Hello All, Sanity check...I'm trying to block access to specific pages based off the source network the client is coming from. The rest of the site should remain available to anyone. I *think* I've got the irule down, but am not 100% sure and would appreciate some more knowledgeable input. Pages to block: http://our.domain.com/templates/Test.jsp http://our.domain.com/templates/Stats.jsp Data Group "internal-ips" 1.1.1.0/24 2.2.2.0/24 3.3.3.0/24 when HTTP_REQUEST { if { ([HTTP::uri] contains "Test.jsp") or ([HTTP::uri] contains "Stats.jsp") and not ([matchclass [IP::client_addr] equals [$::internal-ips]]) } { discard } } TIA, DarkSide

That will technically work. However, even with java-based platforms there are methods an attacker can use to obfuscate their request. We discussed this in a recent post: Irule for restriciting URL paths unsecure http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900 Aaron

Hi Darkside, I think your logic looks sound. I would put a open and close parentheses around the URI conditional evaluations so they are evaluated together before the matchclass evaluation. I would also lose the square brackets around $::inernal-ips and lowercase the URI Like so when HTTP_REQUEST { if { !([matchclass [IP::client_addr] equals $::internal-ips]) and ((string tolower [[HTTP::uri]] contains "test.jsp") or (string tolower[HTTP::uri]] contains "stats.jsp")) } { discard } } Another way to right this is the following: when HTTP_REQUEST { if { !([matchclass [IP::client_addr] equals $::internal-ips]) } { switch -glob [string tolower [HTTP::uri]] { "*test.jsp" - "*stats.jsp" { discard } } } } I wrote it the way above because I thought the first thing you want to evaluate is the Datagroup. if nothing matches then don't evaluate any further. In theory, it would make evaluations much faster then having to evaluate 3 conditions expressions in an IF clause. I hope this helps CB

Aaron - good post, not sure how i missed that in my earlier search. I didn't even think about obfuscation as I don't think the page is all that "secret", so a basic discard should suffice, but I'll have to ask. CB - In your examples, (I'm probably misinterpreting them) it looks like the logic would discard if the client IP matches the data group, is that right?

Also, if you use a hyphen in a class name, you need to reference it using curly braces ${::class-name}. It's easier to just use underscores. Aaron

The idea behind obfuscation is that an attacker could request /test.jsp as /%74%65%73%74.jsp using URL encoding, possibly use unicode as / \ x 74 \ x 65 \ x 73 \ x 74.jsp (without the spaces) and/or other encoding methods and the web server would potentially parse them all as /test.jsp even though the iRule doesn't. Aaron

Restrict access based off source network

19 Replies

DarkSideOfTheQ_
Nimbostratus
Sep 17, 2009
I removed the braces around the datagroup as CB suggested and it still didn't work. Added in the extra logging as you suggested, which was helpful as it appears to be ignoring the datagroup alltogether.

Sep 17 07:27:12 tmm tmm[959]: Rule secure_test : : Request to /templates/Test.jsp

Sep 17 07:27:12 tmm tmm[959]: Rule secure_test : : Discarding request to /templates/Test.jsp

Thoughts?

-DarkSide
hooleylist
Cirrostratus
Sep 17, 2009
Can you list the contents of the class (using 'b class ips_internal list all') and your client IP address. If you want to anonymise the IP's, just change the first two or three octets.

Here is an example of the default private_net datagroup on a 9.4.8 unit:

b class private_net list all class private_net { type ip filename none mode rw partition Common network 10.0.0.0/8 network 172.16.0.0/12 network 192.168.0.0/16 none none } Thanks, Aaron
DarkSideOfTheQ_
Nimbostratus
Sep 17, 2009
Here it is. (changed first two octets)

class ips_internal {

network 1.1.0.0 mask 255.255.240.0

network 2.2.0.0 mask 255.255.252.0

}

client ip: 1.1.1.100

btw - this is 9.2.4 if that matters.
hooleylist
Cirrostratus
Sep 17, 2009
Is it an address type datagroup? That looks like a string datagroup. matchclass using IP addresses won't work with anything but an address type class.

Aaron
DarkSideOfTheQ_
Nimbostratus
Sep 17, 2009
In the GUI it says it's an address type.

hooleylist

Cirrostratus

Sep 17, 2009

It's odd it's not working then... can you try this?

 
  when HTTP_REQUEST {  
  
     log local0. "[IP::client_addr]:[TCP::local_port]: Request to [HTTP::uri] with dg: $::ips_internal"  
  
     if { [HTTP::uri] contains "Test.jsp" or [HTTP::uri] contains "Stats.jsp" }{ 
  
        log local0. "[IP::client_addr]:[TCP::local_port]: Matched URI check"  
      
        if {not [matchclass [IP::client_addr] equals $::ips_internal]} { 
  
           log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"  
           discard  
        } 
     }  
  }

Aaron

DarkSideOfTheQ_
Nimbostratus
Sep 17, 2009
Well, as you suggested earlier, breaking out the matchclass to it's own if line worked.

Sep 17 10:04:09 tmm tmm[959]: Rule secure_test : 99.99.220.62:80: Request to /templates/Test.jsp with dg: {1.1.0.0/20} {2.2.0.0/22}

Sep 17 10:04:09 tmm tmm[959]: Rule secure_test : 99.99.220.62:80: Matched URI check

Sep 17 10:04:09 tmm tmm[959]: Rule secure_test : 99.99.220.62:80: Matched IP check. Discarding request to /templates/Test.jsp

The first log line, should that log client info for ONLY members of the datagroup? It's logging client info for any request made and even mentions the dg parameter, so I'm a bit confused on that.

Sep 17 10:03:47 tmm tmm[959]: Rule secure_test : 2.60.0.104:80: Request to /resources with dg: {1.1.0.0/20} {2.2.0.0/22}

*2.60.x.x is a vpn range in the 2.2.0.0 office (i changed first two octets)

DarkSideOfTheQ_

Nimbostratus

Sep 17, 2009

Now I've gone and broke things....

This works:

  
 when HTTP_REQUEST {   
  
      if { [HTTP::uri] contains "Test.jsp" or [HTTP::uri] contains "Stats.jsp" }{  
  
            if {not [matchclass [IP::client_addr] equals $::ips_internal]} {  
  
            log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]" 
            discard 
         }  
      }   
 }

In anticipation of them adding more pages they want secured, I tried the '-glob' mechanism, but the GUI tells me "line 5: [missing an expression] [ ]" but not sure what's missing???

  
 when HTTP_REQUEST {    
 switch -glob [HTTP::uri] {   
 "Test.jsp" -  
 "Stats.jsp"  
 if {not [matchclass [IP::client_addr] equals $::ips_internal]} {   
 log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"  
 discard  
 }   
 }    
 }

Help is appreciated, my irule kung-fu isn't so strong. 🙂

-DarkSide

hooleylist

Cirrostratus

Sep 17, 2009

This line was just for debugging of all requests:

     log local0. "[IP::client_addr]:[TCP::local_port]: Request to [HTTP::uri] with dg: $::ips_internal"

If you want to use a switch statement you can use something like this:

 
 when HTTP_REQUEST { 
    switch -glob [HTTP::uri] { 
       "*Test.jsp*" - 
       "*Stats.jsp*" { 
          if {not [matchclass [IP::client_addr] equals $::ips_internal]} { 
             log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]" 
             discard 
          } 
       } 
    } 
 }

Note the use of the asterisks for wildcard (glob) matching.

Aaron

Forum Discussion

Restrict access based off source network

19 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Irule for restricting access

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

Office 365 Tenant Restrictions

What is Multi-Cloud Networking?

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions