Restrict FTP traffic on VIP to IP address or range
I have a contractor who requires FTP access to an FTP server on our network.
We have created a VIP that only allows traffic on port 21 to that server. We only want to allow an IP address or a range of IPs to access that specific server, and this is just a temporary access issue.
It is my understanding that we need to incorporate when CLIENT_ACCEPTED { into our iRule in order to accomplish this. I've found the following iRule, however it seems much more complex than what we're looking to do.
http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnNetworkOrHost.html
I was thinking that something like this below would work, but this iRule seems to check the login name rather than the IP address or network that traffic would be coming into via port 21.
when CLIENT_ACCEPTED {
    if { [matchclass [IP::remote_addr] equals $::aol] } {
        pool aol_pool
    } else {
        pool all_pool
    }
}
- kavan_49451 (Nimbostratus): Hello Guys
- Shane_Terrick_9 (Nimbostratus): I have enacted an iRule very similar to this and am wondering if failures log off anywhere to check.
- What_Lies_Bene1 (Cirrostratus): Add something like this after the reject command to create a log entry in /var/log/ltm, but note that this does present a small risk: someone making a large number of invalid requests could fill your logs and even your disk.
log local0. "Rejected FTP connection attempt from [IP::client_addr]."
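Putting the thread together, here is an added example (not code from the original post or from F5) of a CLIENT_ACCEPTED source-IP allowlist for the FTP VIP, with the rejection logging suggested above rate-limited per source through the session table so a flood of rejected connections cannot fill /var/log/ltm. It assumes a v10+ address-type data group named ftp_allowed_sources holding the contractor's hosts or networks; that name and the 60-second log interval are assumptions.

```tcl
# Added example, not from the original thread. Assumes an address-type
# data group named "ftp_allowed_sources" (hypothetical name) containing the
# contractor's IP addresses or networks, e.g. 203.0.113.10 or 198.51.100.0/24.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]

    # Allowed source: exit the event and let the connection continue to the
    # virtual server's default pool.
    if { [class match $src equals ftp_allowed_sources] } {
        return
    }

    # Anything else is rejected before the FTP banner is ever sent.
    # Log at most one line per source per 60 seconds (arbitrary interval):
    # the table entry expires on its own, so no cleanup is needed.
    set key "ftp_rejected_$src"
    if { [table lookup -notouch $key] eq "" } {
        table set $key 1 indefinite 60
        log local0. "Rejected FTP connection attempt from $src"
    }
    reject
}
```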