iRule To Control Access Based on Source and Destination Addresses
Hi Guys
I am trying to work on an iRule for a virtual server that permits traffic from a couple of devices behind the BIG-IP (192.168.1.15 and 192.168.1.20) to a couple of FTP sites out on the internet (let's say 1.1.1.1, 2.2.2.2 and 3.3.3.3). I have a virtual server named vs_ftp_out that contains 0.0.0.0/0 as the destination and 192.168.1.0/24 as the source, and FTP as the protocol.
Could I do something like this? It's a slight adaptation of the datacenter firewall iApp:
```
data-group internal /Common/dg_allowed_ftp_sources
    records {
        192.168.1.15/32
        192.168.1.20/32
    }
    type ip

data-group internal /Common/dg_allowed_ftp_destinations
    records {
        1.1.1.1/32
        2.2.2.2/32
        3.3.3.3/32
    }
    type ip

data-group internal /Common/ftp_acl
    records {
        /Common/vs_ftp_out {
            data dg_allowed_ftp_sources
            data dg_allowed_ftp_destinations
        }
    }
    type string
```
```tcl
when CLIENT_ACCEPTED {
    while {1} {
        # Look up the ACL data group assigned to this virtual server
        set ftp_acl [class match -value [virtual name] equals /Common/dg_ftp_out]
        if { ! [class exists $ftp_acl] } { break }
        # Drop unless both the source and the destination are in the allowed set
        if { ! [class match [IP::client_addr] equals $ftp_acl] || ! [class match [IP::local_addr] equals $ftp_acl] } { break }
        return
    }
    discard
}
```
Please feel free to chuckle if I have missed something glaringly obvious - I have never used F5 before and am still trying to get to grips with iRules - Doing the essentials course and reading the iRules 101 pages, which are really great btw. I am a network engineer most of the time with experience in Cisco and Juniper, so the concept and logic behind iRules is new to me.
Many Thanks
Jon
You seem to have a good grasp, however I don't think I was paying enough attention when I made my other update. I only mentioned /Common/dg_ftp_out as you had referenced it but not defined it. I don't really see that it's necessary - you could get away with what's below instead:
```tcl
when CLIENT_ACCEPTED {
    if { !([class match [IP::client_addr] equals dg_allowed_ftp_sources] && [class match [IP::local_addr] equals dg_allowed_ftp_destinations]) } {
        discard
        return
    }
}
```
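For anyone who still wants the per-virtual-server lookup from the original question (one string data group that tells the iRule which pair of address data groups applies to the current virtual), here is an added example of how that can be written correctly. This is not code from the thread or from the datacenter firewall iApp; it assumes a hypothetical string data group `dg_ftp_acl` whose key is the virtual server name and whose value is two data-group names separated by a space, for instance `/Common/vs_ftp_out { data "dg_allowed_ftp_sources dg_allowed_ftp_destinations" }`, with the two address data groups defined as in the question. Connections with no ACL entry, or whose entry points at a missing data group, are dropped and logged rather than allowed through.

```tcl
# Added example, not from the original thread.
# Assumed data groups:
#   dg_ftp_acl (type string): key = virtual server name,
#       value = "<source address data group> <destination address data group>"
#   dg_allowed_ftp_sources / dg_allowed_ftp_destinations (type ip), as in the question.
when CLIENT_ACCEPTED {
    # Which pair of address data groups governs this virtual server?
    set acl [class match -value [virtual name] equals dg_ftp_acl]
    if { $acl eq "" } {
        # No ACL entry for this virtual: fail closed and record it
        log local0. "FTP ACL: no entry for [virtual name]; dropping [IP::client_addr] -> [IP::local_addr]"
        discard
        return
    }

    # The value holds two names; split them out
    set src_dg [lindex $acl 0]
    set dst_dg [lindex $acl 1]
    if { ![class exists $src_dg] || ![class exists $dst_dg] } {
        # A typo in dg_ftp_acl must not silently allow everything
        log local0. "FTP ACL: entry for [virtual name] references a missing data group; dropping"
        discard
        return
    }

    # Permit only when both ends of the connection are in the allowed sets.
    # On a 0.0.0.0/0 forwarding virtual, IP::local_addr is the real destination.
    if { [class match [IP::client_addr] equals $src_dg] && [class match [IP::local_addr] equals $dst_dg] } {
        return
    }

    log local0. "FTP ACL deny: [IP::client_addr] -> [IP::local_addr]:[TCP::local_port] on [virtual name]"
    discard
}
```

The deny log lines are what make this checkable after deployment: a quick `grep "FTP ACL"` in /var/log/ltm shows both legitimate hosts that were missed in the data groups and unexpected sources trying to reach the internet over FTP.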