Content rule port ranges

yycsandman007 (Level 1)

Hi there... having some difficulty understanding this... I can create a service rule as follows:

    service blahblah
      ip address 10.0.0.1
      protocol tcp
      port 17000 range 100
      active

When it comes to the content rule, how do I specify the same port range for the VIP to listen on?

    content blahblah
      vip address 20.0.0.1
      protocol tcp
      add service blahblah
      port ???????
      active

Any advice would be appreciated.

Thanks in advance,

Sandeep

6 Replies

diro (Level 1)

Do not specify a port. As far as I know there is no range option on the port:

"Use the no form of this command to reset the port number to its default value of 0, which means any port."

There is no option to configure a range of ports on a content rule. The only option is to use port "0", or "no port", so that all ports matching this IP address are matched. You could then place an ACL on the interface to only allow these ports to hit the content rule:

    clause 10 permit any any destination content myowner/myrule range 17000 18000

Hmmm... ok... that makes sense. The issue is that the same VIP is listening on different ports in different content rules.

E.g. the servers at the backend are doing http, https, and ftp, so the current rules listen on ports 80, 443, and 21 respectively. The port ranges are for the ftp data channels and are configured to listen on 17000-17100.

E.g.:

    service webserver1
      ip address 10.0.0.1
      protocol tcp
      port 80
      active

    service webserver2
      ip address 10.0.0.2
      protocol tcp
      port 80
      active

    service ftpserver1
      ip address 10.0.0.1
      protocol tcp
      port 21
      active

    service ftpserver2
      ip address 10.0.0.2
      protocol tcp
      port 21
      active

    service ftpserver1_data
      ip address 10.0.0.1
      protocol tcp
      port 17000 range 100
      active

    service ftpserver2_data
      ip address 10.0.0.2
      protocol tcp
      port 17000 range 100
      active

    content webserver
      vip address 20.0.0.1
      add service webserver1
      add service webserver2
      protocol tcp
      port 80
      active

    content ftpserver
      vip address 20.0.0.1
      add service ftpserver1
      add service ftpserver2
      protocol tcp
      port 21
      application ftp-control

    content ftpserver_data
      vip address 20.0.0.1
      add service ftpserver1_data
      add service ftpserver2_data
      application ftp-control
      port 0

Will that work? I don't want to unnecessarily expose the server to malicious traffic. Am I crafting the ftp data channel correctly?

How would I implement an ACL to only limit ports 17000 to 17100 using the above example?

Thanks again!

Sandeep

Sandeep

If you don't define a port under the ftpserver_data rule, then all the remaining traffic (except the ports defined in other rules, e.g. 80, 21) will hit this rule.

If you want to restrict it so that only traffic for certain ports hits the IP 20.0.0.1, you can use an ACL with the following clauses:

    clause 5 permit tcp any destination 20.0.0.1 eq http
    clause 7 permit tcp any destination 20.0.0.1 eq 21
    clause 10 permit tcp any destination 20.0.0.1 range 17000 17100

You will need to be careful when issuing the "acl enable" command, as it will apply a default "deny all" to all circuit VLANs that are not configured with permit clauses.

CSS is not a firewall and I think we should not try to use it like one.

Syed Iftekhar Ahmed

That makes sense now... thanks very much. With respect to applying this ACL to VLANs, when I do the command "acl enable", will it apply this ACL to all VLAN circuits? Then do I need to create another ACL that says:

    acl 10
      clause 10 permit any any destination any

and then apply this to all other VLAN circuits?

Do I need to only apply the http/ftp ACL to the inbound VLAN to the CSS or the backend VLAN?

Thanks again,

Sandeep

You need to apply the http/https/ftp ACL on the client-side VLAN (where your VIPs are), and you will need a permit-all on all the remaining circuits.

Syed
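To make Syed's two points concrete (a content rule with no port, i.e. port 0, receives every port the other rules on the VIP leave over, and only the ACL on the client-side VLAN narrows that), here is an added Python model of the matching. It is not CSS code and not from anyone in the thread; the exact-port-beats-port-0 precedence and first-match ACL semantics with an implicit deny are modelling assumptions, and the rules and clauses are the ones posted above.

```python
# Constructed model (not CSS code) of the matching behaviour in the thread: a
# 'port 0' content rule catches every port left over on the VIP; the ACL narrows it.
from dataclasses import dataclass

@dataclass(frozen=True)
class ContentRule:
    name: str
    vip: str
    port: int  # 0 = default "any port": takes whatever no exact-port rule claims

@dataclass(frozen=True)
class AclClause:
    action: str  # "permit" or "deny"
    dst: str     # destination IP or "any"
    low: int     # port range; 'eq <p>' is modelled as low == high == p
    high: int

# Rules and ACL as posted in the thread ('eq http' is port 80).
CONTENT_RULES = [
    ContentRule("webserver", "20.0.0.1", 80),
    ContentRule("ftpserver", "20.0.0.1", 21),
    ContentRule("ftpserver_data", "20.0.0.1", 0),
]
CLIENT_ACL = [
    AclClause("permit", "20.0.0.1", 80, 80),
    AclClause("permit", "20.0.0.1", 21, 21),
    AclClause("permit", "20.0.0.1", 17000, 17100),
]

def acl_permits(acl, dst_ip, dst_port):
    """First matching clause decides; no match is the implicit deny 'acl enable' adds."""
    if acl is None:  # no ACL enabled on this circuit: everything passes
        return True
    for c in acl:
        if c.dst in ("any", dst_ip) and c.low <= dst_port <= c.high:
            return c.action == "permit"
    return False

def match_content_rule(rules, dst_ip, dst_port):
    """Assumed precedence: an exact-port rule beats the port-0 rule on the same VIP."""
    hits = [r for r in rules if r.vip == dst_ip and r.port in (dst_port, 0)]
    return min(hits, key=lambda r: r.port == 0).name if hits else None

def classify(dst_ip, dst_port, acl=CLIENT_ACL, rules=CONTENT_RULES):
    if not acl_permits(acl, dst_ip, dst_port):
        return "dropped-by-acl"
    return match_content_rule(rules, dst_ip, dst_port) or "no-rule"

def ports_reaching(rule_name, acl=CLIENT_ACL):
    """Count of the 65535 TCP ports on the VIP that land in the named rule."""
    return sum(classify("20.0.0.1", p, acl) == rule_name for p in range(1, 65536))
```

Comparing `ports_reaching("ftpserver_data")` with and without the ACL (`acl=None`) shows the exposure Sandeep asked about: 101 ports versus every port not claimed by the 80 and 21 rules.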