I have decided to configure a Packet Filter that allows communication to the Self IPs only on ports 22 and 4353.
This is my test, assuming 172.28.24.1 is a trusted source IP on the external VLAN.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys db one-line |grep packetfilter
sys db packetfilter { value "enable" }
sys db packetfilter.allow.arp { value "enable" }
sys db packetfilter.allow.important.icmp { value "enable" }
sys db packetfilter.defaultaction { value "accept" }
sys db packetfilter.defaultlog { value "disable" }
sys db packetfilter.established { value "disable" }
sys db packetfilter.sendicmperrors { value "disable" }
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list net packet-filter-trusted
net packet-filter-trusted {
ip-addresses { 172.28.24.1 }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list net packet-filter
net packet-filter drop_22 {
action reject
order 5
rule "( ( ip proto TCP or ip6 proto TCP ) ) and ( dst port 22 )"
vlan external
}
SSH from 192.168.207.92 (not in the trusted list) — the SYN is answered with a RST whose rst_cause shows the packet filter reject:
[root@ve11a:Active:In Sync] config tcpdump -nni external:nnn -s0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes
21:31:48.869679 IP 192.168.207.92.64431 > 172.28.24.11.22: S 4099431234:4099431234(0) win 8192 (mss 1260,nop,wscale 8,nop,nop,sackOK) in slot1/tmm1 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
21:31:48.869709 IP 172.28.24.11.22 > 192.168.207.92.64431: R 0:0(0) ack 4099431235 win 0 out slot1/tmm1 lis= flowtype=134 flowid=57005A571700 peerid=0 conflags=20 inslot=63 inport=55 haunit=0 priority=0 rst_cause="[0x19c31f8:1129] Packet filter (reject)" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
SSH from 172.28.24.1 (trusted address) — the handshake completes:
[root@ve11a:Active:In Sync] config tcpdump -nni external -s0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external, link-type EN10MB (Ethernet), capture size 65535 bytes
21:32:28.809053 IP 172.28.24.1.57974 > 172.28.24.11.22: S 1580176754:1580176754(0) win 5840 (mss 1460,sackOK,timestamp 2820769471 0,nop,wscale 7) in slot1/tmm0 lis=
21:32:28.811440 IP 172.28.24.11.22 > 172.28.24.1.57974: S 4205142154:4205142154(0) ack 1580176755 win 18460 (mss 1460,sackOK,timestamp 1029499504 2820769471,nop,wscale 7) out slot1/tmm0 lis=
21:32:28.813215 IP 172.28.24.1.57974 > 172.28.24.11.22: . ack 1 win 46 (nop,nop,timestamp 2820769475 1029499504) in slot1/tmm0 lis=
What if I select "Discard" as the Unhandled Packet Action when enabling the packet filter? Will it stop all other traffic?
Yes, including traffic to virtual servers: with the default action set to discard, any packet that matches none of the packet-filter rules and does not come from a trusted address is dropped.