Forum Discussion

Desai_124243
Oct 20, 2015

Only 4 TCP/UDP ports allowed in Single Virtual

Hi,


We allow only 4 TCP/UDP ports on a single virtual. Is the iRule below correct for it?


rule allowing_tcp_udp_traffic_rl {
    when CLIENT_ACCEPTED {
        # Check if requested port is allowing only TCP 443, TCP 80, UDP 4500 and UDP 500
        if { ( [TCP::client_port] != 443 or [TCP::client_port] != 80 or [UDP::client_port] != 500 or [TCP::client_port] != 4500 ) } {
            # Drop request
            drop
        }
    }
}


Thanks


Gunjan Desai


3 Replies

  • Hi Gunjan

    Change "or" to "and", and the client port to TCP::local_port, and it should work (provided that you don't filter on the client source ports?).

    Adding the rule in nicer formatting in case someone else wants to chip in:

    rule allowing_tcp_udp_traffic_rl {
        when CLIENT_ACCEPTED {
            # Check if requested port is allowing only TCP 443, TCP 80, UDP 4500 and UDP 500
            if { ( [TCP::client_port] != 443 and [TCP::client_port] != 80 and [UDP::client_port] != 500 and [TCP::client_port] != 4500 ) } {
                # Drop request
                drop
            }
        }
    }
    

    /Patrik

  • Need to check the local TCP/UDP port, and also the logic is reversed when doing multiple 'not equal to' statements; try the following iRule:

    when CLIENT_ACCEPTED {
        # Check if requested port is allowing only TCP 443, TCP 80, UDP 4500 and UDP 500
        if { ( [TCP::local_port] != 443 and [TCP::local_port] != 80 and [UDP::local_port] != 500 and [UDP::local_port] != 4500 ) } {
            reject
        }
    }
    

    Only thing not sure about is whether having the TCP::client_port and UDP::client_port within the same if statement would work; might need to test if the connection is a TCP or UDP connection first.
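
An added example, not posted by anyone in this thread, of how the check can be written so that the TCP:: and UDP:: commands are only ever evaluated on a flow of the matching protocol, which is the doubt raised in the last reply. It assumes a single wildcard (port 0) virtual server with its protocol set to "any" so that both TCP and UDP flows hit the same iRule; the rule name is invented for illustration.

```tcl
# Added example (not from the original posts): permit only TCP 80, TCP 443,
# UDP 500 and UDP 4500 on one wildcard virtual server, drop everything else.
# Assumption: the virtual is port 0 / protocol "any", so TCP and UDP both
# arrive here. The IP protocol is tested first because TCP::local_port on a
# UDP flow (or UDP::local_port on a TCP flow) raises a Tcl runtime error
# and aborts the iRule instead of filtering.
rule allow_four_ports_only {
    when CLIENT_ACCEPTED {
        switch [IP::protocol] {
            6 {
                # TCP: the port the client connected TO (local_port), not the
                # ephemeral source port it connected FROM (client_port).
                switch [TCP::local_port] {
                    80 -
                    443 {
                        # allowed, let the connection proceed
                    }
                    default {
                        # silently discard; "reject" would send a RST instead
                        drop
                    }
                }
            }
            17 {
                # UDP: ISAKMP (500) and NAT-T (4500) only
                switch [UDP::local_port] {
                    500 -
                    4500 {
                        # allowed
                    }
                    default {
                        drop
                    }
                }
            }
            default {
                # Any other IP protocol reaching a protocol "any" virtual
                # (ICMP, ESP, GRE, ...) is by definition not one of the four
                # allowed ports, so it is dropped as well.
                drop
            }
        }
    }
}
```

The `switch` with fall-through (`80 -`) is an allow-list: a port is permitted only when it is named, so adding a fifth port means adding one line rather than extending a chain of `!=` conditions whose `and`/`or` logic is easy to get backwards, as happened in the original rule. If the single-virtual requirement can be relaxed, four port-specific virtual servers need no iRule at all; this example is for the case in the question where one virtual must do the filtering.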