Adding ACL to filter traffic on LTM for incoming Traffic?

Question

Hi,&nbsp;
What's the best way to use ACL on f5 to filter incoming IP's?&nbsp;
I'm using this iRule, but its not working, any other suggestions?&nbsp;
when CLIENT_ACCEPTED 
{ 
if { not ( [class match [IP::client_addr] equals ALLOWEDIPS] ) } 
{ 
reject
} 
}&nbsp;
ALLOWEDIPS is a data group list with all the IPs....&nbsp;

gbam_190768 · Answer

The proper solution is to use AFM otherwise yes you can use iRules though I would really look into AFM.  &nbsp;

vijay_e · Answer

You can use packet-filters, AFM or iRules. For just a few IP addresses, I would say use iRule. If you are looking for something along the lines of a stateful filtering, AFM is a great solution with packet-filters falling between the 2 solutions. 
Your iRule looks good. Use the log statement to make sure the right IP address is being seen by the F5. Sometimes the original IP address may be masked by a proxy of some kind. 
when CLIENT_ACCEPTED { 
if { not ( [class match [IP::client_addr] equals ALLOWEDIPS] ) } { 
log local0. "[IP::client_addr]"
reject 
} 
}

Forum Discussion

Adding ACL to filter traffic on LTM for incoming Traffic?

2 Replies

Recent Discussions

Need help on i-rule to specific uri path

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Related Content

fellow traffic

Block traffic

Understanding Performance Metrics and Network Traffic

Traffic Intelligence in AFM through Categories

high cpu usage independent from Traffic