Need an irule to block incoming connections if not matching a defined data group of addresses

Question

Hi&nbsp;
I am trying to create an irule to block incoming smtp connections unless the originating ip is part of the block of ip addresss i have created in a data group.  Where can i find this? Sorry - new at this.&nbsp;

dej · Answer

Hello,
Edit - just realized I had [TCP::client_addr] instead of [IP:client_addr]
I'm relatively new as well, but you may want to try the below.  If the traffic is going to port 25 and the client IP is not included in your allow list, it is set to drop the traffic.  All others will go to the default pool, if one is set.
when CLIENT_ACCEPTED {
    Check if destination port is SMTP and the client IP is not in the allow list
    if {[[TCP::local_port] equals 25] and [class match [IP::client_addr] ne DATAGROUPNAME]}{
        Drop the traffic
        drop
}
}

dej_159363 · Answer

Hello,
Edit - just realized I had [TCP::client_addr] instead of [IP:client_addr]
I'm relatively new as well, but you may want to try the below.  If the traffic is going to port 25 and the client IP is not included in your allow list, it is set to drop the traffic.  All others will go to the default pool, if one is set.
when CLIENT_ACCEPTED {
    Check if destination port is SMTP and the client IP is not in the allow list
    if {[[TCP::local_port] equals 25] and [class match [IP::client_addr] ne DATAGROUPNAME]}{
        Drop the traffic
        drop
}
}

dej · Answer

I don't know where you are applying this iRule which is why I went ahead and specified the destination port.

dej_159363 · Answer

I don't know where you are applying this iRule which is why I went ahead and specified the destination port.

cammy_178041 · Answer

Thanks, the rule is being applied to the smtp virtual server which is only port 25.  I wrote it like so:
when CLIENT_ACCEPTED {&nbsp;
if { [matchclass [IP::client_addr] equals trusted_networks] } {&nbsp;
pool smtp_pool&nbsp;
} else {&nbsp;
reject&nbsp;
}
}&nbsp;
Where trusted_networks is the data group and smtp_pool is the pool associated with the virtual server.  I applied this irule to the VS.&nbsp;

Forum Discussion

Need an irule to block incoming connections if not matching a defined data group of addresses

7 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Question/Advice on iRule Remediating the Telerik (Unsafe Reflection Vulnerability (CVE-2025-3600)

Resetting to Factory Default

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Issue with IIS and Client Component Service Load balancing

Syslog Filter Configuration for Separating Audit and LTM logs.

Related Content

F5 Distributed Cloud - Traffic Steering based on Client IP Address

will the F5 log incoming connections into a log file?

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Addressing Shadow AI with F5 BIG-IP SSL Orchestrator

F5 Distributed Cloud Kubernetes Integration: Securing Services with Direct Pod Connectivity

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS