Locking down the ports of a Wildcard FTPS Server
Hey guys. I recently set up a wildcard FTPS server per the following:
https://support.f5.com/kb/en-us/solutions/public/9000/300/sol9347.html
After some playing with it, I finally got this working, and it works quite well so far. But I have a security concern. This is acting as a reverse proxy from my WAN side. Now, I certainly have NAT set up to only allow the appropriate ports in from the WAN, but since this is a wildcard server it will respond to any request on any port. I recall reading about a way to code in some logic that basically says "if the port does not equal x or y-z (in this case my control port and then my data port range), then deny." But I do not remember where I saw this or how to do it. Could someone please provide some guidance on this?
Thanks all!
I actually found and modified an iRule to fit my needs. If anybody comes looking here in the future for an answer, here is my iRule:
when CLIENT_ACCEPTED {
    # Only the FTPS control port and the passive data port range reach the pool;
    # any other port that hits the wildcard virtual server is rejected.
    # Replace XXXXXX and YYYYYY with the low and high ends of your data port range.
    # Tcl's && binds tighter than ||, so the range test is grouped explicitly here.
    if { ([TCP::local_port] == 21) || (([TCP::local_port] >= XXXXXX) && ([TCP::local_port] <= YYYYYY)) } {
        pool FTPS_POOL_NAME
    } else {
        reject
    }
}
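Because iRule conditions are plain Tcl expressions, the allow/deny test can be checked in tclsh before it is loaded onto the BIG-IP, which is the easiest way to catch an off-by-one at the edges of the data port range or a misgrouped `||`/`&&`. The following is an added example, not the poster's iRule and not F5 code; the control port and the data range 50000-50100 are assumed values standing in for the XXXXXX/YYYYYY placeholders above, and the list of ports tested is constructed.

```tcl
# Assumed values: replace with your own control port and passive data port range.
set control_port 21
set data_low     50000
set data_high    50100

# Same predicate the iRule's if-clause evaluates, with [TCP::local_port]
# replaced by an argument so it can be run outside the BIG-IP.
proc allowed {port} {
    global control_port data_low data_high
    # && binds tighter than ||, so "a || b && c" already means "a || (b && c)";
    # the parentheses just make that grouping explicit.
    return [expr { $port == $control_port || ($port >= $data_low && $port <= $data_high) }]
}

# Constructed set of destination ports a wildcard virtual server might see:
# the control port, SSH, implicit FTPS (990), and both edges of the data range.
foreach port {21 22 990 49999 50000 50100 50101} {
    puts [format "%-6d %s" $port [expr {[allowed $port] ? "pool" : "reject"}]]
}
```

Run it with `tclsh check_ports.tcl`: 21, 50000 and 50100 should print `pool`, everything else `reject`. If 49999 or 50101 comes back as `pool`, or 50000/50100 as `reject`, the range bounds or comparison operators in the iRule need adjusting before it goes live. Note that implicit FTPS on 990 is rejected by this policy; if clients use that mode, it needs its own clause.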