Forum Discussion
pallocca_73085
Nimbostratus
Nov 17, 2010
wildcard VS with iRule to limit TCP ports it accepts
Instead of creating five VS listening on five different ports I want to create a single "wildcard" VS accepting all ports and use an iRule to limit the ports the VS accepts.
1st. is this a good idea or is there a more efficient way of accomplishing this?
2nd. I am pretty new at writing iRules and am having some syntax errors on the rule I wrote (any tips??) -->
when CLIENT_ACCEPTED {
if { not([TCP::local_port] == 443) ||
not([TCP::local_port] == 1352) ||
not([TCP::local_port] == 1533) ||
not([TCP::local_port] == 8082) ||
not([TCP::local_port] == 8088)}
{drop}
}
- nitass
Employee
is it applicable?
- pallocca_73085
Nimbostratus
Absolutely. I read through that article but just wanted to change the logic a bit (did not want to use data groups). Struggling with the syntax. Missing a bracket somewhere.
- hoolio
Cirrostratus
Here you go:

when CLIENT_ACCEPTED {

   # Check the client's destination port to see if it's allowed
   switch [TCP::local_port] {
      443 -
      1352 -
      1533 -
      8082 -
      8088 {
         # Do nothing as the default action will be to use the VS's default pool
      }
      default {
         drop
      }
   }
}
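
The `if` form of the same allowlist, as an added example that is not part of any post in this thread: it uses Tcl's `!=` and `&&` operators and keeps the body's opening brace on the same line as the condition. The variable name `port` and the `log` line are assumptions added for illustration; the five port numbers are the ones from the posts above.

```tcl
when CLIENT_ACCEPTED {
    # Added example, not code from the thread.
    # Read the destination port the client connected to on the wildcard VS.
    set port [TCP::local_port]

    # Drop only when the port differs from EVERY allowed port, so the
    # tests are joined with &&. Joined with ||, the condition is true
    # for every port (no port equals all five values at once) and the
    # rule would drop all traffic, including the allowed ports.
    #
    # Tcl expressions negate with ! or compare with !=; the body's
    # opening brace must follow the condition's closing brace on the
    # same line, because a newline ends the "if" command.
    if { $port != 443 &&
         $port != 1352 &&
         $port != 1533 &&
         $port != 8082 &&
         $port != 8088 } {
        # Optional visibility for the dropped connection (assumption:
        # the log volume is acceptable; port scans make this noisy).
        log local0. "Dropped [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$port"
        drop
    }
    # Allowed ports fall through and use the VS's default pool.
}
```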
- DeVon_Jarvis
Altostratus
This is a good way to go if you need a bunch of ports open. Here is a rule we use...