Forum Discussion
Joe_Pipitone
Feb 08, 2011 | Nimbostratus
Restrict FTP traffic on VIP to IP address or range
We're running BigIP LTM 9.4.7.
I have a contractor who requires FTP access to an FTP server on our network.
We have created a VIP that only allows...
hooleylist
Feb 08, 2011 | Cirrostratus
Hi Joe,
If you want to add source IP/subnet restrictions to that iRule you could create an address type datagroup with the allowed IPs/subnets and then add a check in CLIENT_ACCEPTED to see if the client IP is in the datagroup:
when CLIENT_ACCEPTED {
    # Check if client IP is not in the allowed_clients_datagroup
    if { not [matchclass [IP::client_addr] equals allowed_clients_datagroup] } {
        # Disallowed client IP, send a TCP reset
        reject
    }
}
Aaron
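An offline check of the allowlist decision described in the reply above, added here as an example and not part of the original thread or of F5's code. It models the "client IP in datagroup, else reset" logic so that a proposed list can be vetted before it is loaded. The entries are constructed documentation addresses written in CIDR form for convenience (not BIG-IP configuration syntax), and the function names and the /24 breadth limit are assumptions.

```python
import ipaddress

# Constructed sample entries standing in for the address datagroup contents.
ALLOWED_ENTRIES = ["203.0.113.10", "198.51.100.0/28"]


def load_allowlist(entries, min_prefix=24):
    """Parse entries; refuse malformed or overly broad ones.

    strict=True rejects entries with host bits set (e.g. 198.51.100.5/28),
    a common typo that silently widens or shifts the intended range.
    """
    nets = []
    for entry in entries:
        net = ipaddress.IPv4Network(entry, strict=True)
        if net.prefixlen < min_prefix:
            raise ValueError(f"{entry} is broader than /{min_prefix}")
        nets.append(net)
    return nets


def decision(client_ip, nets):
    """Mirror the iRule: accept if the source is in the list, else reset."""
    addr = ipaddress.ip_address(client_ip)
    return "accept" if any(addr in net for net in nets) else "reject"


def verify(nets, expectations):
    """Return (ip, expected, actual) for every case that does not match."""
    failures = []
    for ip, expected in expectations.items():
        actual = decision(ip, nets)
        if actual != expected:
            failures.append((ip, expected, actual))
    return failures


if __name__ == "__main__":
    allowlist = load_allowlist(ALLOWED_ENTRIES)
    # Constructed boundary cases: last address inside each entry and the
    # first address just outside it.
    cases = {
        "203.0.113.10": "accept",
        "203.0.113.11": "reject",
        "198.51.100.15": "accept",
        "198.51.100.16": "reject",
    }
    print(verify(allowlist, cases) or "allowlist behaves as expected")
```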