Manual Chapter: Access Control Lists

Overview

You can implement two kinds of access control on the BIG-IP system: packet filters and iRules.

Packet filter configuration

Packet filters enhance network security by specifying whether a BIG-IP system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic only; they do not apply to outgoing traffic.

Packet filtering is global and takes precedence over virtual server access control. However, filtering typically works best when you configure both packet filters and virtual server access control on the system. While packet filters allow or deny traffic based solely on the source of the traffic, regardless of destination, virtual servers can filter traffic destined for a particular IP address. When the traffic reaches the virtual server address, the BIG-IP system uses the assigned iRule to allow or deny the traffic based on some criteria specified in the iRule.

You implement packet filtering by creating packet filter rules. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:

  • The source IP address of a packet
  • The destination IP address of a packet
  • The destination port of a packet

You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the BIG-IP system to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility.

You can also configure global packet filtering that applies to all packet filter rules that you create, such as specifying a specific MAC address or IP address to accept or reject.

Note: Packet filters generate additional log messages.

Enabling packet filtering on the BIG-IP system

Before creating a packet filtering rule, you must enable packet filtering.
  1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
  2. From the Packet Filtering list, select Enabled.
  3. From the Unhandled Packet Action list, select Accept.
  4. Click Update.
Packet filtering is enabled.

Creating a packet filter rule to allow traffic

When implementing this packet filtering configuration, you must create a packet filter rule that specifies an IP address or network for the type of traffic that the BIG-IP system accepts. In the example below, the packet filter rule is created to allow traffic from a specific network on VLAN external.
  1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
  2. Click Rules.
  3. Click Create.
  4. In the Name field, type a name for the rule.
  5. From the Order list, select First.
  6. From the Action list, select Accept.
  7. If rate shaping is enabled, then from the Rate Class list, select a rate class.
  8. From the VLAN / Tunnel list, select external.
  9. From the Logging list, select Enabled.
  10. From the Filter Expression Method list, select Enter Expression Text. This displays the Filter Expression box.
  11. In the Filter Expression field, type an expression. For example: ( src net 10.133.96.0/24 )
  12. Click Finished.
The BIG-IP system now has a packet filter rule that accepts inbound traffic from network 10.133.96.0/24 on VLAN external.

Creating a packet filter rule to deny traffic

When implementing packet filtering, you can create a packet filter rule that rejects all traffic on VLAN external, except for any traffic to which another packet filter rule applies. In the example below, the packet filter rule is created to deny all traffic on VLAN external, except traffic from the particular network specified in the separate packet filter rule created earlier. Because this rule has no filter expression, it matches every packet on the VLAN, so its order (Last) is what keeps it from overriding the accept rule.
  1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
  2. Click Rules.
  3. Click Create.
  4. In the Name field, type a name for the rule.
  5. From the Order list, select Last.
  6. From the Action list, select Reject.
  7. From the VLAN / Tunnel list, select external.
  8. From the Logging list, select Enabled.
  9. From the Filter Expression Method list, select Enter Expression Text. This displays the Filter Expression box. Leave the Filter Expression field empty.
  10. Click Finished.
You now have a packet filter rule that denies all traffic on VLAN external except traffic to which another packet filter rule applies.
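The following is an added simulation, not F5 code, of how the two rules from the procedures above interact with the global Unhandled Packet Action. It assumes the semantics the chapter implies: rules are checked in Order, the first rule whose VLAN and expression match decides, and a packet matching no rule gets the unhandled action. Only the tcpdump subset this page uses (src/dst net, host, port, joined with and) is parsed; the Packet and Rule types and the sample packets are constructed here for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Assumed semantics (not taken from F5 source): ordered first-match evaluation,
# falling through to the global Unhandled Packet Action when no rule matches.

@dataclass
class Packet:            # constructed sample packet, not a real capture
    vlan: str
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    name: str
    action: str          # "accept" or "reject"
    vlan: str | None     # None means any VLAN / tunnel
    expression: str      # "" means every packet on that VLAN

def matches(expression: str, pkt: Packet) -> bool:
    """Evaluate the tcpdump subset used on this page: src/dst net, host, port, joined by 'and'."""
    text = expression.replace("(", " ").replace(")", " ")
    for term in text.split(" and "):
        tokens = term.split()
        if not tokens:
            continue                     # empty expression matches everything
        qualifier, kind, value = tokens  # e.g. ("src", "net", "10.133.96.0/24")
        addr = pkt.src if qualifier == "src" else pkt.dst
        if kind == "net" and ipaddress.ip_address(addr) not in ipaddress.ip_network(value):
            return False
        elif kind == "host" and addr != value:
            return False
        elif kind == "port" and pkt.dport != int(value):   # page lists destination port only
            return False
        elif kind not in ("net", "host", "port"):
            raise ValueError(f"unsupported primitive: {kind}")
    return True

def filter_packet(rules: list[Rule], unhandled_action: str, pkt: Packet) -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the unhandled action."""
    for rule in rules:
        if rule.vlan in (None, pkt.vlan) and matches(rule.expression, pkt):
            return rule.action, rule.name
    return unhandled_action, "unhandled"

# The two rules created in this chapter, in their Order: First / Last
RULES = [Rule("allow_net", "accept", "external", "( src net 10.133.96.0/24 )"),
         Rule("deny_rest", "reject", "external", "")]
```

Running filter_packet(RULES, "accept", ...) shows that a packet from 10.133.96.0/24 on VLAN external is accepted by the first rule, any other source on VLAN external is rejected by the last rule, and a packet on a different VLAN matches no rule and is accepted only because the Unhandled Packet Action was set to Accept.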

Application-specific access control using iRules

You can create an iRule to assign to a specific virtual server, to protect the network resources for which the virtual server processes traffic.

A common use of an iRule that you assign to a virtual server is to deny traffic to or from one or more specified IP addresses. For example, when the following iRule is assigned to a virtual server, any traffic passing through that virtual server that shows a source IP address of 4.4.4.4 is discarded, and all other connections are logged as allowed.

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 4.4.4.4] } {
            discard
        } else {
            log local0. "Allowed Traffic"
        }
    }

You can assign an iRule to a virtual server either when you create the virtual server or by modifying the properties of an existing virtual server.

You can find more examples of iRules on the F5 Networks DevCentral web site, located at http://devcentral.f5.com.
