# F5BigIpiFeedlist
## Overview

The CNFs IP Intelligence feature uses lists of IP addresses, known as feed lists, to either reject (blacklist) or accept (whitelist) incoming network traffic based on the source or destination IP address.

CNFs IP Intelligence can use two types of feed lists:

- Webroot BrightCloud - a subscription-based service that requires an additional F5 add-on license.
- Custom feed list - a list of source or destination IP addresses maintained on a remote server.

If the BrightCloud subscription-based service is not being used, you can configure custom feed lists to allow or deny remote clients based on their source or destination IP address. Feed lists pull feed files from remote systems and are then referenced by an IP Intelligence policy.
## CR parameters

### metadata

| Parameter | Description |
|---|---|
| name | Specifies the name of the IpiFeedlist. |
### spec.feeds

| Parameter | Description |
|---|---|
| feeds | Specifies the URLs and properties of the IPI feedlist files. |
| feedName | Specifies the IPI feed name. |
| url | Specifies a valid http or https URL from which the IPI allowlist or denylist file can be downloaded. |
| listType | Specifies whether the feedlist file is treated as an allowlist or a denylist by default. |
| defaultDenyListCategory | Specifies the denylist category that is applied to the entries in the file. This applies only to entries in the file that do not have a category specified. |
| pollInterval | Specifies how frequently the feedlist URL is polled for an updated file, in minutes (m), hours (h) or days (d). For example: 5m, 2h, 3d. |
| username | Specifies a username (if required) to download the feedlist file. The password is not stored in the CR, which may be readable by all users; all passwords are configured using Kubernetes Secrets, as described in the Configuring IP Intelligence Feedlist Server with Kubernetes Secrets section. |
| proxy | Specifies the name of the proxy object defined in the f5-big-cne-downloader CR that is used to download the feedlist file. |
## CR Example

The following is an example F5BigIpiFeedlist CR:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigIpiFeedlist
metadata:
  name: "feedlist1"
spec:
  feeds:
    - feedName: feed1
      url: http://10.165.0.20/feed1.txt
    - feedName: feed2
      url: http://10.165.0.20/feed2.txt
      username: testuser
      proxy: internal-proxy
      pollInterval: 1m
      defaultDenyListCategory: spam_sources
      listType: denylist
```
## Installation

Apply the F5BigIpiFeedlist CR:

```shell
kubectl apply -f ipi-feedlist.yaml -n <namespace>
```

Verify the F5BigIpiFeedlist CR is applied by checking the f5ingress logs. Following is an example output showing that the F5BigIpiFeedlist CR is created/added:

```
f5bigipifeedlist.k8s.f5net.com/feedlist1 created
```
## Configuring IP Intelligence Feedlist Server with Kubernetes Secrets

The predefined Secret CR is ipi-feedlist-credentials-secret. Each entry in the Secret data is in `<servername>-<username>: <password>` format and must specify the same IP address or hostname as used in the feedlist CR. The password value is a base64 encoded string. The Unix command base64 can be used to encode a password:

```shell
dev@linux:~$ echo -n "passwd1" | base64
cGFzc3dkMQ==
```

Note: By default, the echo command adds a trailing "\n" character, which is not intended in a password text. Hence, server authentication may fail when the "echo -n" option is not used.

Following is an example CR to configure the password for the feedlist server 10.165.0.20 and username testuser:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ipi-feedlist-credentials-secret
type: Opaque
data:
  10.165.0.20-testuser: cGFzc3dkMQ==
  domain.com-username: cGFzc3dkMg==
```
## Feedlist file format

Following is an example feedlist file format:

```
10.10.10.100,32,bl,spam_sources
20.20.20.1,24,al
20b:b02:2::,128,al
10.10.12.3,255.0.0.0,bl,botnets
1.170.10.0,24,wl
```

- wl or al means allowlist; bl means denylist (blacklist).
- Category names are optional. When not specified, the entry uses the F5BigIpiFeedlist CR property defaultDenyListCategory, or defaults to the additional category.
- Netmask can be specified in CIDR prefix-length notation, that is 16, 24 or 32. It can also be specified in IP address subnet mask notation (for example 255.0.0.0).
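As an added example (not part of the F5 documentation or product code), the following Python parser validates a feedlist file in the format above before it is published to the feed server: it accepts both CIDR and dotted netmask forms, maps wl/al/bl to list types, applies the CR's defaultDenyListCategory to denylist entries that have no category, and reports malformed lines with their line numbers. The sample feed is constructed, and the fallback category name "additional" is an assumption taken from the page's wording.

```python
import ipaddress

# Constructed sample feed, in the same format as the page's example file.
SAMPLE_FEED = """\
10.10.10.100,32,bl,spam_sources
20.20.20.1,24,al
20b:b02:2::,128,al
10.10.12.3,255.0.0.0,bl,botnets
1.170.10.0,24,wl
"""

# wl/al = allowlist; bl = denylist (the page's "reject (blacklist)" list).
LIST_MARKERS = {"al": "allowlist", "wl": "allowlist", "bl": "denylist"}


def parse_mask(addr: str, mask: str) -> int:
    """Accept a CIDR prefix length ("24") or a dotted IPv4 subnet mask ("255.0.0.0")."""
    if mask.isdigit():
        return int(mask)
    if ":" in addr:
        raise ValueError("dotted subnet masks are only valid for IPv4 entries")
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def parse_feedlist(text: str, default_deny_category: str = "additional"):
    """Return (entries, errors): entries are (network, list_type, category) tuples,
    errors are (line number, reason) tuples. default_deny_category stands in for the
    CR's defaultDenyListCategory; the "additional" fallback name is an assumption."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines carry no entry
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) not in (3, 4):
            errors.append((lineno, "expected addr,mask,list[,category]"))
            continue
        addr, mask, marker = fields[:3]
        list_type = LIST_MARKERS.get(marker.lower())
        if list_type is None:
            errors.append((lineno, f"unknown list marker {marker!r}; use al, wl or bl"))
            continue
        try:  # strict=False clears host bits, e.g. 10.10.12.3/255.0.0.0 -> 10.0.0.0/8
            network = ipaddress.ip_network(f"{addr}/{parse_mask(addr, mask)}", strict=False)
        except ValueError as exc:
            errors.append((lineno, f"bad address or mask: {exc}"))
            continue
        category = fields[3] if len(fields) == 4 else None
        if list_type == "denylist" and not category:
            category = default_deny_category  # page: no category -> defaultDenyListCategory
        entries.append((network, list_type, category))
    return entries, errors
```

Running the parser over a feed before it is published catches the typos (unknown markers, over-long prefixes, dotted masks on IPv6 rows) that would otherwise only surface in the f5ingress logs after the next poll.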
## Additional CRs

- F5BigIpiCategorylist
- F5BigIpiPolicy
## Feedback

To provide feedback and help improve this document, please email us at cnfdocs@f5.com.