How to Block Ports while using Wildcard Virtual Service

The LoadMaster can blacklist or whitelist IPs but you cannot block ports using an ACL. This article shows you how to block a port for a particular IP and port combination. If you are using a wildcard Virtual Service, which is marked with '*' symbol as the port number, it enables all ports to connect to that VIP.

1.jpgIf you want to block a specific port from accessing this Virtual Service, create a new Virtual Service using the same VIP and the port you want to block.  

By adding a real server to the Virtual Service that has the port you want to block, you mark the Virtual Service as up and healthy. If the service is marked as down, then connections go to the wildcard Virtual Service. Therefore, you should use either a ping health check or set the health check to 'None'. When health check is set to 'None', the LoadMaster assumes the Virtual Service is up and healthy. You always want the health check to pass.

port.jpg

After this is done, you can make a whitelist inside the new Virtual Service using the access control feature.

advanved_properties.jpg

acl.jpg

Insert 127.0.0.1 for a whitelist. 

5.jpgThis allows only this IP, which is the localhost IP, and blocks every other connection from any IP trying to access this virtual service on this port.

The LoadMaster drops this packet in one of two ways. Both of these are configurable at System Configuration > Network Setup > Packet Routing Filter.

prf.jpg

With the rejection method set to 'Drop', the LoadMaster will not reply.

7.jpg

With the rejection method set to 'Reject', the LoadMaster sends out an Internet Control Message Protocol (ICMP) Destination unreachable packet. 

8.jpg

Was this article helpful?

0 out of 0 found this helpful

Comments