04-25-2007 07:17 AM
Hi there... having some difficulty understanding this... I can create a service rule as follows:
service blahblah
  ip address 10.0.0.1
  protocol tcp
  port 17000 range 100
  active
When it comes to the content rule, how do I specify the same port range for the VIP to listen on?
content blahblah
  vip address 20.0.0.1
  protocol tcp
  add service blahblah
  port ???????
  active
Any advice would be appreciated
thanks in advance
Sandeep
04-25-2007 10:23 AM
Do not specify a port; as far as I know there is no range on the port:
Use the no form of this command to reset the port number to its default value of 0, which means any port.
04-25-2007 11:02 AM
There is no option to configure a range of ports on a content rule. The only option is to use port "0", or "no port", so that all ports matching this IP address are matched. You could then place an ACL on the interface to only allow these ports to hit the content rule:
clause 10 permit any any destination content myowner/myrule range 17000 18000
04-25-2007 11:18 AM
Hmmm... ok... that makes sense. The issue is that the same VIP is listening on different ports in different content rules.
E.g., the servers at the backend are doing HTTP, HTTPS, and FTP, so the current rules listen on ports 80, 443, and 21 respectively. The port ranges are for the FTP data channels and are configured to listen on 17000-17100.
E.g.:
service webserver1
  ip address 10.0.0.1
  protocol tcp
  port 80
  active
service webserver2
  ip address 10.0.0.2
  protocol tcp
  port 80
  active
service ftpserver1
  ip address 10.0.0.1
  protocol tcp
  port 21
  active
service ftpserver2
  ip address 10.0.0.2
  protocol tcp
  port 21
  active
service ftpserver1_data
  ip address 10.0.0.1
  protocol tcp
  port 17000 range 100
  active
service ftpserver2_data
  ip address 10.0.0.2
  protocol tcp
  port 17000 range 100
  active
content webserver
  vip address 20.0.0.1
  add service webserver1
  add service webserver2
  protocol tcp
  port 80
  active
content ftpserver
  vip address 20.0.0.1
  add service ftpserver1
  add service ftpserver2
  protocol tcp
  port 21
  application ftp-control
content ftpserver_data
  vip address 20.0.0.1
  add service ftpserver1_data
  add service ftpserver2_data
  application ftp-control
  port 0
Will that work? I don't want to unnecessarily expose the server to malicious traffic. Am I crafting the FTP data channel correctly?
How would I implement an ACL to limit only ports 17000 to 17100 using the above example?
thanks again!
sandeep
04-25-2007 02:24 PM
Sandeep
If you don't define a port under the ftpserver_data rule, then all the remaining traffic (except the ports defined in other rules, e.g. 80, 21) will hit this rule.
If you want to restrict that only traffic for certain ports should hit the IP 20.0.0.1, then you can use an ACL with the following clauses:
  clause 5 permit tcp any destination 20.0.0.1 eq http
  clause 7 permit tcp any destination 20.0.0.1 eq 21
  clause 10 permit tcp any destination 20.0.0.1 range 17000 17100
You will need to be careful when issuing the "acl enable" command, as it will apply a default "deny all" to all circuit VLANs that are not configured with permit clauses.
CSS is not a firewall and I think we should not try to use it like one.
Syed Iftekhar Ahmed
04-26-2007 06:10 AM
That makes sense now... thanks very much. With respect to applying this ACL to VLANs, when I do the command "acl enable", will it apply this ACL to all VLAN circuits? Then do I need to create another ACL that says:
acl 10
  clause 10 permit any any destination any
and then apply this to all other VLAN circuits?
Do I need to apply the http/ftp ACL only to the inbound VLAN to the CSS, or to the backend VLAN as well?
Thanks again,
Sandeep
04-26-2007 10:17 AM
You need to apply the http/https/ftp ACL on the client-side VLAN (where your VIPs are), and you will need a permit-all ACL on all the remaining circuits.
Syed
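Putting the two answers above together, the ACL part of the configuration would look like the following. This is an added example, not configuration posted by either participant. The circuit names VLAN1 (client side, where the VIP 20.0.0.1 lives) and VLAN2 (server side) and the ACL numbers are assumptions; substitute your own. A clause for 443 is included because the original post says the same VIP also serves HTTPS, even though the posted content rules did not show it.

```text
! Added example, not from the original thread.
! Circuit names VLAN1 (client side) and VLAN2 (server side) are assumptions.

! Client-side circuit: only the ports the content rules are meant to serve
! on 20.0.0.1 are allowed in. Anything else arriving on this circuit is
! dropped by the implicit deny once ACLs are enabled.
acl 1
  clause 5 permit tcp any destination 20.0.0.1 eq 80
  clause 6 permit tcp any destination 20.0.0.1 eq 443
  clause 7 permit tcp any destination 20.0.0.1 eq 21
  clause 10 permit tcp any destination 20.0.0.1 range 17000 17100
  apply circuit-(VLAN1)

! Server-side circuit: permit everything, so that "acl enable" does not
! silently drop the servers' traffic with the default deny.
acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN2)

! Enable last, only after every circuit has an ACL applied to it.
acl enable
```

The ftpserver_data content rule with port 0 still matches any destination port on 20.0.0.1 that no other rule claims; it is acl 1 that narrows what actually reaches it to 17000-17100. Bear in mind that acl 1 also drops anything else entering VLAN1 that is not listed, such as ICMP toward the VIP or management sessions to the CSS on that circuit, so add explicit permit clauses for whatever else must arrive there before issuing "acl enable".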