Forum Discussion

Matt_Breedlove_'s avatar
Matt_Breedlove_
Icon for Nimbostratus rankNimbostratus
May 17, 2011

Timelimited or session limited class match

I once worked with a product that would allow a user to authenticated to the product using a java applet. Once authenticated that user could have access on certain ports, only from the source IP that an activate authenticated is currently auth'd on. As soon as the applet is closed, the ports are denied again for that user.

 

So a port access rule would allow from to port X. This way port X could be off all the time except for when actually needed based on legit users knowing that first they need to java app auth to the product before the port will be open to them

 

 

Is something similar, though more basic possible or safe with irules? What I had in mind was requiring a user to send a single GET request against a VS using a particular URI string that would create perhaps a session table entry or var that allows the source ip of that GET request access to use another VS for the next 30 minutes.

 

 

Thinking about this there seems like lots of options.

 

 

here is a first stab. Setup a VS on port 9007 with an irule that checks for the special URI auth string and if it matches then take note of the calling source IP and update a global var/array/datagroup/table by adding the source ip with an expire time. The second VS where the safe service is located would have an irule that checks all access against that global var for each new connection.

 

In the first irule i would make sure that only 5 concurrent IP addresses are allowed access at the same time, to prevent a memory overflow condition in that var/array from a ddos or some such thing

 

 

Main question is I basically want a list object of source ip addresses, max 5, stored and accessible across two VS's. Something I can "match class" against if possible vs trying to store 5 IP's in a scalar global/table var

 

 

Tracking the expire time and enforcing it seems to complicate it. An easier method might be to literally have the inialt AUTH GET request simply add a 1 dimensional source ip to a list, with not expire time. Then have the second VS irule, only work on the TCP connection level so that it will allow the TCP session to connect, before removing that source IP from the object, meaning the client would have the duration of one TCP connection to use the safe service, and would need to do more AUTH GET's to perpetuate it in case the TCP session gets shudown and resetup.

 

This would be to secure a transfer service, so once connection its transferring date constantly until completion, so I would expect a single TCP session to suffice. People should not be pausing long enough to allow the TCP connection to timeout. Maybe I am being naive and this would be a pain for the users. Sacrifice a little to get

 

 

In general are there any concerns with this idea? Has it been done before?

 

 

 

  • Hi Matt,

     

     

    That does seem doable with an iRule. And assuming you have a secure method for validating access to the special URIs it should be safe.

     

     

    I'd use a single iRule which adds the client IP and allowed port(s) to a subtable using the table command. You can set a lifetime on the record to enforce a session timeout. See the table command and subtable series for details:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/table

     

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2375/v101--The-table-Command--The-Basics.aspx

     

     

    If you get stuck try posting the issue(s), code you're testing and debug logging. Else, when you get something working, it would make a great Codeshare example:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/codeshare

     

     

    Aaron