Daniel_Beckham_
Feb 05, 2016

Using ip filter-list on LineRate causes connection reset for *ALL* requests

My setup: LineRate version 2.6.1 running in master/failover mode on VMWare

When using the ip filter-list feature of the LineRate software, instead of filtering on the source addresses in the list, the LineRate sends connection resets for ALL incoming HTTP traffic to the virtual-ip the filter is applied to, whether the source address was listed in the rule or not.

Example ip filter-list config:

ip filter-list bad_actors
 2 deny 104.199.152.55/32

Then this is applied to a virtual-ip:

virtual-ip vip_myvip
 ip address 1.1.1.1 80
 base vipbase_default
 attach ip-filter bad_actors

As soon as that is applied, the LineRate begins responding with a connection reset. My IP address is obviously not the IP in the deny line. Removing the filter from the virtual-ip with no attach ip-filter bad_actors will restore connectivity.

What's going on here? Does the use of a filter-list require at least one permit line to allow traffic? If so, the docs do not mention that at all, nor is it possible to say permit any.

What do I need to do in order to be able to deny incoming traffic from certain source addresses?

  • Ashok_Mudukutor
    Historic F5 Account

    Hi Daniel.

    When you attach an ip-filter to any entity (for example, virtual-ip), the default rule is to deny all traffic. In the use case you describe, you would need a lower priority (i.e., higher in number) 'permit any' rule on the ip filter-list to allow all other traffic:

    ip filter-list bad_actors
     2 deny 104.199.152.55/32
     1000 permit 0.0.0.0/0
    

    We have updated the docs to describe the default deny behavior.

    Thanks, Ashok

  • Thanks for your help and thank you for quickly updating the documentation. I did try 100 permit any and 100 permit 0.0.0.0, but it never occurred to me to try it with /0.

    The documentation was seriously deficient as far as this goes and caused a full site outage for us over something so simple to have been missed. I love the LineRate and its flexibility, but I struggle with the documentation. From this, to the CARP and failover mess, to crazy licensing issues (mostly with failover), and the general assumption of so much information that either doesn't exist in the docs at all, or is in a completely separate, referenced section, it's hard to solve serious problems with the LineRate. I hope F5 has an interest in working to make the LineRate a more professional offering. The F5 Twitter feed sure thinks that it's the only way to load balance...
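
The default-deny behavior described in the answer above can be checked offline before a filter is attached. The following is an added example, not part of the original thread and not LineRate code: it models the list as first-match in ascending priority number with an implicit deny at the end (an assumption based on the answer), and the function names and the client address 198.51.100.7 are constructed for illustration.

```python
import ipaddress

def parse_filter_list(text):
    """Parse '<priority> <permit|deny> <cidr>' entries, sorted by priority number."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skips the 'ip filter-list <name>' header line
        prio, action, cidr = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        rules.append((int(prio), action, ipaddress.ip_network(cidr)))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, source_ip):
    """First matching entry wins (assumed); no match falls through to the implicit deny."""
    addr = ipaddress.ip_address(source_ip)
    for _prio, action, net in rules:
        if addr in net:
            return action
    return "deny"

def blocks_everything(rules):
    """True when the list has no permit entry, so every source hits a deny."""
    return not any(action == "permit" for _prio, action, _net in rules)

# The list from the question, and the corrected list from the answer.
ORIGINAL = """ip filter-list bad_actors
 2 deny 104.199.152.55/32"""
FIXED = ORIGINAL + "\n 1000 permit 0.0.0.0/0"
# Constructed counter-example: the catch-all permit numbered ahead of the deny.
SHADOWED = """ip filter-list bad_actors
 1 permit 0.0.0.0/0
 2 deny 104.199.152.55/32"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED), ("shadowed", SHADOWED)):
        rules = parse_filter_list(text)
        print(name,
              "| blocks everything:", blocks_everything(rules),
              "| 198.51.100.7 ->", evaluate(rules, "198.51.100.7"),
              "| 104.199.152.55 ->", evaluate(rules, "104.199.152.55"))
```

The shadowed case shows why the catch-all permit has to carry a higher number than the deny entries: numbered first, it would match the blocked address before the deny is reached.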