Forum Discussion
cammy_178041
Nimbostratus
Apr 21, 2015
Need an irule to block incoming connections if not matching a defined data group of addresses
Hi
I am trying to create an irule to block incoming smtp connections unless the originating IP is part of the block of IP addresses I have created in a data group. Where can I find this? Sorry -...
cammy_178041
Nimbostratus
Apr 21, 2015
Thanks, the rule is being applied to the smtp virtual server which is only port 25. I wrote it like so:

when CLIENT_ACCEPTED {
    if { [matchclass [IP::client_addr] equals trusted_networks] } {
        pool smtp_pool
    } else {
        reject
    }
}

Where trusted_networks is the data group and smtp_pool is the pool associated with the virtual server. I applied this irule to the VS.
DEJ
Nimbostratus
Apr 21, 2015
Looks good. I do have a suggestion. I'm guessing you're on 10.x code; if you're using 9.x, ignore the rest of this. Switch to using 'class match' instead of 'matchclass'; from posts I've seen, it can cause issues when you migrate to 11.x code. There are also tests posted online indicating class match has better performance. Links used for research below:
https://devcentral.f5.com/articles/comparing-irule-control-statements
https://devcentral.f5.com/wiki/irules.matchclass.ashx
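
The rule from this thread rewritten with 'class match', as an added example that is not code from either poster. It assumes trusted_networks is an address-type data group and smtp_pool is the pool named above; the log statement and its local0 facility are additions for visibility into refused sources.

```tcl
# Added example: source-address allowlist for the SMTP virtual server.
# Assumes the data group (trusted_networks) and pool (smtp_pool) named in the thread.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals trusted_networks] } {
        # Client address falls inside a host or subnet entry of the data group.
        pool smtp_pool
    } else {
        # Record the refused source before resetting the connection
        # (assumption: local0 is the facility you collect iRule logs from).
        log local0. "SMTP connection refused from [IP::client_addr]:[TCP::client_port]"
        reject
    }
}
```

On a listener that sees a lot of unsolicited traffic, per-connection logging adds load, so the log line may need to be removed or sampled once the allowlist is confirmed to work.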