tskeel_217567
Feb 23, 2016

iRule to restrict FTP and SFTP destination

I need an iRule to limit SFTP and FTP destinations, ideally by hostname. If hostname is not possible, I think IP would be OK.

This was my first attempt:

when CLIENT_ACCEPTED {
  # Reject connections whose destination address is not in the FTPWhitelist data group
  if { !([matchclass [IP::local_addr] equals FTPWhitelist]) } {
    reject
  }
}

I have one IP in FTPWhitelist, but traffic to other sites is allowed.

Thanks

2 Replies

  • Josiah_39459
    Historic F5 Account
    I'm very confused. Where are you attaching the iRule? To a forwarding VIP? Or a VIP with a single IP? Does the VIP proxy multiple hostnames? Hostname won't be possible unless you do a sideband reverse DNS lookup, because the hostname is resolved by the client and only the IP comes to the BIG-IP. Otherwise you can do it the way you are trying, or use packet filters, etc.
  • This is for a forward proxy virtual server. I attached the iRule to a virtual server with type "standard"; I restricted the port and source destinations.
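
A diagnostic variant of the IP-based check discussed in this thread, as an added example that is not code from either poster. It assumes FTPWhitelist is an address-type data group, and it logs every decision so you can confirm which virtual server handled a connection and which destination address the iRule compared against the list.

```tcl
# Added example, not code from the thread. Assumes FTPWhitelist is an
# address-type data group and that this iRule is attached to the virtual
# server that actually receives the FTP/SFTP connections.
when CLIENT_ACCEPTED {
    # Destination the client connected to, as seen by this virtual server.
    set dst_ip   [IP::local_addr]
    set dst_port [TCP::local_port]

    if { [class match $dst_ip equals FTPWhitelist] } {
        # Allowed destination: log it so the allow path can be confirmed too.
        log local0.info "ftp-allow vs=[virtual name] src=[IP::client_addr] dst=$dst_ip:$dst_port"
    } else {
        # Destination is not in the data group: record it, then drop the connection.
        log local0.warning "ftp-deny vs=[virtual name] src=[IP::client_addr] dst=$dst_ip:$dst_port"
        reject
    }
}
```

If neither log line appears in /var/log/ltm for a connection that got through, that connection did not pass through the virtual server this iRule is attached to.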