Forum Discussion
Vijay_E
Jul 15, 2016 Cirrus
You can use packet-filters, AFM or iRules. For just a few IP addresses, I would say use an iRule. If you are looking for something along the lines of stateful filtering, AFM is a great solution, with packet-filters falling between the two solutions.
Your iRule looks good. Use the log statement to make sure the right IP address is being seen by the F5. Sometimes the original IP address may be masked by a proxy of some kind.
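    when CLIENT_ACCEPTED {
        # Reject any client whose source address is not in the ALLOWEDIPS data group
        if { not ( [class match [IP::client_addr] equals ALLOWEDIPS] ) } {
            # Log the address the F5 actually sees before dropping the connection
            log local0. "[IP::client_addr]"
            reject
        }
    }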
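An added example, not part of the original post, for the case mentioned above where a proxy masks the original address: the source address is checked as before, and only connections from a known proxy are checked again against the address that proxy reports in X-Forwarded-For. It assumes an HTTP profile on the virtual server and a hypothetical address data group named TRUSTED_PROXIES; ALLOWEDIPS is the data group from the post.

```tcl
# Added example. TRUSTED_PROXIES is a hypothetical address data group that
# lists the upstream proxies; ALLOWEDIPS is the data group from the post.
when CLIENT_ACCEPTED {
    # Source address as seen by the BIG-IP; this may be a proxy or NAT address.
    set src [IP::client_addr]
    set via_proxy [class match $src equals TRUSTED_PROXIES]

    if { !$via_proxy && ![class match $src equals ALLOWEDIPS] } {
        log local0.notice "rejected $src on [virtual name]: not in ALLOWEDIPS"
        reject
    }
}

when HTTP_REQUEST {
    # X-Forwarded-For is client-controlled unless a trusted proxy wrote it,
    # so it is only consulted for connections that arrived from such a proxy.
    if { $via_proxy } {
        set xff [HTTP::header value "X-Forwarded-For"]

        # Assumption: the trusted proxy appends the address it saw as the
        # last comma-separated entry; earlier entries are not trusted.
        set orig [string trim [lindex [split $xff ","] end]]

        # catch guards against a missing or malformed header value, which
        # is treated the same as an address that is not allowed.
        if { [catch { class match $orig equals ALLOWEDIPS } ok] || !$ok } {
            log local0.notice "rejected proxy=$src xff=\"$xff\" on [virtual name]"
            reject
        }
    }
}
```

The log lines record both the proxy address and the full header, which makes it easy to confirm from /var/log/ltm which address the F5 is actually matching.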