Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee

The most secure method is probably an IP filter rule. The unauthorized IPs wouldn't even complete a TCP handshake. You can alternately do this with an iRule and optionally a data group. Create an address-based data group (ex. my_ip_dg) and add the allowed IPs/subnets.

iRule:

when CLIENT_ACCEPTED {
    if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
        reject
    }
}

Keep in mind though that the iRule implementation will allow a full 3-way TCP handshake before rejecting the client.

seamlessfirework's avatar
seamlessfirework
Icon for Cirrus rankCirrus
Sep 11, 2023

Works for me, thanks a lot! Got a little improvement - VS Code said that. Put double dash after class match, like this

when CLIENT_ACCEPTED priority 60 {
    if { not ( [class match -- [IP::client_addr] equals [DataGroupName]] ) } {
        reject
    }
}