Forum Discussion

7 Replies

  • If you want to block ICMP for a virtual server address, you can define a packet filter which drops protocol ICMP for the VIP address:

    Action: discard

    Expression: ( proto ICMP ) and ( dst host 10.42.2.100 )

    Aaron
  • Here is an untested iRule way

     when CLIENT_ACCEPTED {
       # IP protocol number 1 is ICMP
       if { [IP::protocol] == 1 } { reject }
     }

    There is also another way which I have done on Linux only, but it applies to all addresses.

    As superuser, add the following lines to /etc/sysctl.conf:

    net.ipv4.icmp_echo_ignore_broadcasts = 1

    net.ipv4.icmp_echo_ignore_all = 1

    Then run the following command to cause it to take effect immediately:

    sysctl -p

    This change will persist through a reboot. But would need to be reset after an upgrade.

    Hope this helps

    CB

  • Is it safe to use packet filter? Will it have any adverse impact on the performance of the box?
  • Perhaps you need to log it to the ltm log file. If you apply this it may provide you with the information you need to block it.

     when CLIENT_ACCEPTED {
       # write the IP protocol number of each accepted connection to /var/log/ltm
       log local0. "The IP Protocol is [IP::protocol]"
       if { [IP::protocol] == 1 } {
         reject
       }
     }

    CB

  • c_p_i_o_17707
    Historic F5 Account
    Does "bigpipe virtual address arp disable" at the CLI suit your needs?
  • Aaron's solution of using packet filters is the only one that will work here. A virtual server consists of IP address AND port, which is what iRules run on. ICMP is to the virtual *address*. Different things. And since you can have multiple virtual servers on one IP address, there's no way to affect something done on a virtual address with an iRule that runs on a virtual server.

    Denny
  • Disabling ARP would also break all communication with any virtual server on the virtual address (unless the upstream network device had hardcoded arp entries, in which case the setting wouldn't matter).

    As for performance of packet filters, we have several large enterprise customers who routinely use them without issue. It's still a good idea to have a firewall between LTM and any insecure network.

    Aaron
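To make Aaron's packet filter expression and Denny's point concrete, here is an added example (not code from this thread or from F5): a small Python evaluator for a subset of the packet filter expression syntax (proto X, src/dst host A, and, or, parentheses), applied to constructed packets. The Packet type, the filter_action helper and the virtual_server_matches check are assumptions of this example, written to show why the filter discards ICMP to the VIP while leaving the TCP virtual server reachable, and why an iRule on a virtual server never sees ICMP.

```python
import ipaddress
from collections import namedtuple

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}  # IANA protocol numbers
PRECEDENCE = {"or": 0, "and": 1}                  # 'and' binds tighter than 'or'
Packet = namedtuple("Packet", "src dst proto dport", defaults=(None,))  # constructed; dport None for ICMP

def compile_filter(expr):
    """Compile a subset of the packet filter syntax (proto X, src/dst host A,
    and, or, parentheses) into a predicate over a Packet."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = [0]  # cursor shared by the nested parser functions
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]  # IndexError if the expression is truncated
    def parse_expr(min_prec=0):  # precedence climbing over and/or
        left = parse_primary()
        while peek() in PRECEDENCE and PRECEDENCE[peek()] >= min_prec:
            op = take()
            right = parse_expr(PRECEDENCE[op] + 1)
            left = (lambda l, r, o: lambda p: (l(p) and r(p)) if o == "and" else (l(p) or r(p)))(left, right, op)
        return left
    def parse_primary():
        tok = take()
        if tok == "(":
            inner = parse_expr()
            if take() != ")": raise ValueError("unbalanced parentheses")
            return inner
        if tok == "proto":
            num = PROTO_NUMBERS[take().lower()]
            return lambda p: p.proto == num
        if tok in ("src", "dst") and take() == "host":
            addr = ipaddress.ip_address(take())
            return lambda p, field=tok: ipaddress.ip_address(getattr(p, field)) == addr
        raise ValueError("cannot parse at token %r" % tok)
    pred = parse_expr()
    if peek() is not None: raise ValueError("trailing token %r" % peek())
    return pred

def filter_action(expr, packet, action="discard"):
    """Matching packets get the filter's configured action; all others are accepted."""
    return action if compile_filter(expr)(packet) else "accept"

def virtual_server_matches(packet, vs_addr, vs_port, vs_proto=6):
    """A virtual server is address AND port (AND L4 protocol); ICMP has no port, so it never matches one."""
    return packet.dst == vs_addr and packet.proto == vs_proto and packet.dport == vs_port

VIP_FILTER = "( proto ICMP ) and ( dst host 10.42.2.100 )"  # Aaron's expression
```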