Forum Discussion

pallocca_73085 (Nimbostratus)
Nov 17, 2010

wildcard VS with iRule to limit TCP ports it accepts

Instead of creating five VS listening on five different ports I want to create a single "wildcard" VS accepting all ports and use an iRule to limit the ports the VS accepts.

1st. is this a good idea or is there a more efficient way of accomplishing this?

2nd. I am pretty new at writing iRules and am having some syntax errors on the rule I wrote (any tips??) -->

when CLIENT_ACCEPTED {
    if { not([TCP::local_port] == 443) ||
         not([TCP::local_port] == 1352) ||
         not([TCP::local_port] == 1533) ||
         not([TCP::local_port] == 8082) ||
         not([TCP::local_port] == 8088)}
    {drop}
}


4 Replies

  • is it applicable?

    access control based on network or host

    http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnNetworkOrHost.html
  • absolutely. i read through that article but just wanted to change the logic a bit (did not want to use data groups).

    struggling with the syntax. missing a bracket somewhere.

  • Here you go:

    when CLIENT_ACCEPTED {

        # Check the client's destination port to see if it's allowed
        switch [TCP::local_port] {
            443 -
            1352 -
            1533 -
            8082 -
            8088 {
                # Do nothing as the default action will be to use the VS's default pool
            }
            default {
                drop
            }
        }
    }

    Aaron
  • This is a good way to go if you need a bunch of ports open. Here is a rule we use...

    when CLIENT_ACCEPTED {
        if { not ([TCP::local_port] == 4021 || ([TCP::local_port] >= 40000 && [TCP::local_port] <= 41000)) } {
            reject
        }
    }
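Added example, not part of the thread and not an iRule: plain Tcl for tclsh that puts the three port checks posted in this thread (the original poster's condition, Aaron's switch allow-list and the range rule from the last reply) side by side. It assumes a plain `$port` argument in place of the iRule command `[TCP::local_port]`, the proc names are made up for this example, and the sample port list is constructed.

```tcl
#!/usr/bin/env tclsh
# Added example, not from the thread: plain Tcl runnable with tclsh.
# The iRule command [TCP::local_port] is replaced by a $port argument and
# the three checks posted above are evaluated against constructed sample
# ports. The proc names are assumptions made for this example.

# 1. The original poster's condition, as written. Plain tclsh spells the
#    iRule expr operator "not" as "!". Every clause is negated and the
#    clauses are joined with ||, so the expression is true for every port:
#    no single port can equal all five values at once. With the bracket
#    placement fixed, that rule would drop every connection, not just the
#    unwanted ones.
proc original_condition {port} {
    return [expr {
        !($port == 443)  ||
        !($port == 1352) ||
        !($port == 1533) ||
        !($port == 8082) ||
        !($port == 8088)
    }]
}

# 2. Aaron's switch-based allow-list. A body of "-" falls through to the
#    next pattern, so the five ports share one body. Comments are kept out
#    of the braced pattern list on purpose: Tcl parses that list as
#    pattern/body pairs and would choke on a "#" line inside it.
proc switch_allowlist {port} {
    switch -- $port {
        443 -
        1352 -
        1533 -
        8082 -
        8088 {
            return allow
        }
        default {
            return drop
        }
    }
}

# 3. The last reply's rule: allow 4021 and the range 40000-41000 inclusive,
#    reject everything else.
proc range_allowlist {port} {
    if { !($port == 4021 || ($port >= 40000 && $port <= 41000)) } {
        return reject
    }
    return allow
}

# Constructed sample ports: some of the allowed ports, both edges of the
# range, and ports that none of the rules should admit.
puts [format "%-6s %-9s %-7s %s" port original switch range]
foreach port {22 80 443 1352 4021 8088 8089 39999 40000 41000 41001} {
    puts [format "%-6s %-9s %-7s %s" $port \
        [original_condition $port] [switch_allowlist $port] [range_allowlist $port]]
}
```

The first column makes the logic problem in the original post visible without a BIG-IP: chaining negated equality tests with `||` can never be false, so the intended allow-list has to be written either as one negated disjunction (the way the last reply does it) or as a switch with an explicit `default` branch (Aaron's version). The comment placement in the switch proc is deliberate; in an iRule the same rule applies, which is why Aaron's comments sit inside the body braces rather than between the patterns.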