passive ftp (4 topics)

Recommendation for irule to filter specific Ports
Hi, I'm trying to apply an iRule for passive ports (F5 LTM 11.0). In a KB article I found an iRule like this (start-port and end-port are placeholders for the passive data port range; I have put them in static variables so the rule parses):

    when RULE_INIT {
        # Placeholders: replace with the first and last port of the passive data range
        set static::start_port 10090
        set static::end_port 10100
    }
    when CLIENT_ACCEPTED {
        # Accept only connections whose destination port is inside the passive range
        if { ([TCP::local_port] >= $static::start_port) && ([TCP::local_port] <= $static::end_port) } {
            pool app_pool
        } else {
            reject
        }
    }

But I think if I set this for every web server (we have many pools), I would have to make an iRule for every pool, and that does not seem to make sense (but if you think it makes sense, please let me know), because I only want that if a user connects to the IP and the connected port is in the condition, the connection is accepted to the pool configured in the Virtual Server. Anyone have any suggestion? Please help...

Log source IP address
Hi, we have an FTP and SFTP server farm load-balanced by GTM and LTM appliances. Since it is FTP (port 21) and SFTP (port 22), the clients/sources that try to connect to the Wide IP (GSLB site) pass through the GTM and LTM (based on the load-balancing methods) and end up on any of the server nodes, as designed. However, since the LTM VIP is the one that connects to the server nodes (within the pool), these end server nodes see the LTM VIP IP as the source IP and have no trace of the actual connecting source IP addresses. We did some research and it looks like the source IP can be traced/logged through the HTTP headers for HTTP traffic, but that is not possible for FTP or SFTP traffic. Can someone please suggest an option where:

1. Either the destination servers can retrieve and log the source IP addresses, or
2. At least the LTM can log the source IP address with timestamps.

Thank you in advance! -- Nirmal

Age old passive FTP questions
Just realized I posted this in discussions vs. questions. Re-posting.

This has probably been beaten down enough at this point, but I can't seem to find the answer anywhere. Here is the setup:

FTP server: just an Ubuntu vsftpd server listening on port 21 with passive data ports set to the range 10090-10100. This is working as expected (prior to introducing the F5).

Virtual server: listening on port 21 with the default TCP profile and a custom FTP profile with the data port set to 0. The member is the FTP server on port 21. Passive FTP also works through this virtual server just fine.

Here is my issue. When my FTP server responds with the passive port to use, let's say 10100, the F5 translates that port within the packet to a random ephemeral port. The client does as it's told and transfers the data over that random port, the F5 handles the port translation back to port 10100 for my FTP server on the back end, and everything works fine. But my problem is I need the client to connect to the actual port presented within the FTP passive response from my FTP server, for firewall access-list reasons. I've tried the following:

- disabled port translation on the virtual server
- turned off CMP for that virtual server (found an article that referenced this possibly causing the issue)
- changed the member from ip.addr:21 to ip.addr:0 (didn't think that would do it, but tried just for the hell of it)
- changed the custom FTP profile to a specific data port of 10100 and set my FTP server to only use port 10100 as the passive FTP port

In each case, the F5 still changes that passive port to another port when sending the response packet to the client. I have pcaps that show exactly what is happening and can reproduce it every time. To anyone who has any insight into this, I would be GREATLY appreciative. Thanks all -GR

Passive FTP session load balancing from the same client
I have a situation that I cannot figure out and I need some help. I have a virtual server set up for passive FTP load balancing to a pool of four members. Right now it is set up as Performance (Layer 4), TCP, and a service port of 0. I have source-address-translation set to automap and a protocol profile of fastL4 with a 3600 second timeout. I have source_addr persistence with Mirror Persistence, Match Across Services, and Match Across Virtual Servers all checked. There is also an iRule on there that looks like this, to only accept the 50000-50020 range and port 21. Right now there is really only one client FTPing in and doing gets over four sessions. The problem I have is I would like to see each of his sessions load balanced to a different server in the pool. Can I do this? And how would I do it?

    when CLIENT_ACCEPTED {
        # Allow the passive data range 50000-50020 and the control port 21; drop everything else
        if { ([TCP::local_port] >= 50000 && [TCP::local_port] <= 50020) || [TCP::local_port] == 21 } {
            # allowed: fall through to the virtual server's default pool
        } else {
            drop
        }
    }