Forum Discussion
iRule To Control Access Based on Source and Destination Addresses
- Mar 11, 2014
You seem to have a good grasp, however I don't think I was paying enough attention when I made my other update. I only mentioned /Common/dg_ftp_out as you had referenced it but not defined it. I don't really see that it's necessary - you could get away with what's below instead:
when CLIENT_ACCEPTED {
    if { !([class match [IP::client_addr] equals dg_allowed_ftp_sources] && [class match [IP::local_addr] equals dg_allowed_ftp_destinations]) } {
        discard
        return
    }
}
Hi
Thanks for the reply - I almost get it I think...
set ftp_acl [class match -value [virtual name] equals /Common/dg_ftp_out]
This statement is creating a variable based on matching a virtual server name and a source or destination address inside of the dg_ftp_out group?
if { ![class exists $ftp_acl] } { discard; return }
Then, this statement is saying that if the traffic does not match this variable, then discard it?
elseif {![class match [IP::client_addr] equals $ftp_acl] } {
Finally, this applies a filter on the client IP address (the source's IP address, so 192.168.1.15 or 192.168.1.20?), saying that if the client IP address is not listed in the ftp_acl variable then traffic is not to be permitted?
With this in mind, my dg_ftp_out group needs to contain the following:
data-group internal /Common/dg_ftp_out
    records {
        /Common/vs_ftp_out {
            data dg_allowed_ftp_sources
            data dg_allowed_ftp_destinations
        }
    }
    type string
I'll test this and see if it works, but can you just confirm if I have the logic correct?
Ideally I would like to do this for most of the traffic I have to permit outbound, so that means creating a new Virtual Server and applying the same iRule but changing the data groups and protocols involved. If I can do it like this I think I can make the BIG-IP into an effective firewall, and I'll be able to document a process for adding new rules/troubleshooting for my colleagues (and me, a few months down the line) to reference.
Many Thanks
Jon
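As an added example (not code from either poster), this is one way to write the reusable, per-virtual-server variant Jon is describing: the virtual server name is the key in the string data group /Common/dg_ftp_out, and the value is assumed to hold the source and destination address data group names as a space-separated pair, so one iRule serves every outbound virtual server. Unknown virtual servers and missing data groups fail closed and every drop is logged.

```tcl
# Added example, not the thread's own code. Assumed record layout in the
# string data group /Common/dg_ftp_out (one record per virtual server):
#   /Common/vs_ftp_out { data "dg_allowed_ftp_sources dg_allowed_ftp_destinations" }
when CLIENT_ACCEPTED {
    # Look up which address data groups apply to the VS this iRule is attached to.
    set acl [class match -value [virtual name] equals /Common/dg_ftp_out]

    # No mapping (or a malformed one) for this virtual server: drop, do not fall open.
    if { $acl eq "" || [llength $acl] != 2 } {
        log local0. "ACL: no source/destination data groups mapped for [virtual name]; dropping [IP::client_addr]"
        discard
        return
    }
    set src_dg [lindex $acl 0]
    set dst_dg [lindex $acl 1]

    # Both referenced address data groups must exist, otherwise drop and log the misconfiguration.
    if { !([class exists $src_dg] && [class exists $dst_dg]) } {
        log local0. "ACL: data group $src_dg or $dst_dg does not exist; dropping [IP::client_addr]"
        discard
        return
    }

    # Permit only when the source AND the destination are both listed.
    if { !([class match [IP::client_addr] equals $src_dg] && [class match [IP::local_addr] equals $dst_dg]) } {
        log local0. "ACL: denied [IP::client_addr] -> [IP::local_addr] on [virtual name]"
        discard
        return
    }
}
```

Adding a new outbound rule then means one new virtual server, one new record in dg_ftp_out and two address data groups, with no change to the iRule itself.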