Hello, I am new to F5 devices and load balancers in general, only having limited exposure to some Foundry devices until now. I am curious about what I've read and seen thus far about creating a virtual server and the ports it will allow connections on. Do I really need to create a new virtual server for each port that I want available or am I overlooking something and creating more work for myself? Thanks, DarkSide

You can configure a VIP on port 0 (any port) and then use an iRule or IP filters to restrict which destination ports can be used. Here is an example iRule which drops requests outside of a range of ports: when CLIENT_ACCEPTED { Check if requested port is outside 1000 - 2000 if { [TCP::client_port] < 1000 or [TCP::client_port] > 2000}{ Drop request drop } } Aaron

In general the LTM is default-deny device, so yes if you do not configure a virtual for each port you need then the traffic will be blocked. That being said, you can create virtuals and pools on port 0 (any port). That will allow all ports to communicate on that virtual. The downside is that you have to create custom monitors for health checks on the pool, because the default monitors are set up to check whatever port the pool members are configured on. Since you can't health check port 0, you have to define a custom monitor that explicitly calls the port you need to check on the servers. So if you only need 3 or 4 ports, I would recommend going ahead and configuring one vip per port, that way you can take advantage of the granularity to be able to tweak settings as you wish (and see separate statistics). If on the other hand you have an application that might open up 100 different ports, then I'd advise using a wildcard port 0 vip and creating a custom health monitor. Denny

Aaron - I am just begining to learn the iRules and have only created simple HTTP/HTTPS redirects thus far. Your example sounds interesting and I'll have to play around some. Denny - I am indeed only concerned with a few ports, mostly HTTP, HTTPS, SSH, FTP for various hosts. The mention of the statistics, was not something I had thought about and with that in mind, can see the benefit of having the different virtuals setup. I really appreciate the replies and am glad to see that there is a good community that I can turn to with what I am sure is just the first of many questions...after I RTFM of course. :-)

If it's only a few ports and the protocol isn't the same, I agree with Denny that it's better to configure individual VIPs. As he suggested, this allows you to configure protocol-specific profiles and tweak the settings according to the protocol. The port range option is better if it's a lot of ports--particularly if it's the same protocol. Aaron

Sorry for the bump, but could someone help me out with the proper syntax for something like: when CLIENT_ACCEPTED { Check if requested port is outside 1000 - 2000 if { [TCP::client_port] < 1000 or [TCP::client_port] > 2000 or [TCP::client_port] not 3389 or [TCP::client_port] not 1500 or [TCP::client_port] not 161 }{ Drop request drop } I'm trying to allow a range (12000-13000) and several individual ports, but drop/reject the rest. Thanks, Josh

Virtual Server multiple service ports

35 Replies

kamals_48971
Nimbostratus
Sep 01, 2014
this is destination port. And I need to accept traffic for 19000 - 20999 and 30000 and 30999, the above I rule will drop all the traffic greater than 18000 and less then 20999. Also for 30000 to 30999
- nitass
  Employee
  Sep 01, 2014
  there is "not" in expression, isn't it?
kamals_48971
Nimbostratus
Sep 01, 2014
Thanks a lot , I will try tomorrow and let you know. Kamal
Desai_124243
Nimbostratus
Oct 20, 2015
Hi,

I like to allow only TCP 80, TCP 443, UDP 500 & UDP 4500 on 0 port Virtual . Is below IRULE configuration right?

when CLIENT_ACCEPTED { Check if requested port is allowing only TCP 443, TCP 80, UDP 4500 and UDP 500 if { ( [TCP::client_port] != 443 or [TCP::client_port] != 80 or [UDP::client_port] != 500 or [UDP::client_port] != 4500 ) } { Drop request drop } }

Thanks
kamal_48965
Nimbostratus
Oct 21, 2015
Please add not after if statement

if { not ( [TCP::client_port] != 443 or [TCP::client_port] != 80 or [UDP::client_port] != 500 or [UDP::client_port] != 4500 ) } { Drop request drop } } drop } }
- kamal_48965
  Nimbostratus
  Oct 22, 2015
  ???
Desai_124243
Nimbostratus
Oct 22, 2015
Its works.

Thanks for helping
Jason_Hawke
Nimbostratus
Nov 30, 2016
You can configure one virtual server for all ports but that creates a security vulnerability. Its better to have a virtual server for each application service port you need - that way you are limiting your network exposure to just those known ports.

The other advantage to having multiple virtual servers for each port is it allows you to have better insight as to the health and availability of your application. You will know if a particular component is down or not (HTTPS is up on the web server but the app server is down for instance).

Lastly, each virtual server will have corresponding profiles that can help in logging events. If you're using AVR (which I hope you are) or at least request logging then you can see each transaction as it transverses both the F5 and your application.
ShakeelRashid
Nimbostratus
Sep 19, 2017
Guys,

Is it possible to use a data group list to list the port numbers? i.e. something like the below where Defined_Ports references an integer or string Data Group List?

when CLIENT_ACCEPTED {

if { not ([matchclass [TCP::local_port] equals Defined_Ports]) }{ log local0. "Invalid Port: [TCP::local_port] - discarding" discard } }
pirusti
Nimbostratus
Jan 08, 2018
i have the ip of a vip and i need to understand on which ltm is this configured. Is using tracert from cmd the only way ?
benjamin_gate_3
Nimbostratus
Jul 22, 2018
Guys, I'm hitting my head against a brick wall! I'm trying to allow clients to connect only on ports 443 or 2030 but it's not working - they can connect on any port!?

I've got this iRule:

when CLIENT_ACCEPTED { if { not ([TCP::local_port] == 443) or ([TCP::local_port] == 2030) }{ reject } }

and I've followed the instructions above (same result) as well as K6018 to enable PAT on the vServer (same result); I've even tried 'serverside' and 'clientside' after local_port in the iRule (same result); I've tried drop - same result. I've also tried other iRules from other threads e.g. with words like client_port !=443...

The only time I can't connect on other ports is if I change the service port on the vServer to 443, otherwise, I can always telnet into this vServer on any of the other ports (i.e. the iRule is not working). I've bound the iRule to the vServer in the resources tab (the HTTP > HTTPS redirect worked when I bound it here so I'm thinking this is the right place?). Just to be sure, I made new vServer with no extra settings such as HTTP profile etc. but still, can go straight through. I'm on 13.1.0.8. What am I missing?
- Niels_van_Sluis
  MVP
  Jul 22, 2018
  You could try this:
  
  when CLIENT_ACCEPTED { switch [TCP::local_port] { "443" - "2030" { allow log local0.info "accept" } default { log local0.info "reject" reject } } }
benjamin_gate
Altostratus
Jul 22, 2018
Guys, I'm hitting my head against a brick wall! I'm trying to allow clients to connect only on ports 443 or 2030 but it's not working - they can connect on any port!?

I've got this iRule:

when CLIENT_ACCEPTED { if { not ([TCP::local_port] == 443) or ([TCP::local_port] == 2030) }{ reject } }

and I've followed the instructions above (same result) as well as K6018 to enable PAT on the vServer (same result); I've even tried 'serverside' and 'clientside' after local_port in the iRule (same result); I've tried drop - same result. I've also tried other iRules from other threads e.g. with words like client_port !=443...

The only time I can't connect on other ports is if I change the service port on the vServer to 443, otherwise, I can always telnet into this vServer on any of the other ports (i.e. the iRule is not working). I've bound the iRule to the vServer in the resources tab (the HTTP > HTTPS redirect worked when I bound it here so I'm thinking this is the right place?). Just to be sure, I made new vServer with no extra settings such as HTTP profile etc. but still, can go straight through. I'm on 13.1.0.8. What am I missing?
- Niels_van_Sluis
  MVP
  Jul 22, 2018
  You could try this:
  
  when CLIENT_ACCEPTED { switch [TCP::local_port] { "443" - "2030" { allow log local0.info "accept" } default { log local0.info "reject" reject } } }