For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

karlg_49229's avatar
karlg_49229
Icon for Nimbostratus rankNimbostratus
Jan 21, 2012

UDP DST Port Range Load Balancing Rule

There is no TCP connection associated with these packets - it is raw UDP only, between port ranges 9000 to 9100 on the DST side, and targeted to a particular IP address.

 

 

Can I humbly ask the advice of an iRule expert for the rule syntax? We tried a few and so far no luck.

 

 

Best,

 

Karl G.

 

application delivery
dev
devops
iRules

3 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 21, 2012
    Hi Karl,

    Do you want to allow UDP packets destined for ports 9000 - 9100 and block all others? If so, you can create a virtual server with either a UDP profile or a Performance L4 virtual and use an iRule like this: 

    

when CLIENT_ACCEPTED {
if {[UDP::local_port] >= 9000 and [UDP::local_port] <= 9100}{
 Allow
} else {
 Send the client a reset
reject
}
}

    Aaron
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 27, 2012
    Great. For performance, it would be a lot more efficient to use a PerfL4 VS.

     

     

    Aaron
  • Al_7601's avatar
    Al_7601
    Icon for Nimbostratus rankNimbostratus
    Feb 28, 2012
    Hi Aaron,

     

    I work with Karl and I am trying to figure out if something I am seeing is because of this rule or something else. Along with this rule, we have a pool on the Virtual Server. The issue I am seeing is that even if I remove the first server in the pool and hope to see traffic only going to the second and third, traffic still makes it to the first server. I also disable the node and still see traffic to this first server. What do you think can be going on?

     

     

    Best Regards,

     

     

    Al