Forum Discussion

Drew
Jul 24, 2015

Is it safe to use the source address property to limit access to a VIP ?

Hi

I was wondering if anyone uses ONLY the Source IP address property to limit access to a VIP. I ask this as we tend to line up changes with ourselves and the firewall guys when opening a new VIP to the big bad world. I'm guessing if I set the Source to 172.16.0.0/12 then only "internal" IP addresses could access the VIP. Doing this would allow the firewall guys to do their change ahead of "launch" by allowing access, say on port 443 to the VIP address. Then the actual "launch", e.g. allowing access from the internet, could be controlled by BigIP, by changing the Source to 0.0.0.0/0 again.

I tried this internally and by setting my workstation IP address I could access a test site, my colleagues couldn't. They couldn't telnet to the test site but they could ping the VIP.

I'm asking in case anyone has tried this and come across any issues.

Thanks

Drew

1 Reply

  • Generally filtering by source IP address is not a good practice, but in reality a lot of people do it. You have to ask yourself what the risk is if your filter does not work, and what the real purpose of the rule is. If you are just trying to stop curious honest people from viewing the page before launch, then a source IP rule will probably work OK. If there is some greater risk involved then it might not be a good idea.

    Another option might be to move it to another port temporarily. Let the firewall team open 443, but since you are running on 8443, no one can get to it (8443 is not open in the firewall, and nothing is answering on 443).
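Added example, not from either poster: a small Python check of which client addresses a virtual server `source` prefix would admit, covering the 172.16.0.0/12 scheme in the question and the reply's point about asking what happens if the filter does not do what you expect. The client addresses and the narrower 172.16.0.0/16 case are constructed for illustration; this models the prefix match only, not BIG-IP itself.

```python
"""Model a virtual server source-address filter and verify which clients it
admits before relying on it as the pre-launch gate (constructed example)."""
import ipaddress


def source_filter_admits(source_prefix: str, client_ip: str) -> bool:
    """True if client_ip falls inside the configured 'source' prefix."""
    network = ipaddress.ip_network(source_prefix, strict=False)
    return ipaddress.ip_address(client_ip) in network


def verify_filter(source_prefix, expected_allowed, expected_denied):
    """Check the prefix against addresses that must and must not reach the
    VIP. Returns a list of mismatches; an empty list means the filter
    behaves as intended for every address tested."""
    mismatches = []
    for ip in expected_allowed:
        if not source_filter_admits(source_prefix, ip):
            mismatches.append((ip, "expected allowed, would be denied"))
    for ip in expected_denied:
        if source_filter_admits(source_prefix, ip):
            mismatches.append((ip, "expected denied, would be admitted"))
    return mismatches


# Constructed addresses. 172.16.0.0/12 spans 172.16.0.0 - 172.31.255.255,
# so the boundary hosts on both sides are included deliberately.
INTERNAL_CLIENTS = ["172.16.0.1", "172.20.5.9", "172.31.255.254"]
OUTSIDE_PREFIX = ["172.15.255.255", "172.32.0.1", "10.0.0.5", "203.0.113.7"]


def pre_launch_report():
    """Before launch: only the /12 internal range may reach the VIP."""
    return verify_filter("172.16.0.0/12", INTERNAL_CLIENTS, OUTSIDE_PREFIX)


def post_launch_report():
    """After launch the source is widened to 0.0.0.0/0: every client is
    expected to be admitted, so nothing should appear as denied."""
    return verify_filter("0.0.0.0/0", INTERNAL_CLIENTS + OUTSIDE_PREFIX, [])


def too_narrow_report():
    """A typo such as /16 instead of /12 silently locks out most of the
    internal range; the mismatch list makes that visible before launch."""
    return verify_filter("172.16.0.0/16", INTERNAL_CLIENTS, OUTSIDE_PREFIX)


if __name__ == "__main__":
    print("pre-launch mismatches:", pre_launch_report())
    print("post-launch mismatches:", post_launch_report())
    print("/16 typo mismatches:", too_narrow_report())
```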