Access Control Lists

Overview

You can implement two kinds of access control on the BIG-IP system: packet filters, which apply globally to incoming traffic, and iRules, which you assign to individual virtual servers.

Packet filter configuration

Packet filters enhance network security by specifying whether a BIG-IP system interface should accept or reject certain packets, based on criteria that you specify. Packet filters enforce an access policy on incoming traffic only; they do not filter traffic that the BIG-IP system sends.

Packet filtering is global and takes precedence over virtual server access control: a packet that a filter rule rejects is dropped before any virtual server sees it. Filtering typically works best when you configure both packet filters and virtual server access control on the system. Packet filters evaluate the headers of incoming packets (source, destination, port, VLAN) regardless of which virtual server, if any, owns the destination address. A virtual server, by contrast, sees only the traffic sent to its own address, and the BIG-IP system uses the iRule assigned to that virtual server to allow or deny the traffic based on criteria specified in the iRule.

You implement packet filtering by creating packet filter rules. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:

  • The source IP address of a packet
  • The destination IP address of a packet
  • The destination port of a packet

You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the BIG-IP system to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility.

You can also configure global packet filtering that applies to all packet filter rules that you create, such as specifying a specific MAC address or IP address to accept or reject.

Note: Packet filters generate additional log messages.

Enabling packet filtering on the BIG-IP system

Before creating a packet filter rule, you must enable packet filtering.
  1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
  2. From the Packet Filtering list, select Enabled.
  3. From the Unhandled Packet Action list, select Accept. With this setting, a packet that matches no rule is accepted, so the default-deny for a VLAN must come from an explicit, last-ordered Reject rule such as the one created later in this chapter.
  4. Click Update.
Packet filtering is now enabled.

Creating a packet filter rule to allow traffic

In this deployment, you first create a packet filter rule that accepts traffic from the source network you trust. In the example below, the rule accepts traffic from network 10.133.96.0/24 arriving on VLAN external.
  1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
  2. Click Rules.
  3. Click Create.
  4. In the Name field, type a name for the rule.
  5. From the Order list, select First.
  6. From the Action list, select Accept.
  7. If rate shaping is enabled, then from the Rate Class list, select a rate class.
  8. From the VLAN / Tunnel list, select external.
  9. From the Logging list, select Enabled.
  10. From the Filter Expression Method list, select Enter Expression Text. This displays the Filter Expression box.
  11. In the Filter Expression field, type an expression. For example: ( src net 10.133.96.0/24 )
  12. Click Finished.
The BIG-IP system now has a packet filter rule that accepts inbound traffic from network 10.133.96.0/24 on VLAN external.

Creating a packet filter rule to deny traffic

To complete the configuration, create a second packet filter rule, ordered last, that rejects all remaining traffic on VLAN external. Because the allow rule is evaluated first, traffic from the permitted network never reaches this rule; everything else arriving on VLAN external is rejected. In the example below, the rule is scoped to the VLAN and no filter expression is entered, so it matches all remaining traffic on VLAN external.
  1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.
  2. Click Rules.
  3. Click Create.
  4. In the Name field, type a name for the rule.
  5. From the Order list, select Last.
  6. From the Action list, select Reject.
  7. From the VLAN / Tunnel list, select external.
  8. From the Logging list, select Enabled.
  9. From the Filter Expression Method list, select Enter Expression Text. This displays the Filter Expression box.
  10. Click Finished.
You now have a packet filter rule that rejects all traffic on VLAN external except traffic to which an earlier packet filter rule applies. Because the Unhandled Packet Action is Accept, this final rule is what turns the configuration into a default-deny policy for VLAN external; without it, unmatched packets on that VLAN would be accepted.
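The same configuration from the command line, as an added example rather than text from the manual. It reproduces the two Configuration utility procedures above with tmsh. The rule names (allow-mgmt-net, deny-external) are arbitrary, the sys db keys and packet-filter property names are written from recollection, and the deny rule is created without an expression, as in the procedure; confirm the syntax with "tmsh help net packet-filter" on your version before using it.

```tmsh
# Added example, not F5 documentation text. Property names as recalled; verify
# with "tmsh help net packet-filter" and "tmsh list sys db packetfilter*".

# 1. Enable packet filtering globally and accept packets that no rule handles
#    (the Configuration utility's Unhandled Packet Action = Accept).
tmsh modify sys db packetfilter value enable
tmsh modify sys db packetfilter.defaultaction value accept

# 2. Allow rule, evaluated first: accept the trusted network on VLAN external.
#    The expression uses tcpdump syntax, exactly as typed into the GUI.
tmsh create net packet-filter allow-mgmt-net action accept order 1 vlan external logging enabled rule "( src net 10.133.96.0/24 )"

# 3. Deny rule, evaluated last: reject everything else arriving on VLAN external.
#    Scoped by VLAN only, with no expression, matching the procedure above.
tmsh create net packet-filter deny-external action reject order 2 vlan external logging enabled

# 4. Review the rule order before saving: the reject rule must sort after the
#    accept rule, or the trusted network is cut off.
tmsh list net packet-filter
tmsh save sys config
```

Check the order with the list command before saving; a reject rule that sorts ahead of the accept rule silently blocks the network you meant to admit.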

Application-specific access control using iRules

You can protect internal network resources by creating an iRule and then assigning the iRule to one or more virtual servers. A common use of such an iRule is to allow traffic that is destined for one or more specified IP addresses to access network resources.

You can assign an iRule to a virtual server either when you create the virtual server, or by modifying the properties of an existing virtual server.

You can find more examples of iRules on F5 Networks DevCentral web site, located at http://devcentral.f5.com.

Sample address and string data groups

To enable virtual servers to control access to internal network resources, you can create an iRule that calls a string type of data group. The string data group lists each virtual server, and associates each virtual server with a second, address type of data group. This second data group lists the IP addresses that the virtual servers specifically allow.

This example shows an address data group named /Common/dg-dcf-net-shownetworks. This data group is defined within the bigip.conf file, and lists the IP addresses that the two virtual servers /Common/FWtest-bigIP1 and /Common/Web-bigIP1 allow into the network.

ltm data-group internal /Common/dg-dcf-net-shownetworks {
    records {
        10.3.1.101/32 { }
        10.3.1.102/32 { }
        10.1.1.101/32 { }
    }
    type ip
}

Once you create this address data group, you can create a string data group that maps each virtual server to the data group /Common/dg-dcf-net-shownetworks.

The following example shows the definition of a string data group named dg-dcf-fwdb within the bigip.conf file. This data group names two virtual servers (/Common/FWtest-bigIP1 and /Common/Web-bigIP1), and associates each with the address data group /Common/dg-dcf-net-shownetworks. When you create an iRule for access control, you reference this mapping data group by name, either directly in the class match command or through a static variable that you set in RULE_INIT (for example, set static::dcfw_mapping_dg "/Common/dg-dcf-fwdb").

ltm data-group internal /Common/dg-dcf-fwdb {
    records {
        /Common/fwtest-bigip1 {
            data dg-dcf-net-shownetworks
        }
        /Common/web-bigip1 {
            data dg-dcf-net-shownetworks
        }
    }
    type string
}
Important: When specifying virtual server names within a string data group, you must define all names in lowercase characters. The actual virtual server names, however, can be a combination of uppercase and lowercase characters.
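The tmsh commands that build the two data groups above and attach an access-control iRule to both virtual servers, as an added example rather than text from the manual. The iRule name dcfw_allow is hypothetical (use the name you give the iRule you create from the samples in this chapter); the data-group record syntax is written from recollection, so confirm it with "tmsh help ltm data-group".

```tmsh
# Added example, not F5 documentation text. Verify syntax with
# "tmsh help ltm data-group" and "tmsh help ltm virtual".

# Address data group: the client addresses the virtual servers admit.
tmsh create ltm data-group internal dg-dcf-net-shownetworks type ip records add { 10.3.1.101/32 { } 10.3.1.102/32 { } 10.1.1.101/32 { } }

# String data group: maps each virtual server name, written in lowercase as
# the note above requires, to the address data group that applies to it.
tmsh create ltm data-group internal dg-dcf-fwdb type string records add { /Common/fwtest-bigip1 { data dg-dcf-net-shownetworks } /Common/web-bigip1 { data dg-dcf-net-shownetworks } }

# Attach the access-control iRule (hypothetical name dcfw_allow) to each
# virtual server it protects. "rules { }" replaces the whole rule list.
tmsh modify ltm virtual /Common/FWtest-bigIP1 rules { dcfw_allow }
tmsh modify ltm virtual /Common/Web-bigIP1 rules { dcfw_allow }

# Day-two change: admit one more client without editing the iRule.
tmsh modify ltm data-group internal dg-dcf-net-shownetworks records add { 10.3.1.103/32 { } }

# Confirm both lookups the iRule will perform resolve before saving.
tmsh list ltm data-group internal dg-dcf-fwdb
tmsh list ltm data-group internal dg-dcf-net-shownetworks
tmsh save sys config
```

Keeping the allowed addresses in the data group rather than in the iRule means access changes never touch iRule code, and the lowercase virtual server keys are the one place a typo causes the iRule to fail closed for that virtual server.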

A sample iRule for allowing IP addresses

The following sample shows an iRule that is assigned to a virtual server. This iRule allows access to internal network resources only for the IP addresses that you list in a data group, and discards every other connection. The iRule looks up the virtual server's name in a string data group, which in turn names the address data group to check; replace /Common/iruletest.app/MAPPING_DATA_GROUP with the name of your string data group (for example, /Common/dg-dcf-fwdb). If the lookup fails, or the named address data group does not exist, the iRule fails closed and discards the connection.

You can copy this iRule from this example and paste it into the relevant BIG-IP Configuration utility screen for creating an iRule.

when CLIENT_ACCEPTED {
    # The while loop runs once; it exists only so that "break" can jump to the
    # discard below. Every failure path therefore denies the connection.
    while {1} {
        # Find the address data group that applies to this virtual server.
        set dcfw_vdg [class match -value [virtual name] equals /Common/iruletest.app/MAPPING_DATA_GROUP]
        # No mapping, or a mapping to a data group that does not exist: deny.
        if { ! [class exists $dcfw_vdg] } { break }
        # Client address is not in the allowed list: deny.
        if { ! [class match [IP::remote_addr] equals $dcfw_vdg] } { break }
        # Allowed: stop processing this event and let the connection proceed.
        return
    }
    discard
}

A sample iRule for denying IP addresses

The following sample shows an iRule that is assigned to a virtual server. This iRule denies access to internal network resources for the IP addresses that you list in a data group, and allows every other connection. As in the allow sample, the iRule looks up the virtual server's name in a string data group that names the address data group to check; replace /Common/iruletest.app/MAPPING_DATA_GROUP with the name of your string data group. If the lookup fails, or the named address data group does not exist, the iRule discards the connection rather than allowing it.

You can copy this iRule from this example and paste it into the relevant BIG-IP Configuration utility screen for creating an iRule.

when CLIENT_ACCEPTED {
    # The while loop runs once; "break" jumps to the discard below, so a
    # missing mapping or data group denies rather than allows.
    while {1} {
        # Find the address data group that applies to this virtual server.
        set dcfw_vdg [class match -value [virtual name] equals /Common/iruletest.app/MAPPING_DATA_GROUP]
        # No mapping, or a mapping to a data group that does not exist: deny.
        if { ! [class exists $dcfw_vdg] } { break }
        # Client address is in the deny list: deny.
        if { [class match [IP::remote_addr] equals $dcfw_vdg] } { break }
        # Not listed: stop processing this event and let the connection proceed.
        return
    }
    discard
}

A sample iRule for allowing IP addresses and for high-speed logging

The following sample shows an iRule that allows access to internal network resources for certain IP addresses that you list in a data group. The iRule references a string data group, named in the static variable static::dcfw_mapping_dg, that maps each virtual server to its data group of IP addresses. Replace the placeholder values in RULE_INIT (the high-speed logging pool, the host name, and the mapping data group) with your own.

In addition to defining the IP addresses that the BIG-IP system allows for the virtual servers, this iRule defines the format of the log output for allow and deny messages.

You can copy this iRule from this example and paste it into the relevant BIG-IP Configuration utility screen for creating an iRule.

when RULE_INIT {
    # Set to 1 to also write each message to /var/log/ltm while testing.
    set static::dcfw_yourname_dbg 0
    # Define in this list the HSL destinations (one or more log pools).
    set static::dcfw_yourname_hsps {{/Common/POOL_NAME_FOR_HSL}}
    set static::dcfw_yourname_hostname "YOUR_HOST_NAME"
    set static::dcfw_yourname_module "F5-LTM"
    set static::dcfw_yourname_msgid "1"
    # String data group that maps each virtual server to its address data group.
    set static::dcfw_mapping_dg "/Common/DCFW_MAPPING_DATA_GROUP"
}

when CLIENT_ACCEPTED {
    set src [IP::remote_addr]
    set dst [IP::local_addr]
    # ruleid for the log message; replaced by the data group name once one is found.
    set dcfw_yourname_vdg "default-deny"
    switch [IP::protocol] {
        6 {
            set srcp [TCP::remote_port]
            set dstp [TCP::local_port]
        }
        17 {
            set srcp [UDP::remote_port]
            set dstp [UDP::local_port]
        }
        default {
            set srcp 0
            set dstp 0
        }
    }
    # The loop runs once; any "break" falls through to the deny path below.
    while {1} {
        set dcfw_vdg [class match -value [virtual name] equals $static::dcfw_mapping_dg]
        # No mapping, or a mapping to a data group that does not exist: deny.
        if { ! [class exists $dcfw_vdg] } { break }
        set dcfw_yourname_vdg $dcfw_vdg
        # Client address is not in the allowed list: deny.
        if { ! [class match [IP::remote_addr] equals $dcfw_vdg] } { break }
        # Allowed; the allow message is logged in SERVER_CONNECTED.
        return
    }
    # Denied: log, then drop the connection. No translation has happened yet,
    # so the snat-ip and dnat-ip fields carry the original addresses.
    set msg "[clock format [clock seconds] -format "%Y-%m-%d %H:%M:%S"] $static::dcfw_yourname_hostname $static::dcfw_yourname_module $dcfw_yourname_vdg $static::dcfw_yourname_msgid deny [IP::protocol] $src $srcp $dst $dstp [virtual name] $src $dst -"
    if { $static::dcfw_yourname_dbg } { log local0. $msg }
    foreach hsp $static::dcfw_yourname_hsps {
        set hsl [HSL::open -proto UDP -pool $hsp]
        HSL::send $hsl $msg
        unset hsl
    }
    discard
}

when SERVER_CONNECTED {
    # Allowed connection. On the server side, IP::local_addr is the translated
    # (SNAT) source and IP::remote_addr is the selected pool member.
    set msg "[clock format [clock seconds] -format "%Y-%m-%d %H:%M:%S"] $static::dcfw_yourname_hostname $static::dcfw_yourname_module $dcfw_yourname_vdg $static::dcfw_yourname_msgid allow [IP::protocol] $src $srcp $dst $dstp [virtual name] [IP::local_addr] [IP::remote_addr] -"
    # Debug: log locally for testing.
    if { $static::dcfw_yourname_dbg } { log local0. $msg }
    foreach hsp $static::dcfw_yourname_hsps {
        set hsl [HSL::open -proto UDP -pool $hsp]
        HSL::send $hsl $msg
        unset hsl
    }
    unset -nocomplain src dst srcp dstp msg dcfw_vdg dcfw_yourname_vdg
}

A sample iRule for denying IP addresses and for high-speed logging

The following sample shows an iRule that denies access to internal network resources for certain IP addresses that you list in a data group, and allows every other connection. The iRule references a string data group, named in the static variable static::dcfw_mapping_dg, that maps each virtual server to its data group of IP addresses. It differs from the allow sample only in the sense of the address test.

In addition to defining the IP addresses that the BIG-IP system denies for the virtual servers, this iRule defines the format of the log output for allow and deny messages.

You can copy this iRule from this example and paste it into the relevant BIG-IP Configuration utility screen for creating an iRule.

when RULE_INIT {
    # Set to 1 to also write each message to /var/log/ltm while testing.
    set static::dcfw_yourname_dbg 0
    # Define in this list the HSL destinations (one or more log pools).
    set static::dcfw_yourname_hsps {{/Common/POOL_NAME_FOR_HSL}}
    set static::dcfw_yourname_hostname "YOUR_HOST_NAME"
    set static::dcfw_yourname_module "F5-LTM"
    set static::dcfw_yourname_msgid "1"
    # String data group that maps each virtual server to its address data group.
    set static::dcfw_mapping_dg "/Common/DCFW_MAPPING_DATA_GROUP"
}

when CLIENT_ACCEPTED {
    set src [IP::remote_addr]
    set dst [IP::local_addr]
    # ruleid for the log message; replaced by the data group name once one is found.
    set dcfw_yourname_vdg "default-deny"
    switch [IP::protocol] {
        6 {
            set srcp [TCP::remote_port]
            set dstp [TCP::local_port]
        }
        17 {
            set srcp [UDP::remote_port]
            set dstp [UDP::local_port]
        }
        default {
            set srcp 0
            set dstp 0
        }
    }
    # The loop runs once; any "break" falls through to the deny path below.
    while {1} {
        set dcfw_vdg [class match -value [virtual name] equals $static::dcfw_mapping_dg]
        # No mapping, or a mapping to a data group that does not exist: deny.
        if { ! [class exists $dcfw_vdg] } { break }
        set dcfw_yourname_vdg $dcfw_vdg
        # Client address is in the deny list: deny.
        if { [class match [IP::remote_addr] equals $dcfw_vdg] } { break }
        # Not listed; the allow message is logged in SERVER_CONNECTED.
        return
    }
    # Denied: log, then drop the connection. No translation has happened yet,
    # so the snat-ip and dnat-ip fields carry the original addresses.
    set msg "[clock format [clock seconds] -format "%Y-%m-%d %H:%M:%S"] $static::dcfw_yourname_hostname $static::dcfw_yourname_module $dcfw_yourname_vdg $static::dcfw_yourname_msgid deny [IP::protocol] $src $srcp $dst $dstp [virtual name] $src $dst -"
    if { $static::dcfw_yourname_dbg } { log local0. $msg }
    foreach hsp $static::dcfw_yourname_hsps {
        set hsl [HSL::open -proto UDP -pool $hsp]
        HSL::send $hsl $msg
        unset hsl
    }
    discard
}

when SERVER_CONNECTED {
    # Allowed connection. On the server side, IP::local_addr is the translated
    # (SNAT) source and IP::remote_addr is the selected pool member.
    set msg "[clock format [clock seconds] -format "%Y-%m-%d %H:%M:%S"] $static::dcfw_yourname_hostname $static::dcfw_yourname_module $dcfw_yourname_vdg $static::dcfw_yourname_msgid allow [IP::protocol] $src $srcp $dst $dstp [virtual name] [IP::local_addr] [IP::remote_addr] -"
    # Debug: log locally for testing.
    if { $static::dcfw_yourname_dbg } { log local0. $msg }
    foreach hsp $static::dcfw_yourname_hsps {
        set hsl [HSL::open -proto UDP -pool $hsp]
        HSL::send $hsl $msg
        unset hsl
    }
    unset -nocomplain src dst srcp dstp msg dcfw_vdg dcfw_yourname_vdg
}

High-speed logging using an iRule

The high-speed logging versions of the allow and deny iRules send a message for each allowed and each denied connection to one or more high-speed logging pools, and define the format of those messages.

You specify the log pools in the iRule as the value of a static variable for high-speed logging (for example, set static::dcfw_yourname_hsps {{logger1} {logger2} {logger3}}).

The sample iRule logs messages in this format:

  • date = 4DIGIT "-" 2DIGIT "-" 2DIGIT (year-month-day, e.g. 2012-03-23)
  • time = 2DIGIT ":" 2DIGIT ":" 2DIGIT (00:00:00 - 23:59:59)
  • deviceid = F5 device name
  • facility = message generating module, e.g. F5-LTM
  • ruleid = String srcipdataclassname (the name of the source address data group that was checked)
  • messageid = DIGIT (numerical ID identifying the format the log message is sent in)
  • action = ("allow" | "deny")
  • protocol = DIGIT (numerical IP protocol number, per IANA)
  • source-ip = (ipv4 | ipv6 address)
  • source-port = DIGIT (numerical source protocol port)
  • destination-ip = (ipv4 | ipv6 address)
  • destination-port = DIGIT (numerical destination protocol port)
  • virtual = virtual server name
  • snat-ip = (ipv4 | ipv6 address) translated SNAT IP
  • dnat-ip = (ipv4 | ipv6 address) translated DNAT IP
  • comment = empty for future use (written as "-")

The following is an example of a resulting log message:

2012-05-31 14:53:33 BigIP-1 F5-LTM dg-dcf-net-my_addr_datagroup 1 allow 6 10.3.1.102 55463 10.1.1.201 16018 /Common/FWtest-BigIP1 10.1.0.239 10.1.101.102 -
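A parser for this message format, run over a few sample log lines, as an added example that is not part of the manual. It implements the 16-field layout listed above, rejects lines that do not fit it rather than guessing, and pivots denies on the source address, which on a deny is the untranslated client address. The first sample line is the chapter's own example; the remaining lines are constructed for the demonstration.

```python
"""Parse the firewall log lines emitted by the high-speed-logging iRule and
summarise denies per source address.

Added example for this chapter, not F5 code. Field order follows the
documented 16-field, space-separated format; the sample lines below are
constructed (the first one is the chapter's own example line)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

FIELDS = ("date", "time", "deviceid", "facility", "ruleid", "messageid",
          "action", "protocol", "source_ip", "source_port", "destination_ip",
          "destination_port", "virtual", "snat_ip", "dnat_ip", "comment")


@dataclass(frozen=True)
class FwLogEntry:
    date: str
    time: str
    deviceid: str
    facility: str
    ruleid: str
    messageid: int
    action: str
    protocol: int
    source_ip: str
    source_port: int
    destination_ip: str
    destination_port: int
    virtual: str
    snat_ip: str
    dnat_ip: str
    comment: str


def parse_line(line: str) -> Optional[FwLogEntry]:
    """Return an FwLogEntry, or None for a line that does not fit the format.

    Malformed lines are rejected, not repaired, so a forwarder that truncates
    or wraps messages cannot produce silently wrong records."""
    parts = line.strip().split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        messageid = int(rec["messageid"])  # identifies the message format
        protocol = int(rec["protocol"])
        sport = int(rec["source_port"])
        dport = int(rec["destination_port"])
        for key in ("source_ip", "destination_ip", "snat_ip", "dnat_ip"):
            ipaddress.ip_address(rec[key])  # accepts IPv4 and IPv6 literals
    except ValueError:
        return None
    # The documented action keyword is "allow"; tolerate "accept" as a synonym.
    action = "allow" if rec["action"] == "accept" else rec["action"]
    if messageid != 1 or action not in ("allow", "deny"):
        return None
    if not (0 <= protocol <= 255 and 0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return FwLogEntry(rec["date"], rec["time"], rec["deviceid"], rec["facility"],
                      rec["ruleid"], messageid, action, protocol,
                      rec["source_ip"], sport, rec["destination_ip"], dport,
                      rec["virtual"], rec["snat_ip"], rec["dnat_ip"], rec["comment"])


def denied_sources(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Count deny events per source IP; return sources at or above threshold.

    On a deny the iRule logs the untranslated client address, so source_ip is
    the field to pivot on when hunting for a host probing protected virtuals."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry.action == "deny":
            counts[entry.source_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log. Line 1 is the chapter's example; the rest are made
# up, including a truncated line that the parser must reject.
SAMPLE_LOG = """\
2012-05-31 14:53:33 BigIP-1 F5-LTM dg-dcf-net-my_addr_datagroup 1 allow 6 10.3.1.102 55463 10.1.1.201 16018 /Common/FWtest-BigIP1 10.1.0.239 10.1.101.102 -
2012-05-31 14:53:35 BigIP-1 F5-LTM default-deny 1 deny 6 192.0.2.7 40001 10.1.1.201 16018 /Common/FWtest-BigIP1 192.0.2.7 10.1.1.201 -
2012-05-31 14:53:36 BigIP-1 F5-LTM default-deny 1 deny 6 192.0.2.7 40002 10.1.1.201 16018 /Common/FWtest-BigIP1 192.0.2.7 10.1.1.201 -
2012-05-31 14:53:37 BigIP-1 F5-LTM default-deny 1 deny 17 192.0.2.7 40003 10.1.1.201 53 /Common/FWtest-BigIP1 192.0.2.7 10.1.1.201 -
2012-05-31 14:53:38 BigIP-1 F5-LTM default-deny 1 deny 6 198.51.100.9 5555 10.1.1.201 16018 /Common/FWtest-BigIP1 198.51.100.9 10.1.1.201 -
2012-05-31 14:53:39 BigIP-1 F5-LTM truncated 1 deny 6 192.0.2.7
""".splitlines()

if __name__ == "__main__":
    for ip, n in denied_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} denies")
```

Feed it the lines your HSL collector stores for the log pool; because the fields are positional, keep the message format (messageid 1) fixed once collectors depend on it, and bump the messageid if you ever change the layout.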
