Forum Discussion

ChadBigIP_14663
Nimbostratus
Aug 21, 2013

Block Port 22 via iRules

Hello,

 

I wanted to know if it is possible to only ALLOW connections on PORT 22, using the Quova Database IP Repository, and to only ALLOW BY CERTAIN STATES in the US. I do not want to allow the entire US; I want to BLOCK every country and allow 3 (three) U.S. states to have access to PORT 22. Is it possible to get this granular?

 

4 Replies

  • It depends on what you mean by block port 22. Port 22 as in the port on which the BIG-IP listens for management? If so, no, I don't believe you can apply iRules to that.

     

    If you mean block port 22 on a virtual server, then it could be possible. From what I found, Quova (currently Neustar) should be able to provide state information. So you could write something simple so that only the strings from whereis (see below) for the states you want to allow go through, and other connections are closed.

     

    See: https://devcentral.f5.com/wiki/iRules.whereis.ashx

     

  • Yes, that is what I meant...

     

    I currently have my iRule block every country for my VIP and ALLOW US. I would like to change my iRule so that, instead of ALLOW US, it only ALLOWs CA (California), WA (Washington), and NY (New York), and then BLOCKs EVERY OTHER state in the US....

     

    Do you know how effective the Neustar IP Repository really is in blocking via IP addresses?

     

    I had an issue with a FLORIDA IP... it was being tagged as SWEDEN... so as soon as I allowed SWEDEN to get through on Port 80, the FLORIDA ISP IPs started getting through on Port 80... it seems that there are numerous Quova (Neustar) issues with incorrect country tagging, from what I have experienced firsthand...

     

    Have you seen the same?

     

  • Sorry, can't help you there. But in general I think this is an issue with any IP database: there will be errors, and those errors can cause issues for you. Be sure to update the database on the BIG-IP regularly.

     

    You could start with logging the locations and checking whether you see entries you don't expect. But I'm afraid that a solution like this will always require some exceptions.

     

    Perhaps that is the best way to go: alongside your location checking, add a subnet whitelist so you can quickly add wrongly classified networks.

     

  • I had an issue with a FLORIDA IP... it was being tagged as SWEDEN... so as soon as I allowed SWEDEN to get through on Port 80, the FLORIDA ISP IPs started getting through on Port 80... it seems that there are numerous Quova (Neustar) issues with incorrect country tagging, from what I have experienced firsthand...

     

    You have updated the database, haven't you?

     

    sol11176: Downloading and installing updates to the IP geolocation database

     

    http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11176.html
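
Putting the first and third replies together (allow only three states via whereis, close everything else, and keep a subnet whitelist for misclassified networks), this is what such an iRule attached to the port-22 virtual server could look like. It is an added example, not code posted by anyone in the thread. The data group name ssh_geo_exceptions, the log prefixes, and the exact strings that whereis returns for the state field (two-letter abbreviation vs. full name) are assumptions; log a few connections first, as the third reply suggests, and adjust the allowed list to whatever the database on your unit actually returns.

```tcl
# Added example (not from the thread): restrict a TCP/22 virtual server to
# three US states, with a subnet whitelist for misclassified source networks.
#
# Assumptions (confirm on your own BIG-IP before relying on them):
#  - The geolocation database is installed and current (see sol11176), so
#    [whereis] returns data rather than empty strings.
#  - An address-type data group named "ssh_geo_exceptions" exists and holds
#    the networks the database misclassifies (the "FLORIDA tagged as SWEDEN"
#    case from the thread). Name is hypothetical.
#  - [whereis $ip state] returns the state as a string. Log it first to see
#    whether you get "CA" or "California" and trim the list below accordingly.

when RULE_INIT {
    # States permitted to reach port 22. Kept lowercase so the comparison is
    # case-insensitive; both abbreviation and full name are listed because
    # the exact whereis output format is an assumption here.
    set static::ssh_allowed_states [list ca california wa washington ny "new york"]
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # 1. Subnet whitelist first: a known-good network wins over the
    #    geolocation verdict, which is the exception mechanism the third
    #    reply recommends for wrongly classified ranges.
    if { [class match $client equals ssh_geo_exceptions] } {
        log local0.info "SSH allow (whitelist) $client"
        return
    }

    # 2. Geolocation lookup. An empty result means the address is not in the
    #    database; it falls through to the reject below rather than being
    #    treated as allowed.
    set country [string toupper [whereis $client country]]
    set state   [string tolower [whereis $client state]]

    if { $country equals "US" && [lsearch -exact $static::ssh_allowed_states $state] >= 0 } {
        log local0.info "SSH allow (geo) $client $country/$state"
        return
    }

    # 3. Everything else, including unknown locations, is rejected (RST).
    #    The log line is what you review to find misclassified networks
    #    that belong in the whitelist data group.
    log local0.warn "SSH reject $client country=\"$country\" state=\"$state\""
    reject
}
```

Two caveats that follow from the thread itself: this only affects traffic through a virtual server, not SSH to the BIG-IP's own management address (the first reply's point), and geolocation is a coarse filter, not authentication. An address misclassified into an allowed state still gets through, so the whitelist-plus-geo rule should sit in front of normal SSH key authentication rather than replace it.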