Forum Discussion
iRule for FTP traffic
Hi all..
I'm looking to create the following iRule:
scans for traffic on port 21 (FTP) from source = proxy servers (10.1.1.1 & 10.1.1.2)
and destination: 212.10.10.10 and 212.11.11.11
Load balance to 1.1.1.1
else LB to default pool
Can someone give me an idea of what this iRule might look like?
Much appreciated.. :)
6 Replies
- Kevin_Stewart
Employee
Give this a shot:
    when CLIENT_ACCEPTED {
        if { ( ( [IP::addr [IP::client_addr] equals 10.1.1.1] )
               or ( [IP::addr [IP::client_addr] equals 10.1.1.2] ) )
             and ( ( [IP::addr [IP::local_addr] equals 212.10.10.10] )
               or ( [IP::addr [IP::local_addr] equals 212.11.11.11] ) ) } {
            pool proxy_pool
        } else {
            pool default_pool
        }
    }
- superd_88943
Nimbostratus
Thanks a million Kevin.. how would this look if I wanted to tie it down to TCP port 21 only?
:)
- superd_88943
Nimbostratus
Given the nature of FTP, I am using passive, i.e. the client makes both connections. Could it potentially become a problem if listening on port 21 only?
- superd_88943
Nimbostratus
I've tried implementing the following iRule but I'm getting some parse errors. Any idea where the syntax is wrong?
    when CLIENT_ACCEPTED {
        if { [[IP::client_addr] equals "10.10.10.10"]] and [[TCP::remote_port] equals "21"] } {
            node 10.9.9.9
            log local0. "FTP connection"
        } else {
            pool side-http
        }
    }
Another iRule I'm testing is for all FTP traffic, but for some reason I don't see it triggering:
    when CLIENT_ACCEPTED {
        if {[TCP::remote_port] != 21} {
            node 10.9.9.9
            log local0. "FTP connection"
        } else {
            pool side-http
        }
    }
Any feedback on either much appreciated!
- Kevin_Stewart
Employee
Just a thought, but your FTP VIP should have:
- An FTP profile defined - this I believe helps with the ephemeral port management, and
- Port 21 defined as the destination VIP
You shouldn't have to filter on the destination port in the iRule if it's defined in the VIP itself, and you'll find this much more challenging to do manually given the dual-port nature of the protocol.
- superd_88943
Nimbostratus
Thanks Kevin.. I'll check this out :)
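
Added example (not part of any post in this thread, and not F5's own code): one way to write the rule from the original question with balanced brackets and an explicit destination-port test, using the addresses from the question and the pool names from the first reply. It assumes a virtual server that accepts more than port 21; on a port 21 virtual server with an FTP profile, as the reply above recommends, the port test is redundant.

```tcl
# Added example. Addresses come from the original question; proxy_pool and
# default_pool are the pool names used in the first reply and must exist.
when CLIENT_ACCEPTED {
    # In the clientside context "remote" is the client and "local" is the
    # virtual server side. TCP::remote_port is the client's ephemeral source
    # port, so the listener (destination) port is TCP::local_port.
    set from_proxy 0
    foreach src {10.1.1.1 10.1.1.2} {
        # IP::addr compares addresses as addresses rather than as strings.
        if { [IP::addr [IP::client_addr] equals $src] } {
            set from_proxy 1
            break
        }
    }

    set to_ftp_vip 0
    foreach dst {212.10.10.10 212.11.11.11} {
        if { [IP::addr [IP::local_addr] equals $dst] } {
            set to_ftp_vip 1
            break
        }
    }

    if { $from_proxy && $to_ftp_vip && [TCP::local_port] == 21 } {
        # Record which proxy opened the control connection before selecting
        # the pool, so the decision is visible in the local0 log.
        log local0. "FTP control connection [IP::client_addr]:[TCP::remote_port] -> [IP::local_addr]:[TCP::local_port]"
        pool proxy_pool
    } else {
        pool default_pool
    }
}
```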