For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tskeel_217567's avatar
tskeel_217567
Icon for Nimbostratus rankNimbostratus
Feb 23, 2016

irule to restrict ftp and sftp destination

I need an irule to limit sftp and ftp destination ideally by hostname. If hostname is not possible I think IP would be ok.

This was my first attempt:

when CLIENT_ACCEPTED {
  if { !([matchclass [IP::local_addr] equals FTPWhitelist]) }{
    reject
      } 
}

I have one ip in FTPWhitelist but traffic to other sites is allowed.

Thanks

iRules
security

2 Replies

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account
    Feb 23, 2016
    I'm very confused. Where are you attaching the irule? To a forwarding vip? Or a vip with a single ip? Does the vip proxy multiple hostnames? Hostname won't be possible unless you do a sideband reverse DNS lookup, because the hostname is resolved by the client and only the ip comes to the BIGIP. Otherwise you can do it the way you are trying, or use packet filters, etc...
  • tskeel_217567's avatar
    tskeel_217567
    Icon for Nimbostratus rankNimbostratus
    Feb 23, 2016
    This is for a forward proxy virtual server. I attached the irule to virtual server with type "standard", I restricted the port and source destinations.