23-Oct-2023 08:15 - edited 23-Oct-2023 08:17
I have an iRule that calls on a datagroup to block outbound traffic from my office to certain countries. The iRule is working, but I am using iRule event "server_connected" and when that occurs it just drops the connection. However, I would like to drop this connection before the actual connection to the remote server occurs. The concern being that there is a TCP handshake that occurs with the remote server using this iRule. Is there a way to set this up by using a DNS query or a geolocate function and if the query returns that the server is in one of the countries in the blacklist datagroup, the connection is denied/rejected?
Here is my current iRule with "OutboundBlackList" being the datagroup with the list of blocked countries.
when SERVER_CONNECTED {
    if { ([class match [whereis [IP::server_addr] country] equals "OutboundBlacklist"]) } {
        reject
    }
}
Thank you for any help you can provide!
23-Oct-2023 08:35
Take a look at the LB_SELECTED event. This event is called before the SERVER_CONNECTED event.
https://clouddocs.f5.com/api/irules/LB_SELECTED.html
It should be possible to put the evaluation into this event, so the connection can be rejected upfront.
23-Oct-2023 08:47
Interesting. Thank you for that suggestion. So just replace SERVER_CONNECTED with LB_SELECTED in the iRule? Could you elaborate some on what LB_SELECTED does? The page is quite vague about how it works...
Thanks again for your help.
23-Oct-2023 09:05
In the LB_SELECTED event you can get information about which pool member is selected and take some action on it. In this event you can evaluate the results of LB::server. You can use this to replace IP::server_addr in your current iRule. See the first iRule example in the article below.
https://clouddocs.f5.com/api/irules/LB__server.html
23-Oct-2023 09:33
I guess I didn't specify, but my f5 is acting as a firewall. I didn't set it up this way, but it is performing the traffic filtering, not a firewall. Would LB_SELECTED still apply in this case? I just want to drop the traffic before connecting to the remote server rather than after it connects. Would I use HTTP_REQUEST rather than SERVER_CONNECTED? If I should still use LB_SELECTED, would you mind editing my rule to show an example?
Sorry for all the questions, I'm still trying to get my head wrapped around how iRules work, especially with the way the system is configured. I really appreciate your time.
24-Oct-2023 07:35
Try creating a new virtual server, where it's safe to experiment with the iRule. You can try the iRule below.
when LB_SELECTED {
    log local0. "LB_SELECTED: debug"
    if { ([class match [whereis [LB::server addr] country] equals "OutboundBlacklist"]) } {
        log local0. "LB_SELECTED: [LB::server addr] found on OutboundBlacklist -> reject"
        reject
    }
}
when SERVER_CONNECTED {
    log local0. "SERVER_CONNECTED: debug"
    if { ([class match [whereis [IP::server_addr] country] equals "OutboundBlacklist"]) } {
        log local0. "SERVER_CONNECTED: [IP::server_addr] found on OutboundBlacklist -> reject"
        reject
    }
}
As you can see the iRule contains some extra logging options. You should see the output in /var/log/ltm. Try sending some traffic through your test virtual server and check the logs.
About the HTTP_REQUEST event. When this event is triggered, there is no information about the server-side server IP address yet. Remember you have the client-side client, client-side server, server-side client and server-side server IP addresses. Your action needs to match the server-side server IP address.
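Added example, not code posted in this thread: the same LB_SELECTED check, extended to handle the case where whereis returns no country (private ranges and addresses missing from the geolocation database), so the rule does not silently fail open. It assumes the same "OutboundBlacklist" data group of country codes; the static::block_unknown variable is a made-up switch.

```tcl
when RULE_INIT {
    # 1 = reject when geolocation returns no country (fail closed), 0 = allow and log
    set static::block_unknown 1
}

when LB_SELECTED {
    set saddr [LB::server addr]

    # RFC1918 ranges never resolve in the geolocation database; skip the lookup
    if { [IP::addr $saddr equals 10.0.0.0/8] || [IP::addr $saddr equals 172.16.0.0/12] || [IP::addr $saddr equals 192.168.0.0/16] } {
        log local0. "LB_SELECTED: $saddr is a private address, allowing"
        return
    }

    # whereis returns an empty string when it has no data for the address
    set country [whereis $saddr country]
    if { $country eq "" } {
        if { $static::block_unknown } {
            log local0. "LB_SELECTED: no geolocation for $saddr -> reject (fail closed)"
            reject
        } else {
            log local0. "LB_SELECTED: no geolocation for $saddr, allowing"
        }
        return
    }

    # Normal path: country code looked up against the data group
    if { [class match $country equals "OutboundBlacklist"] } {
        log local0. "LB_SELECTED: $saddr ($country) found on OutboundBlacklist -> reject"
        reject
    }
}
```

Watch /var/log/ltm for the "no geolocation" lines before enabling fail-closed mode in production, since they show which destinations the database cannot classify.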
25-Oct-2023 05:21
Awesome, I will definitely give this a try and report back when we do. I really appreciate your time and assistance!