For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Juha_Suominen_3's avatar
Juha_Suominen_3
Icon for Nimbostratus rankNimbostratus
Oct 17, 2007

"stateful firewall" in inter virtual server routing

Hi,     I had an problem while back when software developer said there should be one way ip connectivity between few networks behind Bigip. Basically routing with firewalling. I tried to solve t...
application delivery
dev
devops
iRules
Juha_Suominen_3's avatar
Juha_Suominen_3
Icon for Nimbostratus rankNimbostratus
Oct 18, 2007
Ok, got some results today. I have a virtual server with 192.168.0.0/16 as a destination network, port any, no translations and this iRule. Suits my needs perfectly. One datamap with syntax allow trafic "from_ip to_ip:port", everything else destioned to 192.168/16 is rejected. One question still, is there a better way to terminate irule when match is found? 


class na_firewall  {
   "192.168.14.2 192.168.10.0/24:22"
   "192.168.14.2 192.168.57.2:80"
}
when CLIENT_ACCEPTED {
set quit 0
foreach line $::na_firewall {
set ip [split $line " "]
set src [split [lindex $ip 0] ":"]
set dst [split [lindex $ip 1] ":"]
if {[IP::addr [IP::client_addr] equals [lindex $src 0]] 
 and [IP::addr [IP::local_addr] equals [lindex $dst 0]] 
 and [TCP::local_port] eq [lindex $dst 1] }{
log "Allowing [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
set quit 1
node [IP::local_addr]
break
}
} 
if {!quit} {
log "Rejecting [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
reject
}
}