Forum Discussion
Adding ACL to filter traffic on LTM for incoming Traffic?
Hi,
What's the best way to use an ACL on F5 to filter incoming IPs?
I'm using this iRule, but it's not working. Any other suggestions?
    when CLIENT_ACCEPTED {
        # Reject any client whose source address is not in the ALLOWEDIPS data group
        if { not ( [class match [IP::client_addr] equals ALLOWEDIPS] ) } {
            reject
        }
    }
ALLOWEDIPS is a data group list with all the IPs....
2 Replies
- gbam_190768
The proper solution is to use AFM; otherwise, yes, you can use iRules, though I would really look into AFM.
- Vijay_E
You can use packet-filters, AFM or iRules. For just a few IP addresses, I would say use an iRule. If you are looking for something along the lines of stateful filtering, AFM is a great solution, with packet-filters falling between the 2 solutions.
Your iRule looks good. Use the log statement to make sure the right IP address is being seen by the F5. Sometimes the original IP address may be masked by a proxy of some kind.
    when CLIENT_ACCEPTED {
        if { not ( [class match [IP::client_addr] equals ALLOWEDIPS] ) } {
            # Log the client address the F5 actually sees before rejecting it
            log local0. "[IP::client_addr]"
            reject
        }
    }
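
A troubleshooting variant of the iRule discussed in this thread, added here as an example and not code posted by either participant. It assumes a TCP virtual server and that ALLOWEDIPS is an address-type data group; the "ACL:" log prefix and the log levels are illustrative choices.

```tcl
# Added example: allow-list iRule with decision logging for troubleshooting.
# Assumptions: TCP virtual server; ALLOWEDIPS is an address-type data group.
when CLIENT_ACCEPTED {
    # Source address as seen by the BIG-IP. If an upstream proxy or NAT sits
    # in front, this is the proxy/NAT address, not the original client.
    set client [IP::client_addr]

    # Fail closed, and say why, if the data group name does not resolve
    # (typo in the name, wrong partition, group not yet created).
    if { ![class exists ALLOWEDIPS] } {
        log local0.warning "ACL: data group ALLOWEDIPS not found on [virtual name], rejecting $client"
        reject
        return
    }

    if { [class match $client equals ALLOWEDIPS] } {
        # Allowed: log once per connection. Remove this line after
        # troubleshooting, since it writes an entry for every connection.
        log local0.info "ACL: allow $client to [IP::local_addr]:[TCP::local_port] on [virtual name]"
    } else {
        # Denied: record which address failed the lookup, then reset.
        log local0.notice "ACL: reject $client to [IP::local_addr]:[TCP::local_port] on [virtual name]"
        reject
    }
}
```

The entries are written to /var/log/ltm; comparing the logged address with the entries in the data group shows whether the lookup or the observed source address is the problem.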