Forum Discussion

Joe_Pipitone
Feb 08, 2011

Restrict FTP traffic on VIP to IP address or range

We're running BigIP LTM 9.4.7.

I have a contractor who requires FTP access to an FTP server on our network.

We have created a VIP that only allows traffic on port 21 to that server. We only want to allow an IP address or a range of IPs to access that specific server, and this is just a temporary access issue.

It is my understanding that we need to incorporate when CLIENT_ACCEPTED { into our iRule in order to accomplish this. I've found the following iRule; however, it seems much more complex than what we're looking to do.

http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnNetworkOrHost.html

I was thinking that something like this below would work, but this iRule seems to check the login name rather than the IP address or network that traffic would be coming into via port 21.

    # Runs once per new TCP connection, before any payload is read.
    when CLIENT_ACCEPTED {
        # matchclass compares the client's source IP (IP::remote_addr) with the
        # entries of the "aol" data group (LTM 9.x syntax: $::<datagroup>).
        if { [matchclass [IP::remote_addr] equals $::aol] } {
            # Source address is in the data group: send it to aol_pool.
            pool aol_pool
        } else {
            # Any other source address: send it to all_pool.
            pool all_pool
        }
    }

  • Hello Guys,

    Thanks so much for the information :)

    Have a great weekend.

    Kavan
  • I have enacted an iRule very similar to this and am wondering if failures log off anywhere to check.
  • Add something like this after the reject command to create a log entry in /var/log/ltm, but note that this does present a small risk, since someone making a large number of invalid requests could fill your logs and even your disk:

    log local0. "Rejected FTP connection attempt from [IP::client_addr]."
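The allow-list the original question asks for, combined with the log line from the last comment, written out as an added example (not code from this thread or from F5): an LTM 9.x iRule for the port-21 virtual server that lets only the contractor's addresses through and rejects every other source. The data group name ftp_allowed, the addresses in it, and the 9.x class definition shown in the comment are assumptions for illustration; the matchclass ... $::name form is used because 9.4.7 predates the class match command of 10.x.

```tcl
# Added example for LTM 9.4.x, not part of the original thread.
#
# Assumed data group (class) of type "address", created beforehand in
# bigip.conf with the 9.x syntax (addresses are constructed, documentation
# ranges only):
#
#   class ftp_allowed {
#      host 203.0.113.10
#      network 198.51.100.0 mask 255.255.255.0
#   }
#
# The virtual server keeps its normal default pool; the rule only decides
# whether a new control connection (port 21) is allowed to reach it.
when CLIENT_ACCEPTED {
    # Source IP of the FTP control connection.
    set client [IP::client_addr]

    # matchclass does address/subnet matching against an address class, so a
    # single host and a whole network can live in the same data group.
    if { [matchclass $client equals $::ftp_allowed] } {
        # Allowed source: stop here and let the connection continue to the
        # virtual server's default pool.
        return
    }

    # For a single range and no data group, the same check can be written
    # without a class, e.g.:
    #   if { [IP::addr $client equals 198.51.100.0/24] } { return }

    # Everything else: record the attempt in /var/log/ltm, then send a TCP
    # reset. One line per rejected connection, so keep this log statement
    # only for the duration of the temporary access window.
    log local0. "Rejected FTP connection from $client to [IP::local_addr]:[TCP::local_port]"
    reject
}
```

The event fires on the control connection only; the contractor's data connections (active or passive) are set up by the FTP profile attached to the virtual, so test a directory listing and not just a login, once from an allowed address and once from a disallowed one, to confirm both the allow path and the reject path behave as intended. When the engagement ends, remove the contractor's entry from the data group rather than leaving the rule in place with stale addresses.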