Locking down the ports of a Wildcard FTPS Server
Hey guys. I recently set up a wildcard FTPS server per the following:
https://support.f5.com/kb/en-us/solutions/public/9000/300/sol9347.html
After some playing with it, I finally got this working, and it works quite well so far. But I have a security concern. This is acting as a reverse proxy from my WAN side. Now I certainly have NATing set up to only allow the appropriate ports in from the WAN, but this being a wildcard server, it will respond to any request over any port. I recall reading a way to code in some logic that basically says "If port does not equal x or y-z (in this case my control port and then data port range), then deny," but I do not remember where I saw this or how to do it. Could someone please provide some guidance on this?
Thanks all!
- Chase_Abbott (Employee)
You may be looking for an iRule similar to this?
https://devcentral.f5.com/s/feed/0D51T00006i7aY1SAI
I would prefer to place IP/port rules in a firewall (or AFM, if in play here), as it's much more streamlined and easy to troubleshoot, but you may not have this option.
Hello, and thanks for the quick answer. That MIGHT be something I can work with; however, AFM is licensed for my system. I will say, however, that I have never used AFM. Could you provide some documentation or guidance on how to achieve what I am looking for here?
Thank you!
I actually found/modified an iRule to fit my needs. If anybody in the future comes looking at this for an answer, here is my iRule:

    when CLIENT_ACCEPTED {
        # Accept only the FTPS control port (21) and the passive data-port range;
        # XXXXXX and YYYYYY are the low and high ends of that range.
        # Note that && binds tighter than || in Tcl expr, so the range test is
        # grouped explicitly here. Anything else arriving on the wildcard
        # virtual server is reset.
        if { ([TCP::local_port] == 21) || (([TCP::local_port] >= XXXXXX) && ([TCP::local_port] <= YYYYYY)) } {
            pool FTPS_POOL_NAME
        } else {
            reject
        }
    }
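As an added example (this is not the poster's or F5's code), the same allow-list written so that the ports live in one place and every rejected connection is logged. The control port 21 and the passive range 50000-50100 are assumed values for illustration; FTPS_POOL_NAME is the pool name from the thread, and the log prefix is my own.

```tcl
# Added example: port allow-list for a wildcard (port 0) FTPS virtual server.
# Assumed values: control port 21, passive data range 50000-50100.
when RULE_INIT {
    set static::ftps_ctrl_port 21
    set static::ftps_data_low  50000
    set static::ftps_data_high 50100
}

when CLIENT_ACCEPTED {
    # TCP::local_port is the destination port the client actually hit on the
    # wildcard virtual server.
    set lport [TCP::local_port]

    if { ($lport == $static::ftps_ctrl_port) ||
         (($lport >= $static::ftps_data_low) && ($lport <= $static::ftps_data_high)) } {
        pool FTPS_POOL_NAME
    } else {
        # Record who probed which port before resetting the connection, so
        # scans of the wildcard VS are visible in /var/log/ltm.
        log local0. "ftps-wildcard: rejected [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$lport"
        reject
    }
}
```

One caveat worth knowing when choosing between this and the firewall route Chase_Abbott suggested: on a standard virtual server CLIENT_ACCEPTED fires only after the BIG-IP has completed the TCP three-way handshake, so `reject` sends a RST on an already-established connection and a port scanner will still see every port on the wildcard VS as open for a moment. A firewall rule (AFM or an upstream device) drops the initial SYN instead, which is why it is the cleaner control when available.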