Forum Discussion

Anthony_7417
Historic F5 Account
Jan 30, 2009

GTM iRule to allow Wideip requests from specific addresses only - like BIND's "allow-query"

While BIND has mechanisms like the "allow-query" statement in order to limit IPs that can query for zone data, I couldn't find a clean way to mimic this behavior for GTM wideips. There doesn't seem to be a great way to make sure a wideip will only answer for clients on internal networks, and drop requests from the outside.

While it could be done using topology records, topology doesn't seem to be the right tool for the job.

I came up with this quick and simple iRule that seems to do the job. Note that matchclass doesn't work for GTM iRules yet, so this rule could get ugly if you had a long list of IP networks to allow.

This iRule allows DNS queries to be processed if they are from a non-routable RFC1918 address. Requests from other addresses are simply dropped.

when DNS_REQUEST {
    # Answer only when the client address falls inside one of the RFC1918
    # ranges. Each test masks the client address to the given prefix length
    # and compares the result with the network address.
    if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] \
      or [IP::addr [IP::client_addr]/12 equals 172.16.0.0] \
      or [IP::addr [IP::client_addr]/16 equals 192.168.0.0] } {
        log local2. "[IP::client_addr] is an internal address. GTM will answer."
        # Leave the iRule and let GTM process the query normally.
        return
    } else {
        log local2. "[IP::client_addr] is NOT an internal address. GTM will NOT answer."
        # Silently discard the request; no response is sent to the client.
        drop
    }
}

You can simply add the iRule to any wideip you want to keep as an internal-only wideip. (Remove the logging lines after you are done testing).

I wanted to post this up here in case anyone else was interested. If anyone has any suggestions, I'd love to hear them.
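As an added example (not part of the original post and not F5 code), the same decision expressed in plain Python with the standard ipaddress module, generalised to an arbitrary list of CIDRs, plus a small parser for the test-time log lines the iRule writes, so you can tally which clients were answered and which were dropped. The syslog prefixes on the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Same three RFC1918 networks the iRule tests; add more entries here in
# place of the per-network "or" clauses the iRule has to chain by hand.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def gtm_should_answer(client_addr, allowed_nets=RFC1918_NETS):
    """Mirror the iRule decision: True means 'return' (GTM answers),
    False means 'drop'. Anything unparsable is treated as external."""
    try:
        addr = ipaddress.ip_address(client_addr)
    except ValueError:
        return False
    # An IPv6 source never matches an IPv4 network, so it is dropped too.
    return any(addr in net for net in allowed_nets)


# Shape of the two messages the iRule logs to local2 while testing.
_LOG_RE = re.compile(r"(\S+) is (NOT )?an internal address")


def summarize_log(lines):
    """Count answered and dropped queries per client address from the
    test-time log; returns (answered, dropped) Counters."""
    answered, dropped = Counter(), Counter()
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # not one of the iRule's lines
        (dropped if m.group(2) else answered)[m.group(1)] += 1
    return answered, dropped


# Constructed sample syslog lines in the format the iRule would produce
# (hostname, process name and timestamps are made up).
SAMPLE_LOG = [
    "Jan 30 09:12:01 gtm1 tmm[1234]: 10.20.30.40 is an internal address. GTM will answer.",
    "Jan 30 09:12:02 gtm1 tmm[1234]: 203.0.113.7 is NOT an internal address. GTM will NOT answer.",
    "Jan 30 09:12:05 gtm1 tmm[1234]: 203.0.113.7 is NOT an internal address. GTM will NOT answer.",
    "Jan 30 09:12:09 gtm1 tmm[1234]: 192.168.5.5 is an internal address. GTM will answer.",
    "Jan 30 09:12:10 gtm1 tmm[1234]: unrelated message",
]

if __name__ == "__main__":
    answered, dropped = summarize_log(SAMPLE_LOG)
    for ip, n in dropped.most_common():
        print(f"dropped {n} query(ies) from {ip}")
```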

3 Replies

  • Actually topology records would be the right place. Basically you can configure it so that it will allow internal addresses to match and then for everything ELSE it will simply provide a non-routable address. Much easier in my mind in a GUI than writing it up in a script.

    CB

  • Anthony_7417
    Historic F5 Account

    Yeah, you could do that, and that'd work. You could also make the destination of the topology records a pool which is set to 'drop packet' or 'return to DNS'. But since topology records are shared, if you already have a complex set of topology records configured for other wideips, it might take a lot of thought + planning to re-work the topology rules to include access control. And returning non-routable addresses just doesn't seem clean to me.

    With the iRule, you write it once, then apply it to whatever wideip you desire. The iRule also makes it very clear what's going on, whereas someone looking at a set of topology records might not understand the intent.

    The iRule might be a little difficult to maintain since GTM doesn't have matchclass, which is a bit of a shame. When GTM gets matchclass, an iRule like this should be much more maintainable.
  • I guess it all depends on how you built your topology.

    Click here if you want to post it in the samples section of devcentral.

    CB