The packet filters have the built-in option to log as well, so you can test it out and see if it blocks incoming connections. The nice thing is the packet filter can either send a connection reset or, when discard is selected, silently drop the connection, which is pretty cool from a security perspective.
Here below is an example of my packet filter configuration:
```
root@(bipipbrplab01)(cfg-sync Disconnected)(Active)(/Common)(tmos) list net packet-filter
net packet-filter allowtoport80 {
    action accept
    order 5
    rule "( src net 172.16.1.14/32 ) and ( dst net 10.1.10.11/32 ) and ( dst port 80 )"
}
net packet-filter blocktoport80 {
    action reject
    logging enabled
    order 10
    rule "( src net 192.168.1.0/24 ) and ( dst net 10.1.10.11/32 ) and ( dst port 80 )"
}
root@(bipipbrplab01)(cfg-sync Disconnected)(Active)(/Common)(tmos)
```
Logs:
```
Wed Aug 8 10:45:52 SAST 2018 notice 01250004 /Common/blocktoport80 (1): reject on /Common/external, len: 66 [IPv4 52 192.168.1.15 -> 10.1.10.11 TCP 52231 -> 80 S]
```
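As an added example (not from the original post), here is a small Python parser for the packet-filter log format shown above, which turns the logged rejects into a per-source count you can use to confirm the filter is doing its job. The sample lines are constructed in the style of that log entry, and the field names are my own labels for the visible fields.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the log entry in the post (not captured traffic).
SAMPLE_LOGS = """\
Wed Aug 8 10:45:52 SAST 2018 notice 01250004 /Common/blocktoport80 (1): reject on /Common/external, len: 66 [IPv4 52 192.168.1.15 -> 10.1.10.11 TCP 52231 -> 80 S]
Wed Aug 8 10:45:53 SAST 2018 notice 01250004 /Common/blocktoport80 (2): reject on /Common/external, len: 66 [IPv4 52 192.168.1.15 -> 10.1.10.11 TCP 52232 -> 80 S]
Wed Aug 8 10:46:10 SAST 2018 notice 01250004 /Common/blocktoport80 (3): reject on /Common/external, len: 66 [IPv4 52 192.168.1.77 -> 10.1.10.11 TCP 40001 -> 80 S]
Wed Aug 8 10:46:11 SAST 2018 notice 01250004 /Common/allowtoport80 (1): accept on /Common/external, len: 66 [IPv4 52 172.16.1.14 -> 10.1.10.11 TCP 50500 -> 80 S]
not a packet-filter line at all
"""

# One regex for the whole line; group names are labels chosen here for the visible fields.
# "seq" is the number in parentheses after the filter name, kept as-is and not interpreted.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"notice (?P<msgid>\d+) (?P<filter>\S+) \((?P<seq>\d+)\): "
    r"(?P<action>\w+) on (?P<vlan>\S+), len: (?P<len>\d+) "
    r"\[(?P<family>IPv[46]) (?P<iplen>\d+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<proto>\w+) (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>\S+)\]$"
)


def parse_line(line):
    """Return a dict of fields for one packet-filter log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "len", "iplen", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def rejects_by_source(log_text, dport=None):
    """Count non-accepted (reject/discard) attempts per source IP, optionally for one destination port."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] == "accept":
            continue
        if dport is not None and rec["dport"] != dport:
            continue
        hits[rec["src"]] += 1
    return hits


if __name__ == "__main__":
    for src, n in rejects_by_source(SAMPLE_LOGS, dport=80).most_common():
        print(f"{src}: {n} blocked attempt(s) to port 80")
```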