Forum Discussion
- gbam_190768Cirrus
The proper solution is to use AFM otherwise yes you can use iRules though I would really look into AFM.
- Vijay_ECirrus
You can use packet-filters, AFM or iRules. For just a few IP addresses, I would say use iRule. If you are looking for something along the lines of a stateful filtering, AFM is a great solution with packet-filters falling between the 2 solutions.
Your iRule looks good. Use the log statement to make sure the right IP address is being seen by the F5. Sometimes the original IP address may be masked by a proxy of some kind.
when CLIENT_ACCEPTED { if { not ( [class match [IP::client_addr] equals ALLOWEDIPS] ) } { log local0. "[IP::client_addr]" reject } }