Forum Discussion
hooleylist
Sep 01, 2011, Cirrostratus
Not really. Your SE gave you a novel solution. But the shortcoming is that it doesn't support the native network parsing of an address type datagroup.
Another approach would be to create a separate set of datagroups per protocol. This will support source networks, but not destination networks. If you want destination network support, I think you'd need to change datagroups with one source network datagroup which points to other destination datagroups.
class fw_icmp_rules_class {
   {
      network 10.10.14.0/24 { "8.8.8.8:8,4.2.2.2:8,4.2.2.1:8" }
      network 10.11.14.0/24 { "4.2.2.4:8,4.2.2.3:8,4.2.2.2:8,4.2.2.1:8" }
      network 10.12.14.0/24 { "203.8.183.1:8" }
   }
}
class fw_tcp_rules_class {
   {
      network 10.10.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
      network 10.11.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
   }
}
class fw_udp_rules_class {
   {
      network 10.10.14.0/24 { "4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
      network 10.11.14.0/24 { "8.8.8.8:53,4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
   }
}
You can then use the class command to do the network lookup with the -value flag to get the list of destinations that are allowed. You could then call matchclass (yes, the old command) to match against that list.
Here's an example:
when RULE_INIT {
   # Log debug to /var/log/ltm? 1=yes, 0=no
   set static::fw_debug 1
}
when CLIENT_ACCEPTED {
   if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: destination:\
      [IP::local_addr]:[TCP::local_port]"}

   # Check the requested protocol (defined in /etc/protocols)
   switch [IP::protocol] {
      1 {
         # ICMP
         set proto icmp
      }
      6 {
         # TCP
         set proto tcp
      }
      17 {
         # UDP
         set proto udp
      }
      default {
         # Unmatched protocol
         if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: Disallowed protocol [IP::protocol]"}
         # Drop silently, or uncomment reject instead to send a RST / ICMP unreachable
         drop
         #reject
         # Exit this event in this rule
         return
      }
   }
   if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: Protocol: $proto"}

   # If we are still in the rule the protocol matched our allowed list
   # Check if the corresponding datagroup exists
   if {not [class exists fw_${proto}_rules_class]} {
      # Datagroup does not exist! Log this regardless of the debug flag and fail closed
      log local0. "[IP::client_addr]:[TCP::client_port]: Datagroup fw_${proto}_rules_class does not exist\
         for lookup to [IP::local_addr]:[TCP::local_port]!"
      drop
      #reject
      # Exit here rather than running class match against a missing datagroup
      return
   }

   # Do the datagroup lookup against the protocol specific datagroup
   # which maps source networks/hosts to allowed destination host:ports
   set allowed_dest_list [split [class match -value [IP::client_addr] equals fw_${proto}_rules_class] ","]
   if {$allowed_dest_list ne ""} {
      if {[matchclass "[IP::local_addr]:[TCP::local_port]" equals $allowed_dest_list]} {
         # Destination host:port is allowed
         if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection"}
      } else {
         # Destination host:port is not allowed
         if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: Blocking connection"}
         drop
         #reject
      }
   } else {
      # Source address is not in the datagroup at all: deny by default
      if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: No rules for source, blocking connection"}
      drop
      #reject
   }
}
Aaron
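The lookup order Aaron's iRule performs (protocol, then the protocol's datagroup, then the source address, then the allowed destination list) can be exercised offline with a small Python model. This is an added example, not iRule code from the post and not F5 code: `class_match_value` stands in for `class match -value ... equals` on an address datagroup and, like the real command, returns the value of the most specific network containing the address; a source with no entry is denied rather than allowed. The `/32` entry, the `fw_tcp_dst_corp_class` chain and all flows are constructed sample data and are assumptions, not part of the post. The chained functions model the second suggestion in the post, a source-network datagroup whose value names a destination-network datagroup.

```python
"""Offline model of the per-protocol datagroup firewall lookup (added example)."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed copies of the three classes from the post, plus one extra /32
# host entry (an assumption, not in the post) to show most-specific matching.
FW_RULES: Dict[str, Dict[str, str]] = {
    "icmp": {
        "10.10.14.0/24": "8.8.8.8:8,4.2.2.2:8,4.2.2.1:8",
        "10.11.14.0/24": "4.2.2.4:8,4.2.2.3:8,4.2.2.2:8,4.2.2.1:8",
        "10.12.14.0/24": "203.8.183.1:8",
    },
    "tcp": {
        "10.10.14.0/24": "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443",
        "10.11.14.0/24": "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443",
        "10.10.14.50/32": "1.2.3.4:22",
    },
    "udp": {
        "10.10.14.0/24": "4.2.2.1:53,4.2.2.2:53,4.2.2.3:53",
        "10.11.14.0/24": "8.8.8.8:53,4.2.2.1:53,4.2.2.2:53,4.2.2.3:53",
    },
}

# Chained variant (constructed): the source lookup yields the NAME of a second
# address datagroup keyed by destination network, whose value is a port list.
FW_SRC_TO_DST_GROUP: Dict[str, Dict[str, str]] = {
    "tcp": {"10.10.14.0/24": "fw_tcp_dst_corp_class"},
}
FW_DST_GROUPS: Dict[str, Dict[str, str]] = {
    "fw_tcp_dst_corp_class": {"1.2.3.0/24": "80,443", "63.166.98.0/24": "80"},
}

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # numbers from /etc/protocols


def class_match_value(addr: str, datagroup: Dict[str, str]) -> Optional[str]:
    """Model of `class match -value $addr equals <address datagroup>`:
    value of the most specific network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    best_net, best_val = None, None
    for net_str, value in datagroup.items():
        net = ipaddress.ip_network(net_str, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_val = net, value
    return best_val


def decide(proto_num: int, src: str, dst: str, dst_port: int) -> Tuple[str, str]:
    """Verdict for one flow using the host:port list approach from the post."""
    proto = PROTO_NAMES.get(proto_num)
    if proto is None:
        return "drop", "disallowed protocol %d" % proto_num
    datagroup = FW_RULES.get(proto)
    if datagroup is None:
        return "drop", "datagroup fw_%s_rules_class does not exist" % proto
    value = class_match_value(src, datagroup)
    if value is None:
        return "drop", "no entry for source %s (default deny)" % src
    allowed = [v.strip() for v in value.split(",") if v.strip()]
    if "%s:%d" % (dst, dst_port) in allowed:
        return "allow", "destination in list for %s" % src
    return "drop", "destination %s:%d not in list" % (dst, dst_port)


def decide_chained(proto_num: int, src: str, dst: str, dst_port: int) -> Tuple[str, str]:
    """Verdict for one flow using the source group -> destination group chain."""
    proto = PROTO_NAMES.get(proto_num)
    if proto is None:
        return "drop", "disallowed protocol %d" % proto_num
    dst_group_name = class_match_value(src, FW_SRC_TO_DST_GROUP.get(proto, {}))
    if dst_group_name is None:
        return "drop", "no destination group for source %s" % src
    dst_group = FW_DST_GROUPS.get(dst_group_name)
    if dst_group is None:
        return "drop", "datagroup %s does not exist" % dst_group_name
    ports = class_match_value(dst, dst_group)
    if ports is None:
        return "drop", "destination %s not in %s" % (dst, dst_group_name)
    if str(dst_port) in [p.strip() for p in ports.split(",")]:
        return "allow", "%s:%d permitted via %s" % (dst, dst_port, dst_group_name)
    return "drop", "port %d not permitted for %s" % (dst_port, dst)


if __name__ == "__main__":
    # Constructed flows: (protocol number, source, destination, port)
    for flow in [(6, "10.10.14.20", "1.2.3.4", 443), (6, "10.10.14.50", "1.2.3.4", 443),
                 (17, "10.12.14.9", "4.2.2.1", 53), (47, "10.10.14.1", "1.2.3.4", 0)]:
        print(flow, decide(*flow))
    print(decide_chained(6, "10.10.14.7", "1.2.3.200", 443))
```

The second flow in the usage block is the case to watch when mixing host and network entries in one address datagroup: the `/32` entry wins over the `/24` that contains it, so a host-specific row narrows rather than extends what its parent network allows.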