Forum Discussion

Sree_87068
Apr 27, 2016

VIP listening on other ports other than defined

I have a Virtual Server which is hosting traffic from the internet and is hosting service ports SMTP & UDP 53. As per the vulnerability check, it's been found that the VIP is also open on SNMP and a couple of other ports. Can you restrict access to the other ports from outside through an iRule? Can anyone please advise on the same?


6 Replies

  • Vernon_97235
    Historic F5 Account

    Assuming you are talking about LTM Virtual Servers, it is useful to distinguish two concepts: a Virtual IP and a Virtual Server. A Virtual IP is just that: an IP address for which the BIG-IP may accept traffic. A Virtual Server is a Virtual IP, a port and a protocol. A BIG-IP will reject all traffic that matches a VIP but does not match a Virtual Server -- unless you change the global setting for this, but you have to go out of your way to do that. If, on the other hand, a wildcard VS (that is, a Virtual Server listening on all ports) is defined for a VIP, naturally, traffic for any port will be accepted. Finally, if a VIP matches a self-IP, the self-IP may accept local traffic. But you should avoid this type of configuration.


    Ordinarily you should not need an iRule or something similar to prevent traffic.


    • Sree_87068
      Thanks for your response. Apologies for not being clear in my query. I am referring to the Virtual Server. Currently the Virtual Server is defined as VIP:25 (TCP) & VIP:53 (UDP) on LTM running Ver 10.2.4. But during the scan it's been found the same VIP is also accepting on VIP:161 (TCP) & VIP:8080. As per my understanding the traffic must be dropped by LTM when traffic is destined to the VIP on a port which is not defined. Please do correct me if I am wrong.
  • LTM will not accept the traffic unless you defined it to accept (proxy thing). What do you see in the capture? Is 'not defined' traffic getting dropped at the VIP?

  • That behaviour certainly is unexpected. The BigIP itself should not answer on those ports, assuming that the virtuals are configured properly. I'm not sure whether this is even possible, but do you happen to have a bidirectional NAT in place for the same IP address the virtual is using? That NAT might be forwarding traffic not accounted for by the virtual to some server that will answer requests itself, for example SNMP (161/udp). Just an idea...

    HTH

    Martin
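The replies above boil the question down to a configuration audit: for each port the scanner saw open on the VIP, is there a defined Virtual Server that owns it, is a wildcard (port 0 / protocol any) virtual quietly accepting everything on that address, or does the VIP collide with a self-IP whose port lockdown decides instead? The Python below is an added example written for this thread; it is not code from the thread, from F5, or from any of the posters. It assumes the shape of `tmsh list ltm virtual` and `tmsh list net self` output shown in the constructed samples (the attribute names `destination`, `ip-protocol`, `address` and `allow-service` are assumed), and the scan findings and 203.0.113.x addresses are constructed to mirror the thread, not taken from a real device.

```python
"""Reconcile scanner-observed open ports on a VIP against the LTM virtual
servers (and self-IPs) actually defined for that address.

Added example for the thread above; not F5 code. The tmsh output format and
attribute names are assumptions, and all sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in the assumed shape of `tmsh list ltm virtual`.
TMSH_VIRTUALS = """\
ltm virtual vs_smtp {
    destination 203.0.113.10:25
    ip-protocol tcp
    mask 255.255.255.255
}
ltm virtual vs_dns {
    destination 203.0.113.10:53
    ip-protocol udp
    mask 255.255.255.255
}
ltm virtual vs_forward_any {
    destination 203.0.113.20:0
    ip-protocol any
    mask 255.255.255.255
}
"""

# Constructed sample in the assumed shape of `tmsh list net self`.
TMSH_SELFS = """\
net self self_ext {
    address 203.0.113.30/24
    allow-service default
}
"""

# Constructed scan findings mirroring the thread: (address, port, protocol).
SCAN_FINDINGS = [
    ("203.0.113.10", 25, "tcp"),
    ("203.0.113.10", 53, "udp"),
    ("203.0.113.10", 161, "tcp"),
    ("203.0.113.10", 8080, "tcp"),
]


@dataclass(frozen=True)
class Virtual:
    name: str
    address: str
    port: int        # 0 means the wildcard "any" port
    protocol: str    # "tcp", "udp" or "any"

    def accepts(self, address, port, protocol):
        """True if this virtual server would own a flow to address:port/protocol."""
        return (self.address == address
                and self.port in (0, port)
                and self.protocol in ("any", protocol))


# One top-level block: "<kind> <name> {" ... "}" at column 0 (assumed layout).
BLOCK_RE = re.compile(r"^(ltm virtual|net self) (\S+) \{\n(.*?)^\}", re.S | re.M)
ATTR_RE = re.compile(r"^\s+(\S+) (.+)$", re.M)   # "    key value" lines


def _blocks(text, kind):
    """Yield (name, {attr: value}) for each block of the given kind."""
    for k, name, body in BLOCK_RE.findall(text):
        if k == kind:
            yield name.split("/")[-1], dict(ATTR_RE.findall(body))


def parse_virtuals(text):
    """Extract destination address, port and protocol of every virtual server."""
    virtuals = []
    for name, attrs in _blocks(text, "ltm virtual"):
        dest = attrs["destination"].split("/")[-1]   # drop a /Common/ prefix if present
        address, _, port = dest.rpartition(":")
        port = 0 if port in ("0", "any") else int(port)
        proto = attrs.get("ip-protocol", "tcp")      # assume tcp when omitted
        virtuals.append(Virtual(name, address, port, proto))
    return virtuals


def parse_selfs(text):
    """Return {self_ip_address: allow-service setting} from net self output."""
    return {attrs["address"].split("/")[0]: attrs.get("allow-service", "default")
            for _, attrs in _blocks(text, "net self")}


def unexplained_findings(virtuals, findings):
    """Scan hits that no defined virtual server accounts for: these need a closer look."""
    return [f for f in findings if not any(v.accepts(*f) for v in virtuals)]


def wildcard_virtuals(virtuals):
    """Virtuals listening on all ports or all protocols, the case Vernon warns about."""
    return [v.name for v in virtuals if v.port == 0 or v.protocol == "any"]


def self_ip_overlap(virtuals, selfs):
    """VIP addresses that are also self-IPs, where port lockdown rather than a virtual answers."""
    return sorted({(v.address, selfs[v.address]) for v in virtuals if v.address in selfs})


if __name__ == "__main__":
    vs = parse_virtuals(TMSH_VIRTUALS)
    print("unexplained:", unexplained_findings(vs, SCAN_FINDINGS))
    print("wildcard virtuals:", wildcard_virtuals(vs))
    print("VIP/self-IP overlap:", self_ip_overlap(vs, parse_selfs(TMSH_SELFS)))
```

On the constructed data the check reports 161/tcp and 8080/tcp on 203.0.113.10 as unexplained by any virtual, flags `vs_forward_any` as a wildcard listener on a different address, and finds no self-IP sharing a VIP address. Any finding left in the "unexplained" list is exactly what Martin's NAT hypothesis or a packet capture at the VIP should be used to explain; run the same reconciliation against the real `tmsh list` output before reaching for an iRule.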