Forum Discussion
I suppose the best way here depends on a few factors, particularly:
- What you mean by "huge" - I'd use a data group to support large sets of "rules" with an iRule, but that and packet filter rules can handle fairly large sets of data.
- What types of rules you'd need to implement - is it port/IP ranges? Static source IPs?
- Your comfort with PF rules and/or iRules - if using a data group with an iRule, the iRule itself would probably be pretty simple and management would fall to maintaining the data group.
- Where and how you need the traffic to be filtered - an iRule would allow a complete 3-way handshake before potentially denying a request. A packet filter would not allow the handshake at all.
You can technically add a description field to a packet filter rule with TMSH, but oddly that doesn't show up in the GUI (only the shell).
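An added example (not from the post above) of the data-group-backed iRule approach it describes: the rule logic stays tiny, and all the "rules" live in two data groups. The data group names `blocked_sources` and `blocked_ports`, the sample addresses and ports, and the tmsh commands in the comments are assumptions for illustration.

```tcl
# Assumed data groups (constructed sample records), created with tmsh, e.g.:
#   tmsh create ltm data-group internal blocked_sources type ip \
#       records add { 203.0.113.0/24 { } 198.51.100.7 { } }
#   tmsh create ltm data-group internal blocked_ports type integer \
#       records add { 23 { } 2323 { } }
# Day-to-day management is then "modify ltm data-group ..." with no iRule change.

when CLIENT_ACCEPTED {
    # Note: this event fires after the TCP 3-way handshake has completed,
    # which is the trade-off versus a packet filter mentioned above.
    set src [IP::client_addr]
    set dport [TCP::local_port]

    # Address-type data group: CIDR entries cover whole source ranges.
    if { [class match $src equals blocked_sources] } {
        log local0. "deny src=$src:[TCP::client_port] dst=[IP::local_addr]:$dport reason=blocked_sources"
        reject
        return
    }

    # Integer-type data group: destination ports that should never be served.
    if { [class match $dport equals blocked_ports] } {
        log local0. "deny src=$src dst=[IP::local_addr]:$dport reason=blocked_ports"
        reject
        return
    }
}
```

The `log local0.` lines give you a record of every denied connection in /var/log/ltm, which a packet filter rule would only provide if logging is enabled on it.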