For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

KhalidSG_295331's avatar
KhalidSG_295331
Icon for Nimbostratus rankNimbostratus
Nov 27, 2017

iRule accept connection from specific IP

HI I have F5 LTM and i use it for exchange server only and i create a rule to restrict access to sub url the rule will accept connection from specific IP address and other ip address the connection...
application delivery
iRules
LTM
Kevin_Davies's avatar
Kevin_Davies
Icon for Nacreous rankNacreous
Nov 27, 2017

Generally with iRules we want to target the most generic item first. Most of your clients will not be from that specific IP address. So to prevent your iRule from running unnecessary code for each request you should target that address first.

 

Because we can check the address at connection time this means we can decide whether to even run the HTTP code with event disable. This means we only perform the IP check once per connection instead of every single HTTP request in the original iRule. Then we run the HTTP code only if the address matches.

 

when CLIENT_ACCEPTED {
  if {[IP::client_addr] ne "192.168.7.106"} { event HTTP_REQUEST disable }
} 

when HTTP_REQUEST {
     now this only runs if the IP address matched above
    switch -glob [string tolower [HTTP::uri]] {
        "/microsoft-server-activesync*" {
            drop
        }        
    }
}

See the event disable command https://devcentral.f5.com/wiki/iRules.event.ashx

 

This iRule checks for the IP address. If it does not match it disables the HTTP_REQUEST event. This means the subsequent code inside that event will never run.