iRule To Control Access Based on Source and Destination Addresses

Hi

Thanks for the reply - I almost get it I think...

set ftp_acl [class match -value [virtual name] equals /Common/dg_ftp_out]

This statement is creating a variable based on matching a virtual server name and an source or destination address inside of the dg_ftp_out group?

if {![class exists $ftp_acl] } ( discard return }

Then, this statement is saying that if the traffic does not match this variable, then discard it?

elseif {![class match [IP::client_addr] equals $ftp_acl] } {

Finally, this applies a filter on the client IP address (the sources IP address, so 192.168.1.15 or 192.168.1.20?), saying that if the client IP address is not listed in the ftp_acl variable then traffic is not to be permitted?

With this in mind, my df_ftp_out group needs to contain the following:

data-group internal /Common/dg_ftp_out
  records {
    /Common/vs_ftp_out {
       data dg_allowed_ftp_sources
       data dg_allowed_ftp_destinations
       }
    }
  type string

I'll test this and see if it works, but can you just confirm if I have the logic correct?

Ideally I would like to do this for most of the traffic I have to permit outbound, so that means creating a new Virtual Server and applying the same iRule but changing the data groups and protocols involved. if I can do it like this I think I can make the BIG-IP into an effective firewall, and I'll be able to document a process for adding new rules/troubleshooting for my colleagues (and me, a few months down the line) to reference.

Many Thanks

Jon