Anthony_7417
Jan 30, 2009 (Historic F5 Account)
GTM iRule to allow Wideip requests from specific addresses only - like BIND's "allow-query"
While BIND has mechanisms like the "allow-query" statement in order to limit IPs that can query for zone data, I couldn't find a clean way to mimic this behavior for GTM wideips. There doesn't seem to be a great way to make sure a wideip will only answer for clients on internal networks, and drop requests from the outside.
While it could be done using topology records, topology doesn't seem to be the right tool for the job.
I came up with this quick and simple iRule that seems to do the job. Note that matchclass doesn't work for GTM iRules yet, so this rule could get ugly if you had a long list of IP networks to allow.
This iRule allows DNS queries to be processed if they are from a non-routable RFC1918 address. Requests from other addresses are simply dropped.
when DNS_REQUEST {
    # Allow the query only if the client source address falls inside one of
    # the three RFC 1918 private ranges. IP::addr applies the prefix length
    # to the client address before comparing it with the network address.
    if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] \
        or [IP::addr [IP::client_addr]/12 equals 172.16.0.0] \
        or [IP::addr [IP::client_addr]/16 equals 192.168.0.0] } {
        log local2. "[IP::client_addr] is an internal address. GTM will answer."
        # Leave the event so normal wideip resolution continues.
        return
    } else {
        log local2. "[IP::client_addr] is NOT an internal address. GTM will NOT answer."
        # Silently discard the request; the client receives no response.
        drop
    }
}
You can simply add the iRule to any wideip you want to keep as an internal-only wideip. (Remove the logging lines after you are done testing).
I wanted to post this up here in case anyone else was interested. If anyone has any suggestions, I'd love to hear them.
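To check the prefix boundaries the iRule above relies on, and to show the same allow-list driven from a data structure rather than a chain of "or" clauses (the concern raised about long network lists), here is an added Python example. It is not the original post's iRule and not F5 code; the network list and the sample query sources are constructed for illustration, and the function names are the example's own.

```python
"""Allow-list check for DNS query sources, modelled on the GTM iRule above.

Added example, not the original post's iRule. The network list and the
sample query sources below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple

# The same three RFC 1918 blocks the iRule tests, held in a list so that
# extra networks can be added without chaining more "or" clauses.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(client_addr: str, networks=INTERNAL_NETWORKS) -> bool:
    """Return True if client_addr falls inside any allowed network.

    Unparseable addresses are treated as external (fail closed), which is
    the behaviour you want on a resolver-facing filter. An IPv6 source is
    never contained in an IPv4 network, so it is dropped as well unless an
    IPv6 network is added to the list.
    """
    try:
        addr = ipaddress.ip_address(client_addr)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def decide(client_addr: str, networks=INTERNAL_NETWORKS) -> str:
    """Mirror the iRule's two outcomes: 'answer' (return) or 'drop'."""
    return "answer" if is_internal(client_addr, networks) else "drop"


def filter_queries(sources: Iterable[str],
                   networks=INTERNAL_NETWORKS) -> List[Tuple[str, str]]:
    """Apply the decision to a batch of source addresses, e.g. from a log."""
    return [(src, decide(src, networks)) for src in sources]


# Constructed sample of query sources, chosen to sit on the prefix boundaries
# of the three networks. The /12 boundary is the one people get wrong:
# 172.16.0.0 through 172.31.255.255 is private, 172.32.0.0 is not.
SAMPLE_SOURCES = [
    "10.1.2.3",          # inside 10/8
    "172.16.0.1",        # first host in 172.16/12
    "172.31.255.254",    # last usable host in 172.16/12
    "172.32.0.1",        # just outside 172.16/12
    "192.168.50.7",      # inside 192.168/16
    "192.169.0.1",       # just outside 192.168/16
    "8.8.8.8",           # public resolver address
    "::1",               # IPv6: not in any IPv4 allow-list entry
]

if __name__ == "__main__":
    for src, verdict in filter_queries(SAMPLE_SOURCES):
        print(f"{src:<16} {verdict}")
```

Running it prints one verdict per sample source; the two addresses one step past the /12 and /16 boundaries come back as "drop", which is the case worth confirming before relying on the iRule's hand-written prefix lengths.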