Forum Discussion
Juha_Suominen_3
Nimbostratus
Oct 17, 2007
"stateful firewall" in inter virtual server routing
Hi,
I had a problem a while back when a software developer said there should be one-way IP connectivity between a few networks behind the BIG-IP. Basically routing with firewalling. I tried to solve this by writing an iRule, but I was a little bit concerned about security and really I don't have too much experience with iRules. So I ended up doing virtual servers that do the trick. Now we are rolling out 7 new networks and there should be one-way connectivity with several networks and services between the networks. My virtual server solution is becoming a little bit hard to upkeep and I was wondering if someone here had a better solution or suggestion for how to deal with this?
Here's some more background info
I have a network like the one in the simplified attachment. I have a bunch of servers segmented in different VLANs & networks. BIG-IP acts as a gateway for those networks. Servers can access the internet via SNAT.
192.168.1.0/24 AppFarm1
192.168.2.0/24 AppFarm2
192.168.3.0/24 Logic
Servers from the 192.168.3.0/24 segment should be able to access individual nodes located on the other two network segments. But servers in 192.168.1.0/24 and 192.168.2.0/24 should not be able to access any other network segment besides their own. Moreover, my current solution translates the network addresses and is not really routing. This is ok, but routing without NAT is much preferred.
Juha
Juha_Suominen_3
Nimbostratus
Ok, got some results today. I have a virtual server with 192.168.0.0/16 as the destination network, port any, no translations and this iRule. Suits my needs perfectly. One datagroup with the syntax allow traffic "from_ip to_ip:port", everything else destined to 192.168/16 is rejected. One question still, is there a better way to terminate the iRule when a match is found?

```tcl
class na_firewall {
   "192.168.14.2 192.168.10.0/24:22"
   "192.168.14.2 192.168.57.2:80"
}

when CLIENT_ACCEPTED {
   set quit 0
   foreach line $::na_firewall {
      # each datagroup entry is "src_ip dst_ip[/mask]:port"
      set ip [split $line " "]
      set src [split [lindex $ip 0] ":"]
      set dst [split [lindex $ip 1] ":"]
      if {[IP::addr [IP::client_addr] equals [lindex $src 0]] and [IP::addr [IP::local_addr] equals [lindex $dst 0]] and [TCP::local_port] eq [lindex $dst 1]} {
         log "Allowing [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
         set quit 1
         # send the connection to the real destination, unchanged
         node [IP::local_addr]
         break
      }
   }
   # $quit must be dereferenced inside expr; a bare "quit" is not a valid operand
   if {!$quit} {
      log "Rejecting [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
```
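To check the one-way semantics of the datagroup format above before putting a rule on a box, here is an added stand-alone model of the same allow-list logic (example code, not from the post or F5): each entry is "src_ip dst_ip[/mask]:port", first match allows, anything else is rejected, and the check runs once per new connection as CLIENT_ACCEPTED does. The entries are a constructed copy of the ones in the iRule.

```python
import ipaddress

# Constructed copy of the datagroup entries in the post: "src_ip dst_ip[/mask]:port"
NA_FIREWALL = [
    "192.168.14.2 192.168.10.0/24:22",
    "192.168.14.2 192.168.57.2:80",
]


def parse_rule(line):
    """Parse one 'src dst[/prefix]:port' entry into (src_net, dst_net, port)."""
    src_text, dst_text = line.split()
    dst_addr, port_text = dst_text.rsplit(":", 1)
    # A bare address becomes a /32 network so hosts and subnets compare the same way.
    return (
        ipaddress.ip_network(src_text, strict=False),
        ipaddress.ip_network(dst_addr, strict=False),
        int(port_text),
    )


def load_rules(lines):
    return [parse_rule(line) for line in lines]


def is_allowed(rules, client_ip, local_ip, local_port):
    """First-match allow list; a connection matching no entry is rejected.

    Only the initiating direction is evaluated, so a host that may reach a
    peer on one port gains no right to be reached back by that peer.
    """
    client = ipaddress.ip_address(client_ip)
    local = ipaddress.ip_address(local_ip)
    for src_net, dst_net, port in rules:
        if client in src_net and local in dst_net and local_port == port:
            return True
    return False


if __name__ == "__main__":
    rules = load_rules(NA_FIREWALL)
    for src, dst, port in [("192.168.14.2", "192.168.10.77", 22),
                           ("192.168.10.77", "192.168.14.2", 22),
                           ("192.168.14.2", "192.168.57.2", 443)]:
        verdict = "Allowing" if is_allowed(rules, src, dst, port) else "Rejecting"
        print(f"{verdict} {src} -> {dst}:{port}")
```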