Forum Discussion

sandy16
Oct 23, 2012

irule for VIP to deny all ports except a few

Hi, I have configured a VIP to listen on any port, but I want to restrict it to only specific ports and deny all the rest.

What's the simplest way to do this?

 

4 Replies

  • There are two ways you can achieve this that I can think of;

    1) Use a packet filter (everyone seems to prefer iRules)

    2) Use the CLIENT_ACCEPTED event and something like this (but with more ports using switch or a data group);

    when CLIENT_ACCEPTED {
       # In Tcl expr "!" binds tighter than "==", so "! [TCP::local_port] == 80"
       # would negate the port number first and never match; compare with "!=" instead
       if { [TCP::local_port] != 80 } {
          drop
          return
       }
    }


  • Thanks Steve... what would be the equivalent of deny all except 80, 8080?
  • This should do it;

    when CLIENT_ACCEPTED {
       # Drop only when the port is neither 80 nor 8080 (both tests must hold,
       # so the conditions are joined with &&, not ||)
       if { [TCP::local_port] != 80 && [TCP::local_port] != 8080 } {
          drop
          return
       }
    }

  • e.g.

     if-clause
    
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
       if { !([TCP::local_port] == 80) and !([TCP::local_port] == 8080) } {
          drop
       }
    }
    }
    
     switch
    
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
       switch [TCP::local_port] {
          80 -
          8080 { }
          default {
             drop
          }
       }
    }
    }
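
The first reply mentions keeping the allowed ports in a data group rather than in a hard-coded if/switch. The iRule below is an added example written for this thread, not code posted by any of the participants; it assumes a string-type internal data group named allowed_vip_ports (a hypothetical name) whose records are the permitted port numbers, and it logs each rejected connection so the policy can be checked from the LTM log.

```tcl
# Added example (not from the thread): port allow-list held in a data group.
# Assumed data group (hypothetical name), created with tmsh:
#   create ltm data-group internal allowed_vip_ports type string records add { 80 { } 8080 { } }
# Adding or removing a port then means editing the data group, not the iRule.
when CLIENT_ACCEPTED {
    set port [TCP::local_port]

    # "class match" returns 1 when $port is a record key in the data group.
    if { ![class match $port equals allowed_vip_ports] } {
        # Record the rejected attempt before discarding it: client, VIP and port
        # appear in /var/log/ltm so denied traffic can be audited.
        log local0. "VIP port policy: dropped [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$port"
        drop
        return
    }
}
```

drop silently discards the packet, so a blocked client only sees a timeout; if you would rather send a TCP reset so the client fails fast, use reject in its place. The choice is deliberate either way: drop gives a scanner less information, reject gives legitimate misconfigured clients a quicker error.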