FTP Active and Passive
If you have another IP to use for SNAT, you could set up an incoming VIP using a SNAT, and an outgoing VIP using the incoming SNAT address, using the incoming VIP as its SNAT. Both VIPs would be set up as listening on ANY, since you won’t know what port the passive client will use for the data connection and you won’t know which port the server will send to on the active connection. Basically you would be forwarding all ports hitting your incoming VIP to the FTP pool. The trick is listening for the new session the server creates in active FTP, for which the outbound VIP would forward all ports hitting it, SNAT’d back to the incoming VIP address. Not pretty, but it should work. If you’re handy with iRules, you may be able to snoop the TCP stream and lock the traffic down by client address, server address or both, and drop all others as an added layer of security.
My .02 cents anyway...
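
The control-channel snooping suggested in the post, sketched as an added Python example (not the poster's code and not an iRule): it reads the `PORT` command and the `227` passive reply to work out which data connection to permit, so the listeners need not accept every port from every address. Assumptions: the addresses are constructed documentation addresses, the `c2s`/`s2c` direction labels and the acceptance policy are hypothetical, and the addresses are taken as seen on one side of the SNAT.

```python
import re

# Control-channel messages that announce the data endpoint as h1,h2,h3,h4,p1,p2 (RFC 959).
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
PASV_RE = re.compile(r"^227 \D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _endpoint(groups):
    """Turn the six decimal fields into (ip, port); None if any field is not a byte."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def expected_data_flow(client_ip, server_ip, direction, line):
    """Return the (src, dst, dst_port) data connection a control line announces, else None."""
    if direction == "c2s":          # active mode: client sends PORT, server connects back
        m, owner, flow = PORT_RE.match(line), client_ip, (server_ip, client_ip)
    else:                           # passive mode: server replies 227, client connects in
        m, owner, flow = PASV_RE.match(line), server_ip, (client_ip, server_ip)
    ep = _endpoint(m.groups()) if m else None
    # Assumed policy: the announced address must belong to the announcing peer
    # and the port must be unprivileged; anything else is ignored.
    if ep is None or ep[0] != owner or ep[1] < 1024:
        return None
    return flow + (ep[1],)

def allowed_flows(client_ip, server_ip, control_lines):
    """Build the set of data connections permitted for one control session."""
    flows = set()
    for direction, line in control_lines:
        flow = expected_data_flow(client_ip, server_ip, direction, line.strip())
        if flow:
            flows.add(flow)
    return flows

# Constructed sample control session (documentation addresses, not from the post).
CLIENT, SERVER = "198.51.100.7", "203.0.113.10"
SAMPLE = [
    ("c2s", "PORT 198,51,100,7,195,80\r\n"),   # active: client listens on 50000
    ("s2c", "227 Entering Passive Mode (203,0,113,10,234,96)\r\n"),  # passive: 60000
    ("c2s", "PORT 192,0,2,99,195,81\r\n"),     # names a third-party address
    ("c2s", "PORT 198,51,100,7,0,22\r\n"),     # privileged port
]

if __name__ == "__main__":
    for src, dst, port in sorted(allowed_flows(CLIENT, SERVER, SAMPLE)):
        print(f"permit {src} -> {dst}:{port}; drop everything else")
```
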
