
GTM / DNS Restrict source ports from GTM when LB DNS to Microsoft servers

Due to security restrictions, I need to have GTM use source ports 49152-65535 from the self-IP it uses to LB DNS traffic to the DNS servers. I've attempted to force avoidance of certain ports with iRules, but it doesn't appear to be working fully. Here are the iRules I've tried - I'm looking for a better solution. Is there any way to restrict GTM source port ranges?

when SERVER_CONNECTED {
    # UDP::local_port is the BIG-IP side port of the server-side flow (the SNAT source port)
    if { [class match [UDP::local_port] equals hbss-port-exception] } {
        log local0. "HBSS EXCEPTION LOG: [IP::server_addr]:[UDP::local_port] - GTM dropping UDP"
        UDP::drop
    }
}

when SERVER_CONNECTED {
    if { [class match [TCP::local_port] equals hbss-port-exception] } {
        log local0. "HBSS EXCEPTION LOG: [IP::server_addr]:[TCP::local_port] - GTM dropping"
        TCP::close
    }
}

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I have tested the following iRule and it seems to accomplish what you are looking for. Let me know if this works.

when RULE_INIT {
    # On the line below, select which self-IPs are to be part of the SNAT list
    set static::ip_list [list 10.1.20.254 ]
}
when CLIENT_ACCEPTED {
    # Pick one SNAT address at random from the list
    set random_snat_ip [lindex $static::ip_list [expr {int(rand()*[llength $static::ip_list])}]]

    # On the line below, replace "demo_dns_pool" with the pool name where traffic will be load balanced to
    set available_pool_member [active_members -list demo_dns_pool]

    # active_members -list returns {ip port} pairs; keep only the address of the chosen member
    set random_pool_member [lindex [lindex $available_pool_member [expr {int(rand()*[llength $available_pool_member])}]] 0]

    # On the line below, 53 is the pool members' listening port (DNS). Values of 50000, 49152 and 65535 represent
    # "hint port", minimum port and maximum port, respectively.
    set random_port [UDP::unused_port $random_pool_member 53 $random_snat_ip 50000 49152 65535 ]

    snat $random_snat_ip $random_port
    pool demo_dns_pool member $random_pool_member
}
Comments on this Answer
Comment made 2 weeks ago by eric.haupt

It doesn't appear to be randomizing the port. I'm using it in this fashion since I do not require pool member randomization or self-IP randomization. Logs show that only the hint port is used, and in tcpdump and in stats monitoring for the listener I see flow stats drop to "1" while this is in place.

when LB_SELECTED {
    # Ask for an unused source port on the self-IP toward the selected DNS server: hint 50000, range 49152-65535
    set gtm_random_port [UDP::unused_port [IP::remote_addr] [UDP::remote_port] [IP::local_addr] 50000 49152 65535 ]
    snat [IP::local_addr] $gtm_random_port
    log local0. [IP::local_addr]:$gtm_random_port
}
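One way to verify from the outside whether the restriction is actually being honored is to audit the `log local0.` output that the comment's iRule writes. The script below is an added example and is not code from the thread or from F5: it assumes the log lines end in the `self-ip:port` string the iRule logs, parses them, reports any port outside 49152-65535, and counts distinct ports so that the "only the hint port is used" symptom described above shows up as a single repeated value. The sample log lines are constructed.

```python
"""Audit GTM SNAT source ports recorded by an iRule's `log local0.` statement.

Added example (not from the DevCentral thread). It assumes each relevant
/var/log/ltm line ends with "<self-ip>:<port>", as written by the iRule in the
comment above, and checks two things a practitioner cares about:
  1. every observed source port lies in the permitted 49152-65535 range;
  2. more than one distinct port is in use (a single value means the hint
     port is being reused instead of a random port from the range).
"""
import re
from collections import Counter

PORT_MIN = 49152
PORT_MAX = 65535
HINT_PORT = 50000

# Matches the trailing "ip:port" emitted by the iRule's log statement.
LOG_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")

# Constructed sample: the rule name, host and timestamps are made up; the last
# line is noise to show that unrelated entries are ignored.
SAMPLE_LOG = """\
Aug  1 10:00:01 gtm1 info tmm[1234]: Rule /Common/gtm_snat_ports <LB_SELECTED>: 10.1.20.254:50000
Aug  1 10:00:01 gtm1 info tmm[1234]: Rule /Common/gtm_snat_ports <LB_SELECTED>: 10.1.20.254:50000
Aug  1 10:00:02 gtm1 info tmm[1234]: Rule /Common/gtm_snat_ports <LB_SELECTED>: 10.1.20.254:61234
Aug  1 10:00:02 gtm1 info tmm[1234]: Rule /Common/gtm_snat_ports <LB_SELECTED>: 10.1.20.254:1035
Aug  1 10:00:03 gtm1 notice mcpd[2222]: 01070417:5: unrelated message
"""


def parse_snat_ports(lines):
    """Return (self_ip, port) tuples for every line that ends in ip:port."""
    pairs = []
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            pairs.append((match.group(1), int(match.group(2))))
    return pairs


def audit_ports(lines, port_min=PORT_MIN, port_max=PORT_MAX, hint_port=HINT_PORT):
    """Summarize range violations and port diversity for the given log lines."""
    pairs = parse_snat_ports(lines)
    counts = Counter(port for _, port in pairs)
    violations = [(ip, port) for ip, port in pairs if not port_min <= port <= port_max]
    return {
        "total": len(pairs),
        "distinct_ports": len(counts),
        "violations": violations,
        # True when every observed flow reused the hint port, i.e. the
        # unused_port lookup is not randomizing within the range.
        "hint_only": bool(pairs) and set(counts) == {hint_port},
    }


def report(lines):
    """Human-readable summary; returns the audit dict for further use."""
    result = audit_ports(lines)
    print(f"flows logged: {result['total']}, distinct source ports: {result['distinct_ports']}")
    for ip, port in result["violations"]:
        print(f"VIOLATION: {ip}:{port} is outside {PORT_MIN}-{PORT_MAX}")
    if result["hint_only"]:
        print(f"WARNING: only the hint port {HINT_PORT} was used; ports are not being randomized")
    return result


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

Run it against a real `/var/log/ltm` extract (for example `grep gtm_snat_ports /var/log/ltm`) in place of `SAMPLE_LOG`; a non-empty `violations` list means the range constraint is being bypassed, and `hint_only` being true reproduces the commenter's observation.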
Comment made 2 weeks ago by Steve Lyons

This iRule was tested on both 14.1 and 13.1.1.2 virtual appliances with a GTM only license though both GTM and LTM were provisioned.
