Forum Discussion
Virtual Server multiple service ports
I am new to F5 devices and load balancers in general, only having limited exposure to some Foundry devices until now. I am curious about what I've read and seen thus far about creating a virtual server and the ports it will allow connections on. Do I really need to create a new virtual server for each port that I want available or am I overlooking something and creating more work for myself?
Thanks,
DarkSide
35 Replies
- kamals_48971
Nimbostratus
but if I have to allow different range of address like 19000-20000 and 30000 - 30999 then I tried this but not sure if it is correct
b rule tcp_port '{
when CLIENT_ACCEPTED {
    # Check if requested port is outside 18000 - 20999, 30000 - 30999
    if { [TCP::client_port] < 19000 or [TCP::client_port] < 30000 or [TCP::client_port] > 20999 or [TCP::client_port] > 30999 } {
        # Drop request
        drop
    }
}
}'
- nitass
Employee
is it source port (client port) or destination port (virtual server port)? if it is destination, it is TCP::local_port.
when CLIENT_ACCEPTED {
    # Check if requested port is outside 18000 - 20999, 30000 - 30999
    if { not ( [TCP::local_port] >= 18000 and [TCP::local_port] <= 20999 ) and not ( [TCP::local_port] >= 30000 and [TCP::local_port] <= 30999 ) } {
        # Drop request
        drop
    }
}
TCP::local_port
https://devcentral.f5.com/wiki/iRules.tcp__local_port.ashx
- kamals_48971
Nimbostratus
this is destination port. And I need to accept traffic for 19000 - 20999 and 30000 and 30999, the above iRule will drop all the traffic greater than 18000 and less than 20999. Also for 30000 to 30999
- nitass
Employee
there is "not" in expression, isn't it?
- kamals_48971
Nimbostratus
Thanks a lot , I will try tomorrow and let you know. Kamal
- Desai_124243
Nimbostratus
Hi,
I'd like to allow only TCP 80, TCP 443, UDP 500 & UDP 4500 on a port 0 virtual server. Is the below iRule configuration right?
when CLIENT_ACCEPTED {
    # Check if requested port is allowing only TCP 443, TCP 80, UDP 4500 and UDP 500
    if { ( [TCP::client_port] != 443 or [TCP::client_port] != 80 or [UDP::client_port] != 500 or [UDP::client_port] != 4500 ) } {
        # Drop request
        drop
    }
}
Thanks
- kamal_48965
Nimbostratus
Please add not after the if statement
if { not ( [TCP::client_port] != 443 or [TCP::client_port] != 80 or [UDP::client_port] != 500 or [UDP::client_port] != 4500 ) } {
    # Drop request
    drop
}
- kamal_48965
Nimbostratus
???
- Desai_124243
Nimbostratus
It works.
Thanks for helping
- Jason_Hawke
Nimbostratus
You can configure one virtual server for all ports but that creates a security vulnerability. It's better to have a virtual server for each application service port you need - that way you are limiting your network exposure to just those known ports.
The other advantage to having multiple virtual servers for each port is it allows you to have better insight as to the health and availability of your application. You will know if a particular component is down or not (HTTPS is up on the web server but the app server is down for instance).
Lastly, each virtual server will have corresponding profiles that can help in logging events. If you're using AVR (which I hope you are) or at least request logging then you can see each transaction as it traverses both the F5 and your application.
- ShakeelRashid
Nimbostratus
Guys,
Is it possible to use a data group list to list the port numbers? i.e. something like the below, where Defined_Ports references an integer or string Data Group List?
when CLIENT_ACCEPTED {
    if { not ([matchclass [TCP::local_port] equals Defined_Ports]) } {
        log local0. "Invalid Port: [TCP::local_port] - discarding"
        discard
    }
}
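As an added example (not code from this thread), the range check from the first posts and the data group lookup from the post above combined in one iRule for a port 0 TCP virtual server: contiguous destination port ranges are checked in Tcl, single ports are looked up in a string data group called allowed_ports (an assumed name), and each dropped connection is logged first. It uses TCP::local_port (the destination port) rather than TCP::client_port, as nitass pointed out.

```tcl
# Added example, not from the thread. Assumes a standard TCP virtual server
# listening on port 0 (all ports) and a string data group named allowed_ports
# holding single permitted ports such as "80" and "443" (constructed name).
when CLIENT_ACCEPTED {
    # TCP::local_port is the destination port the client connected to;
    # TCP::client_port is the client's ephemeral source port and is not what we want.
    set dport [TCP::local_port]

    # Contiguous ranges from the thread, as {low high} pairs (constructed list).
    # Written with lindex rather than lassign because BIG-IP iRules run Tcl 8.4.
    set allowed_ranges { {19000 20999} {30000 30999} }

    set allowed 0
    foreach range $allowed_ranges {
        set lo [lindex $range 0]
        set hi [lindex $range 1]
        if { $dport >= $lo and $dport <= $hi } {
            set allowed 1
            break
        }
    }

    # Individual ports come from the data group so they can be changed
    # without editing the iRule.
    if { !$allowed and [class match $dport equals allowed_ports] } {
        set allowed 1
    }

    if { !$allowed } {
        # Record the rejected destination port so exposure can be audited, then drop.
        log local0. "Dropping [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$dport (port not allowed)"
        drop
    }
}
```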
- pirusti
Nimbostratus
I have the IP of a VIP and I need to understand on which LTM this is configured. Is using tracert from cmd the only way?
