FTP_ Proxy_LITE

Problem this snippet solves:

Summary: Simple FTP Proxy iRule to emulate FTP proxy functionality found in Bluecoat and/or Ironport proxies. Contributed by: Bhattman @ gmail dot com

How to use this snippet:

How it works

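The FTP client (CuteFTP, WS_FTP, etc.) is configured to explicitly point to an FTP Proxy VIP on port 21 that has the iRule below attached, and to use the authentication type USER@. The iRule strips the @ and the address after it from the USER command, uses that address to direct the FTP traffic to the remote site, and passes the bare username on to that server, thus allowing FTP connectivity.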

Special Considerations

If the FTP site is remote from the F5 ADC, consider Autosnat, either in the iRule or configured at the VIP level.

Limitations

Written to work in v9.3.0. Does not perform hostname lookups; an IP address must be used to connect to the remote FTP server. Since the remote FTP server is connected on demand, no health checks are performed. The v10 version is located here: http://devcentral.f5.com/wiki/default.aspx/iRules/FTP_Proxy_v10.html

Additional Notes

Feel free to make improvements, such as adding the ability to use hostnames, which will involve lookups. This might also require https://support.f5.com/kb/en-us/solutions/public/8000/400/sol8437.html to make hostname resolution work.

Code :

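when CLIENT_ACCEPTED {
    # Send the FTP greeting from the proxy; no server has been selected yet
    TCP::respond "220 Welcome to the F5 FTP Proxy\r\n"
    log local0. "client accepted"
    TCP::collect
}

when CLIENT_DATA {
    set ftplogin [TCP::payload]
    if { $ftplogin starts_with "USER" } {
        set cuser [TCP::payload]
        # Split "USER uid@address" at the first @; scan returns the number of fields it filled
        if { [scan $cuser {%[^@]@%s} garbage remote_ftp_site_addr] == 2 &&
             [scan $garbage %s%s cmd uid] == 2 } {
            # Forward only "USER uid" and connect to the requested address on the same port
            TCP::payload replace 0 [string length $cuser] "USER $uid\r\n"
            node $remote_ftp_site_addr [TCP::local_port]
        } else {
            # No uid@address present: drop the connection instead of using unset variables
            log local0. "malformed USER command, expected USER uid@address"
            reject
            return
        }
    }
    TCP::release
}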
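
The iRule connects to whatever address the client puts after the @, so an operator may want to check that value before calling node. The following is an added example in plain Tcl (runs in tclsh), not part of the contributed iRule; check_proxy_user and allowed_servers are hypothetical names and every address is constructed.

```tcl
# Added example in plain Tcl (tclsh); not the contributor's iRule.
# check_proxy_user and allowed_servers are hypothetical; all addresses are constructed.
set allowed_servers {192.0.2.10 198.51.100.25}

# Returns {ok uid addr} or {reject reason} for one client line.
proc check_proxy_user {line allowed} {
    # Same two scans as the iRule, with the conversion counts checked so a
    # line without "@" cannot leave the variables unset.
    if {[scan $line {%[^@]@%s} head addr] != 2} {
        return [list reject "no user@address"]
    }
    if {[scan $head %s%s cmd uid] != 2 || ![string equal -nocase $cmd USER]} {
        return [list reject "not a USER command"]
    }
    # The iRule does no hostname lookups, so accept a dotted quad only.
    if {![regexp {^\d{1,3}(\.\d{1,3}){3}$} $addr]} {
        return [list reject "address is not an IPv4 literal"]
    }
    # Forward only to servers the operator has listed.
    if {[lsearch -exact $allowed $addr] < 0} {
        return [list reject "server not in allowlist"]
    }
    return [list ok $uid $addr]
}

# Constructed client lines: valid, no "@", unlisted server, hostname, "@" in user.
foreach line [list \
        "USER alice@192.0.2.10\r\n" \
        "USER alice\r\n" \
        "USER alice@10.0.0.5\r\n" \
        "USER alice@ftp.example.com\r\n" \
        "USER a@b@192.0.2.10\r\n"] {
    puts [format "%-30s -> %s" [string trim $line] [check_proxy_user $line $allowed_servers]]
}
```

Because the first scan splits at the first @, a username that itself contains @ pushes part of the username into the address field, which the IPv4 check then rejects.
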
Published Mar 17, 2015
Version 1.0