Forum Discussion

jmanya_44531
Jun 29, 2014

Packet Filter to allow just Self IP communication

Hello friends,


Need to validate some configuration of packet filter.


Because I have two GTMs which need to communicate with each other using ports 22 and 4353, I must configure those Self IPs to at least "Allow Default" in the Port Lockdown. The problem here is that those Self IPs are public IPs and so they are exposed to the world. I cannot open port 22 due to the lack of security, so I have decided to configure a Packet Filter to allow only Self IP communication using ports 22 and 4353.


What if I select "Discard" as the Unhandled Packet Action when enabling the packet filter? Is it going to stop the other traffic?


Thanks in advance

Regards

JM


1 Reply

  • I have decided to configure a Packet Filter to allow only Self IP communication using ports 22 and 4353.

    This is my testing, assuming 172.28.24.1 is a trusted source IP from the external VLAN.

     Config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys db one-line |grep packetfilter
    sys db packetfilter { value "enable" }
    sys db packetfilter.allow.arp { value "enable" }
    sys db packetfilter.allow.important.icmp { value "enable" }
    sys db packetfilter.defaultaction { value "accept" }
    sys db packetfilter.defaultlog { value "disable" }
    sys db packetfilter.established { value "disable" }
    sys db packetfilter.sendicmperrors { value "disable" }
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list net packet-filter-trusted
    net packet-filter-trusted {
        ip-addresses { 172.28.24.1 }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list net packet-filter
    net packet-filter drop_22 {
        action reject
        order 5
        rule "( ( ip proto TCP or ip6 proto TCP )  ) and ( dst port 22 )"
        vlan external
    }
    
     SSH from 192.168.207.92
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni external:nnn -s0 port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on external:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes
    21:31:48.869679 IP 192.168.207.92.64431 > 172.28.24.11.22: S 4099431234:4099431234(0) win 8192 (mss 1260,nop,wscale 8,nop,nop,sackOK) in slot1/tmm1 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
    21:31:48.869709 IP 172.28.24.11.22 > 192.168.207.92.64431: R 0:0(0) ack 4099431235 win 0 out slot1/tmm1 lis= flowtype=134 flowid=57005A571700 peerid=0 conflags=20 inslot=63 inport=55 haunit=0 priority=0 rst_cause="[0x19c31f8:1129] Packet filter (reject)" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
    
     SSH from 172.28.24.1
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni external -s0 port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on external, link-type EN10MB (Ethernet), capture size 65535 bytes
    21:32:28.809053 IP 172.28.24.1.57974 > 172.28.24.11.22: S 1580176754:1580176754(0) win 5840 (mss 1460,sackOK,timestamp 2820769471 0,nop,wscale 7) in slot1/tmm0 lis=
    21:32:28.811440 IP 172.28.24.11.22 > 172.28.24.1.57974: S 4205142154:4205142154(0) ack 1580176755 win 18460 (mss 1460,sackOK,timestamp 1029499504 2820769471,nop,wscale 7) out slot1/tmm0 lis=
    21:32:28.813215 IP 172.28.24.1.57974 > 172.28.24.11.22: . ack 1 win 46 (nop,nop,timestamp 2820769475 1029499504) in slot1/tmm0 lis=
    

    What if I select "Discard" as the Unhandled Packet Action when enabling the packet filter? Is it going to stop the other traffic?

    Yes, including traffic to virtual servers.
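
The reply above only rejects port 22, keeps the unhandled-packet action at "accept", and relies on the trusted list so the peer bypasses the rule. The following tmsh session is an added example, not part of the original thread or the reply, that extends the same approach to both ports the asker needs (22 and 4353). The VLAN name ("external") and the addresses (172.28.24.1 as the peer GTM, 172.28.24.11 as this unit) are taken from the reply; the filter name "gtm_peer_only" is an assumption chosen for illustration.

```tmsh
# Added example (not the reply author's configuration). Assumes the public
# self IP of this unit is 172.28.24.11 on VLAN "external" and the peer GTM
# self IP is 172.28.24.1.

# 1. Enable the packet filter but leave the unhandled-packet action at
#    "accept": as the reply notes, "discard" would also drop traffic that is
#    destined for virtual servers on the filtered VLAN.
modify sys db packetfilter value enable
modify sys db packetfilter.defaultaction value accept
modify sys db packetfilter.allow.arp value enable
modify sys db packetfilter.allow.important.icmp value enable

# 2. Trusted addresses bypass every packet-filter rule, so the peer GTM's
#    SSH (22) and iQuery (4353) sessions are never evaluated against the
#    reject rule below.
modify net packet-filter-trusted ip-addresses add { 172.28.24.1 }

# 3. Reject everything else aimed at 22 or 4353 on the public VLAN. Rules are
#    evaluated in ascending "order"; a low number makes this one fire before
#    any later accept rule you may add.
create net packet-filter gtm_peer_only {
    action reject
    order 5
    vlan external
    rule "( ip proto TCP or ip6 proto TCP ) and ( dst port 22 or dst port 4353 )"
}

save sys config

# 4. Verify from an untrusted host: the SYN should be answered with an RST
#    whose rst_cause reads "Packet filter (reject)", exactly as in the first
#    capture above, while the peer completes the three-way handshake.
#    tcpdump -nni external:nnn -s0 port 22 or port 4353
```

Two things to keep in mind: the self IP's Port Lockdown still has to permit 22 and 4353 (the packet filter can only take traffic away, not add it), and the trusted list exempts 172.28.24.1 from all rules, not just this one, so any other packet-filter rule on the unit will also be bypassed for that host. If a per-rule exemption is preferred, leave the trusted list empty and add "and not ( src host 172.28.24.1 )" to the rule expression instead.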