Forum Discussion
Restrict FTP access to requests on hostname.
At the moment, access to our HTTP and HTTPS sites is restricted to the hostname; this way, access via IP address is no longer possible. This is done using the policies under Local Traffic / Virtual Servers. The intention is to restrict access to the FTP servers in the same way. I would like to create something in the style of the HTTP policy rule:
"http-host host equals www.site.com forward select pool /Common/www-site-com-http"
This rule was generated after the upgrade where HTTP-Class was replaced by policies.
Does anyone have a suggestion?
1 Reply
Hi Willy,
FTP in its classic form does not support HOST-headers like HTTP does.
But a new RFC has been developed by Microsoft and was published in March 2014, with an added HOST-command extension (see RFC7151/Cap.3).
Unfortunately, support for this RFC is not widespread yet, so it would strongly depend on the FTP clients and servers you're going to use.
Besides the client/server support, F5 doesn't have explicit support for any FTP command, so you have to parse the FTP control channel with homegrown iRules to filter out connection attempts using missing or mismatching HOST names.
https://tools.ietf.org/html/rfc7151
Cheers, Kai
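The filtering decision described in the reply above, modelled in Python as an added example (it is not part of the original thread and is not an F5 iRule). The hostname `ftp.site.com`, the `PRE_HOST_COMMANDS` set and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample value: the only name clients may ask for.
ALLOWED_HOSTS = {"ftp.site.com"}
# Assumption: commands tolerated before HOST has been sent.
PRE_HOST_COMMANDS = {"FEAT", "NOOP", "QUIT"}


def parse_command(line: bytes):
    """Split one control-channel line into (VERB, argument)."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg.strip()


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 address or a bracketed IPv6 address."""
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_session(lines):
    """Return ('allow' | 'reject', detail) for a session's opening commands."""
    for line in lines:
        verb, arg = parse_command(line)
        if verb == "HOST":
            host = arg.lower().rstrip(".")  # hostnames compare case-insensitively
            if is_ip_literal(host):
                return "reject", "HOST is an IP literal"
            if host not in ALLOWED_HOSTS:
                return "reject", "HOST does not match an allowed name"
            return "allow", host
        if verb not in PRE_HOST_COMMANDS:
            # Covers USER, AUTH, etc. from clients that never send HOST.
            return "reject", f"{verb} sent before HOST"
    return "reject", "no HOST command seen"


if __name__ == "__main__":
    # Constructed sample session.
    print(check_session([b"FEAT\r\n", b"HOST ftp.site.com\r\n", b"USER demo\r\n"]))
```

This only works on a cleartext control channel; once a client negotiates TLS, the commands are not visible to an inline filter unless TLS terminates on it.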