Forum Discussion

Joern_Oltmann
Feb 11, 2013

Restrict Access for outgoing connect

Hi all,

one question. My internal App-Server uses Google Maps, so I would like to allow only the Google networks for these servers. My first idea: an outgoing virtual server on my BIG-IP. That is very easy with an iRule. But Google has 10 networks, which means 10 virtual servers, one for each network. Not a good solution, is it? Does anyone have a better solution for me?

9 Replies

  • Isn't it just one wildcard virtual server (0.0.0.0/0)?? Did I miss something?
  • I agree with Nitass, you should configure a wildcard Virtual Server. You can then either use a Packet Filter or an iRule to restrict the traffic flow, for instance;

    
    Create a Data Group (called destination_ips below) with just the IP addresses/networks 
    of the hosts you’d like to allow access to
    
    when CLIENT_ACCEPTED {
     if { not [class match [IP::local_addr] equals destination_ips] } {
       reject }
    }
    

    You could also add a source host check to ensure only specific servers are permitted access.
  • That may be a problem.

    I have one wildcard server only for two specific hosts.

    These two hosts have access to all networks with HTTP. But my App-Server should only connect to Google with HTTP/HTTPS.

    Is it possible to create two wildcard servers??? And which wildcard server is used?

    Thanks for help

    Jörn
  • You cannot have two virtual servers listening on the same address and port. Same address but different port is okay. Anyway, I think combining them into one wildcard virtual server would be better.

    sol6459: Order of precedence for virtual server matching

    http://support.f5.com/kb/en-us/solutions/public/6000/400/sol6459.html
  • OK, I think this covers it. Let me know if I need to restrict the two servers to port 80 only;

    # Create a Data Group (called destination_ips below) with just the IP
    # addresses/networks of the hosts you'd like to allow access to for a
    # particular source

    when CLIENT_ACCEPTED {
      # Is this the app server?
      if { [IP::addr [IP::client_addr] equals 1.1.1.1] } {
        # Is it going to a Google IP?
        if { not [class match [IP::local_addr] equals destination_ips] } {
          # If not, reject the traffic
          reject
          # Stop processing the rule
          return
        }
      # Is this one of the servers with full access?
      } elseif { [IP::addr [IP::client_addr] equals 11.1.1.1] or [IP::addr [IP::client_addr] equals 11.1.1.2] } {
        # Stop processing the rule (allow the traffic to anywhere)
        return
      } else {
        # Reject the traffic if there is no match above
        reject
      }
    }
  • Hi, looks good, but is it possible to use a hostname like api.google.com instead of IP networks (Google has a lot of networks ;-)
  • We could do that (for HTTP, not HTTPS) but you would have to apply an HTTP profile to the VS and then it would only be able to handle HTTP traffic, not SSL/TLS or anything else.

    You could create a specific port 80 wildcard VS but that still wouldn't help with the HTTPS connections. I guess you could mix and match as you need. Myself, I'd use the rule and build that list.
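As an added example (not code from Steve's reply or from F5), this is what the hostname variant he describes would look like on a separate port-80 wildcard virtual server that has an HTTP profile. The data group names `app_servers` (address type) and `allowed_hosts` (string type, entries stored with a leading dot such as `.google.com`) are assumed; HTTPS traffic still has to go through the address-based rule above.

```tcl
# Added example: hostname allow-list for the app servers on a port-80
# wildcard VS with an HTTP profile. Data group names are assumed:
#   app_servers   (address): the app servers that may only reach Google
#   allowed_hosts (string):  domain suffixes with a leading dot, e.g. ".google.com"

when CLIENT_ACCEPTED {
    # Decide once per connection whether the hostname check applies.
    # Other sources are left to the address-based rule on the full wildcard VS.
    set app_server [class match [IP::client_addr] equals app_servers]
}

when HTTP_REQUEST {
    if { not $app_server } {
        return
    }
    # Drop any ":port" suffix and normalise case before matching.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]
    # Prepending a dot makes ".google.com" match both "google.com" and
    # "maps.google.com" while "notgoogle.com" does not match.
    if { [class match ".$host" ends_with allowed_hosts] } {
        return
    }
    # Log the rejection so a test from a disallowed host shows up in /var/log/ltm.
    log local0. "Blocked [IP::client_addr] -> $host (not in allowed_hosts)"
    reject
}
```

A request with no Host header (HTTP/1.0) yields an empty `$host` and is rejected too, which is the safe default for this allow-list.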
  • Hi Steve,

    now I use a DataGroup instead of IPs in the iRules, and it works fine!

    Thanks a lot for help!!!!!!

    Regards

    Jörn
  • Sounds good, you're welcome. Have you tested from a 'disallowed' host to be sure? [Just checkin' =]