Forum Discussion

Mike_McCardle_1
Jan 03, 2007

Simple Drop rule help

I have the following iRule applied to one of the Virtual servers on my F5, and what I wanted it to do was accept traffic only on the specified ports, and drop the packets for all other requests. When I run Nmap against the IP address, it shows a large amount of ports open. The Virtual server does accept all ports, but it has the iRule applied. What am I doing wrong? Thanks.

when CLIENT_ACCEPTED {
    # Allowed destination ports: inclusive ranges, or a single port.
    # In Tcl expr, && binds tighter than ||, so each range pair stays
    # together without extra parentheses, but they are kept for clarity.
    if { ([TCP::local_port] >= 6000 && [TCP::local_port] <= 6299) ||
         [TCP::local_port] == 177 ||
         [TCP::local_port] == 21 ||
         [TCP::local_port] == 389 ||
         ([TCP::local_port] >= 48140 && [TCP::local_port] <= 48144) ||
         [TCP::local_port] == 2148 ||
         [TCP::local_port] == 13131 ||
         [TCP::local_port] == 22 } {
        pool SD4_Mgmnt
    } else {
        # Everything else: discard the (already established) connection
        drop
    }
}

2 Replies

  • bl0ndie_127134
    Historic F5 Account
    CLIENT_ACCEPTED is fired after the 3-way handshake is completed, in other words when a connection is established.
  • I haven't tested this, but I wonder if you could use packet filters to drop the connection before the TCP handshake is complete for destination ports you don't want the VIP to answer on.
    Click here
    Aaron
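To make the two replies concrete, here is an added Python model of the situation; it is not F5 code and not from either poster. A listener bound to all ports lets the kernel complete the 3-way handshake for every SYN, and only then does the accept loop (the CLIENT_ACCEPTED moment) consult the allow list and close unwanted connections. A connect-style probe of such a port therefore reports it open, which is exactly what the Nmap run in the question shows. The names AcceptThenDropListener, port_allowed, probe and demo are mine; the allow list is transcribed from the iRule in the question, and the listener uses an ephemeral localhost port so the demo is self-contained.

```python
import socket
import threading

# Allow list transcribed from the iRule in the question: single ports and
# inclusive ranges. port_allowed() is an assumed helper name, not an F5 API.
ALLOWED_RANGES = [(21, 21), (22, 22), (177, 177), (389, 389), (2148, 2148),
                  (6000, 6299), (13131, 13131), (48140, 48144)]


def port_allowed(port, ranges=ALLOWED_RANGES):
    """Same decision the iRule's chained >=/<= comparisons make."""
    return any(lo <= port <= hi for lo, hi in ranges)


class AcceptThenDropListener:
    """Constructed stand-in for a wildcard-port virtual server: the kernel
    finishes the 3-way handshake for every SYN, and only afterwards does the
    'rule' (our accept loop) decide to serve or close the connection."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))         # ephemeral port; almost never in the allow list
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.sock.settimeout(0.2)         # lets the accept loop notice the stop flag
        self.decisions = []               # what the rule decided for each connection
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()   # the CLIENT_ACCEPTED moment
            except socket.timeout:
                continue
            with conn:
                if port_allowed(conn.getsockname()[1]):
                    self.decisions.append("pool")
                    try:
                        conn.sendall(b"ok\n")
                    except OSError:
                        pass
                else:
                    self.decisions.append("drop")   # too late to hide the port

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port, host="127.0.0.1", timeout=1.0):
    """Connect-scan view of one port: 'open' if the handshake completes,
    'closed' on an RST (nothing listening), 'filtered' on silence, which is
    what a packet filter that discards the SYN would look like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def demo():
    """Probe the same port with and without the accept-then-drop listener."""
    listener = AcceptThenDropListener()
    with_rule = probe(listener.port)         # "open": handshake done before the rule ran
    listener.close()
    without_listener = probe(listener.port)  # "closed": RST, no SYN-ACK at all
    return {"with_rule_after_accept": with_rule, "no_listener": without_listener}


if __name__ == "__main__":
    print(demo())
```

Running it prints {'with_rule_after_accept': 'open', 'no_listener': 'closed'}: the rule's drop happens after the handshake, so the scanner has already seen a SYN-ACK. Only something that acts before the handshake, such as the packet filters Aaron mentions, can make the port answer with an RST (closed) or with nothing (filtered).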