Forum Discussion

Norris_141656's avatar
Norris_141656
Icon for Nimbostratus rankNimbostratus
Mar 10, 2014

iRule To Control Access Based on Source and Destination Addresses

Hi Guys I am trying to work on a iRule for a virtual server that permits traffic from a couple of devices behind the the BIG-IP (192.168.1.15 and 192.168.1.20) to a couple of FTP sites out on the i...
application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
LTM
security
  • IheartF5_45022's avatar
    IheartF5_45022
    Mar 11, 2014

    You seem to have a good grasp, however I don't think I was paying enough attention when I made my other update. I only mentioned /Common/dg_ftp_out as you had referenced it but not defined it. I don't really see that it's necessary - you could get away with what's below instead;-

    when CLIENT ACCEPTED {
   if {!([class match [IP::client_addr] equals dg_allowed_ftp_sources] && [class match [IP::local_addr] equals dg_allowed_ftp_destinations])} { 
      discard
      return
   }
}
IheartF5_45022's avatar
IheartF5_45022
Icon for Nacreous rankNacreous
Mar 10, 2014

I think this would achieve the same....also you will need a /Common/dg_ftp_out

when CLIENT ACCEPTED {
   set ftp_acl [class match -value [virtual name] equals /Common/dg_ftp_out]
   if {![class exists $ftp_acl] } { 
      discard
      return
   } elseif {![class match [IP::client_addr] equals $ftp_acl] } { 
      discard
      return
   }
}