Forum Discussion

Norris_141656's avatar
Norris_141656
Icon for Nimbostratus rankNimbostratus
Mar 10, 2014

iRule To Control Access Based on Source and Destination Addresses

Hi Guys I am trying to work on a iRule for a virtual server that permits traffic from a couple of devices behind the the BIG-IP (192.168.1.15 and 192.168.1.20) to a couple of FTP sites out on the i...
application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
LTM
security
  • IheartF5_45022's avatar
    IheartF5_45022
    Mar 11, 2014

    You seem to have a good grasp, however I don't think I was paying enough attention when I made my other update. I only mentioned /Common/dg_ftp_out as you had referenced it but not defined it. I don't really see that it's necessary - you could get away with what's below instead;-

    when CLIENT ACCEPTED {
   if {!([class match [IP::client_addr] equals dg_allowed_ftp_sources] && [class match [IP::local_addr] equals dg_allowed_ftp_destinations])} { 
      discard
      return
   }
}
Norris_141656's avatar
Norris_141656
Icon for Nimbostratus rankNimbostratus
Mar 13, 2014

This does the trick, thanks heaps! Unfortunately, performance kind of sucks at the moment - I have applied the same rule to a HTTP virtual server but it takes 2mins+ to load the webpages. Then, when I remove the iRule, it is fast again.

 

Dont worry about that though, ill get try and get to the bottom of it. Thanks again for your help!