For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Willy's avatar
Willy
Icon for Nimbostratus rankNimbostratus
Sep 01, 2016

Restrict FTP access to requests on hostname.

At this moment access to our http and https sites is restricted to the hostname, this way access via IP address is no longer possible. This is done using the policies under Local Traffic / Virtual Se...
access policy
application delivery
ftp
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Sep 03, 2016

Hi Willy,

 

FTP in its classic form does not support HOST-headers like HTTP does.

 

But a new RFC has been developed by Microsoft and was published in March 2014, with an added HOST-command extension (see RFC7151/Cap.3).

 

Unfortunately is the support for this RFC not widely spreaded yet. So that it would strongly depend on the FTP clients and servers you're going to use.

 

Beside of the client/server support. F5 doesn't have an explicit support for any FTP command. So you have to parse the FTP control-channel with homegrown iRules to filter out connection attemps using missing or mismatching HOST-names.

 

https://tools.ietf.org/html/rfc7151

 

Cheers, Kai