Forum Discussion

pmaubo2_55685
Jan 04, 2013

iRule to drop all non-allowed networks from going to a URL

Hi,

I want to drop any connection outside of a data class I created from getting to a certain URL.

So far I can drop the URL with the below iRule. I just need a little help adding in the network part.

I am using 10.2.3 and think I should be able to use an "and not" in it?

    when HTTP_REQUEST {
        # check the Class to determine if it's not allowed
        if { [HTTP::uri] contains "errors.axd" } {
            drop
            log local0. "dropped connection"
            return
        }
    }

Thanks for any help.

 

5 Replies

  • In a rush but this should help you along;

    
    Create a Data Group (called source-ips below) with just the IP addresses 
    of the hosts you’d like to accept
    
    when CLIENT_ACCEPTED {
     if { not [class match [IP::client_addr] equals source-ips] } {
       reject }
    }
    
  • Hey, thanks Steve

        when HTTP_REQUEST {
            # check the Class to determine if it's not allowed
            if { [HTTP::uri] contains "HostInfo.aspx" } {
                if { not [class match [IP::client_addr] equals allowed_networks] } {
                    log local0. "dropped connection"
                    reject
                }
            }
        }

    This seems to work just fine. I put a bogus network into my data class and it did indeed drop it when I went to the URL, and there does not seem to be any loops.

  • There are fairly easy ways to bypass this type of validation though. Make sure to URI decode before checking the URI. You can try something like this:

        when HTTP_REQUEST {
            # decode original URI.
            set tmpUri [HTTP::uri]
            set uri [URI::decode $tmpUri]

            # repeat decoding until the decoded version equals the previous value.
            while { $uri ne $tmpUri } {
                set tmpUri $uri
                set uri [URI::decode $tmpUri]
            }
            HTTP::uri $uri

            if { [string tolower $uri] contains "hostinfo.aspx" } {
                # check the Class to determine if it's not allowed
                if { not [class match [IP::client_addr] equals allowed_networks] } {
                    log local0. "dropped connection"
                    reject
                }
            }
        }

    https://devcentral.f5.com/internal-forums/aft/3090031324

    Aaron
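The following is an added example, not code from the thread or from F5. It is Python rather than the iRule's Tcl, so it can be run offline: it reproduces the source-IP plus URI check from the second reply and the decode-until-stable loop from the third, and runs a raw-URI check and a decoded-URI check side by side on a percent-encoded request so the bypass the third reply warns about is visible. The allowed networks, the client addresses and the request URIs are constructed for the example; the `allowed_networks` data group is stood in for by a list of CIDRs.

```python
"""Added example in Python (the iRules in this thread are Tcl): the source-IP
plus URI check from the second reply, with the decode-until-stable loop from
the third reply, so the encoded-path bypass can be shown side by side.
The allowed networks, client addresses and URIs are constructed for the example."""
import ipaddress
from urllib.parse import unquote

# Constructed stand-in for the "allowed_networks" data group (assumed CIDRs).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.0.2.0/24")]

# The iRule matches the whole URI with "contains", so the query string counts too.
PROTECTED_MARKER = "hostinfo.aspx"


def fully_decode(uri: str, max_rounds: int = 10) -> str:
    """Percent-decode until the value stops changing, as the iRule's while loop
    does, so "%2548" (double-encoded "H") ends up as "H". The round cap keeps
    a hostile input from driving the loop indefinitely."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            return decoded
        uri = decoded
    return uri


def is_allowed_source(client_addr: str) -> bool:
    """Equivalent of: class match [IP::client_addr] equals allowed_networks"""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in ALLOWED_NETWORKS)


def decide(uri: str, client_addr: str, normalize: bool = True) -> str:
    """Return "reject" when a non-allowed source asks for the protected URI,
    else "allow". normalize=False reproduces the second reply's check on the
    raw URI; normalize=True adds the third reply's decoding first."""
    checked = fully_decode(uri) if normalize else uri
    if PROTECTED_MARKER in checked.lower() and not is_allowed_source(client_addr):
        return "reject"
    return "allow"


if __name__ == "__main__":
    outsider = "203.0.113.7"  # constructed address outside the data group
    for raw in ("/HostInfo.aspx", "/%48ostInfo.aspx", "/%2548ostInfo.aspx"):
        print(f"{raw:22} raw-check={decide(raw, outsider, normalize=False):7} "
              f"decoded-check={decide(raw, outsider)}")
```

Two things worth checking before relying on a rule like this: `contains` over the whole URI also matches the marker inside a query string, so unrelated requests such as `/search?q=hostinfo.aspx` are rejected for outside sources; and the decoding loop in the iRule rewrites the URI with `HTTP::uri $uri`, so a `%2F` in a path segment reaches the server as a literal `/`, which may or may not be what the application expects.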
  • In addition to hoolio's recommendation, decide whether you want to use "drop" (silently drop packet) or "reject" (send a RST.) I typically use drop so as not to let a scanner know there's something I'm actively protecting but others have different opinions.