Packet filter and port range

Question

I need to do packet filter rules with a dynamic port range like 1024 - 65535. However, the packet filter rule does not take the TCPDUMP format of:    
&nbsp;   ( dst portrange 1024-65535 )    
&nbsp;      
&nbsp;      
&nbsp;      
&nbsp;   In the GUI for packet filter rules, the rule expression:    
&nbsp;   ( proto TCP ) and ( src net 172.xx.xx.0/24 ) and ( dst host 10.xx.xx.xx ) and ( dst portrange 1024 )    
&nbsp;      
&nbsp;   will produce error:    
&nbsp;   Packet filter rule 'ServerTestInt_DC001_dynamic': unknown host 'portrange'    
&nbsp;      
&nbsp;      
&nbsp;      
&nbsp;   The expression seems to like:    
&nbsp;   ( dst port 1024 )    
&nbsp;      
&nbsp;   But not:    
&nbsp;   ( dst portrange 1024-65535 )    
&nbsp;      
&nbsp;      
&nbsp;      
&nbsp;   Has anyone ran across this before?  How can I implement a port range packet filtering?   
&nbsp;      
&nbsp;   Thanks for your help.

hooleylist · Answer

Hi Chuck, 
&nbsp;  
&nbsp; I'm not sure why the packet filters don't support the portrange keyword.  I saw the same error on 10.0.1.  'b packet filter help' on a 10.0.1 unit shows: 
&nbsp;  
&nbsp; The BIG-IP system packet filters are based on the Berkeley Software Design Packet Filter (BPF) architecture. 
&nbsp;  
&nbsp; Maybe BPF doesn't support portrange?  If you don't find a solution for using packet filters and the traffic you want to restrict to a port range is passing through a VIP, you could use an iRule to restrict access using [TCP::local_port] &gt; 1024 &amp;&amp; [TCP::local_port] &lt; 65535. 
&nbsp;  
&nbsp; Aaron

chuck_16066 · Answer

Aaron, thanks for the info.  I'll do some more research. 
&nbsp;  
&nbsp; The iRules sounds like a good idea.  I am trying to filter traffic from a VLAN, kind of like an ACL or firewall.  So it doesn't always pass through a VIP.  Do you think iRules will still work? 
&nbsp;  
&nbsp; --chuck

hooleylist · Answer

Hi Chuck, 
&nbsp;  
&nbsp; iRules can only be applied on VIPs.  So if you had a default SNAT, a NAT, or other non-VIP object handling the traffic an iRule wouldn't allow you to restrict access. 
&nbsp;  
&nbsp; You might try opening a case with F5 Support and ask whether there is a way to specify a port range with packet filters.  If not, they should be able to open a request for enhancement. 
&nbsp;  
&nbsp; Aaron

chuck_16066 · Answer

Aaron, 
&nbsp;  
&nbsp; Thanks for the info.  I will make a feature request/enhancement with F5. 
&nbsp;  
&nbsp; --chuck

Forum Discussion

Packet filter and port range

4 Replies

Recent Discussions

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

[ASM] - what is "Browser Challange file" ?

LDAPS and renegotiation

Related Content

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

Assistance with iRule using port ranges

Automating Packet Captures on BIG-IP

F5 packet buffer