Assuming you are talking about LTM Virtual Servers, it is useful to distinguish two concepts: a Virtual IP and a Virtual Server. A Virtual IP is just that: an IP addresses for which the BIG-IP may accept traffic. A Virtual Server is a Virtual IP, a port and a protocol. A BIG-IP will reject all traffic that matches a VIP but does not match a Virtual Server -- unless you change the global setting for this, but you have to go out of your way to do that. If, on the other hand, a wildcard VS (that is, a Virtual Server listening on all ports) is defined for a VIP, naturally, traffic for any port will be accepted. Finally, if a VIP matches a self-IP, the self-IP may accept local traffic. But you should avoid this type of configuration.
Ordinarily you should not need an iRule or something similar to prevent traffic.