Forum Discussion
Kevin_Stewart
Oct 29, 2013 (Employee)
-
300-70,000 records is generally no problem for an iRule data group, or packet filters.
-
You could assign the source IP as the address value and the customer comments as its value in the data group. You'd probably want to create packet filter rules via TMSH so that you can add a description.
-
Me too. 😉
-
This is the sticky one. An iRule would allow the handshake before closing the connection. The packet filter would not. Usually that doesn't matter unless you're worried about a denial of service, and even then other built-in protection measures could help with that.
Here's the iRule (using a standard address-based data group):
when CLIENT_ACCEPTED {
    # Deny any client whose source address is not in the address data group
    if { not ( [class match [IP::client_addr] equals my_ftp_whitelist_dg] ) } {
        log local0. "Access attempt denied from [IP::client_addr]"
        reject
    }
}
A packet filter creation might look like this:
create / net packet-filter test-pf1 action accept order 6 rule "( src host 10.70.0.3 or src host 10.70.0.4 ) and ( dst port 21 )" description "test customer pf"
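As an added illustration (not code from the post or from F5), the script below models both approaches from the same customer list: it emulates the data-group lookup the iRule performs, returning the customer comment stored as the entry's value, and it renders the packet-filter rule expression in the form shown above. The whitelist contents are constructed, and the `src net X/len` form used for CIDR entries is an assumption to confirm against your BIG-IP version.

```python
import ipaddress

# Constructed sample whitelist: address (host or CIDR) -> customer comment,
# mirroring an address-type data group whose value field holds the comment.
FTP_WHITELIST = {
    "10.70.0.3": "Customer A - primary",
    "10.70.0.4": "Customer A - backup",
    "192.0.2.0/28": "Customer B - office range",
}

def _parse_entry(entry):
    # A bare host becomes a /32 (or /128) network so one code path handles both.
    return ipaddress.ip_network(entry, strict=False)

def lookup_whitelist(client_addr, whitelist=FTP_WHITELIST):
    """Return the comment of the most specific matching entry, or None.

    Mirrors the decision `class match [IP::client_addr] equals <dg>` makes in
    the iRule; None means the CLIENT_ACCEPTED handler would log and reject.
    """
    client = ipaddress.ip_address(client_addr)
    best = None
    for entry, comment in whitelist.items():
        net = _parse_entry(entry)
        if client.version == net.version and client in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, comment)
    return best[1] if best else None

def packet_filter_rule(whitelist=FTP_WHITELIST, dst_port=21):
    """Build the tmsh rule expression from the same entries.

    Hosts become `src host X`; CIDR entries become `src net X/len`
    (assumed libpcap-style syntax, to be verified on the target BIG-IP).
    """
    terms = []
    for entry in whitelist:
        net = _parse_entry(entry)
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"src host {net.network_address}")
        else:
            terms.append(f"src net {net.with_prefixlen}")
    return f"( {' or '.join(terms)} ) and ( dst port {dst_port} )"

if __name__ == "__main__":
    for src in ("10.70.0.3", "192.0.2.9", "203.0.113.5"):
        print(src, "->", lookup_whitelist(src) or "reject")
    print(packet_filter_rule())
```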