Manual Chapter : Configuring Packet Filtering

Applies To:


BIG-IP AAM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP Link Controller

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP FPS

  • 17.1.1

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 11.5.8

Overview: Setting up packet filtering

Packet filters enhance network security by specifying whether a BIG-IP® system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic. They apply to incoming traffic only.

You implement packet filtering by creating packet filter rules. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:

  • The source IP address of a packet
  • The destination IP address of a packet
  • The destination port of a packet

You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the Configuration utility to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility.

Important: Unlike most IP address configuration settings in the BIG-IP Configuration utility that require the %ID notation for route domains other than route domain 0, the Source Hosts and Networks and Destination Hosts and Networks settings for packet filter rules accept IP addresses without the %ID route domain notation. This is because when you apply the packet filter rule to a VLAN, which belongs to a route domain, you are indirectly specifying which route domain’s traffic to filter.
Note: Packet filter rules are unrelated to iRules®.

You can also configure global packet filtering that applies to all packet filter rules that you create.

Task summary

After you set up some basic IP routing and configure packet filtering as described in the following tasks, specific hosts on the internal VLAN can connect to the internal VLAN's self IP address. These hosts can also use common Internet services such as HTTP, HTTPS, DNS, FTP, and SSH. Traffic from all other hosts on the internal VLAN is rejected.

Task list

Enabling SNAT automap for internal and external VLANs

You can configure SNAT automapping on the BIG-IP system for internal and external VLANs.
  1. On the Main tab, click Local Traffic > Address Translation.
    The SNAT List screen displays a list of existing SNATs.
  2. Click Create.
  3. Name the new SNAT.
  4. From the Translation list, select Automap.
  5. For the VLAN / Tunnel List setting, in the Available list, select external and internal, and using the Move button, transfer the VLANs to the Selected list.
  6. Click the Finished button.
SNAT automapping on the BIG-IP system is configured for internal and external VLANs.

Creating a default gateway pool

Create a default gateway pool for the system to use to forward traffic.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, from the Available list, select the gateway_icmp monitor and move the monitor to the Active list.
  5. Using the New Members setting, add each router that you want to include in the default gateway pool:
    1. Type the IP address of a router in the Address field.
    2. Type an asterisk (*) in the Service Port field, or select *All Services from the list.
    3. Click Add.
  6. Click Finished.

Creating a forwarding virtual server

A virtual server represents a destination IP address for application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  5. From the Service Port list, select *All Ports.
  6. In the Configuration area of the screen, from the Type list, select Forwarding (IP).
  7. From the Protocol list, select *All Protocols.
  8. From the VLAN/Tunnel Traffic list, select Enabled On.
  9. For the VLAN List setting, from the Available box, select internal, and click the Move button to move the VLAN name to the Selected box.
  10. In the Resources area of the screen, locate the Default Pool setting and select the pool you created previously.
  11. Click Finished.
You now have a destination IP address on the BIG-IP system for application traffic.

Enabling packet filtering

Before creating a packet filtering rule, you must enable packet filtering. When you enable packet filtering, you can specify the MAC addresses, IP addresses, and VLANs that you want to be exempted from packet filter evaluation.
  1. On the Main tab, click Network > Packet Filters.
    The Packet Filters screen opens.
  2. From the Packet Filtering list, select Enabled.
  3. From the Unhandled Packet Action list, select Accept.
  4. For the Options setting, retain the default value or select the check boxes as needed.
  5. For the Protocols setting, retain the default value or clear the check boxes as needed.
  6. From the MAC Addresses list, specify a value:
    Value          Description
    None           When you select this value, all MAC addresses are exempt from packet filter evaluation.
    Always Accept  When you select this value, you can specify the MAC addresses that are exempt from packet filter evaluation, and the BIG-IP Configuration utility displays additional settings.
  7. If you directed the MAC Addresses setting to always accept specific MAC addresses, provide the details:
    1. In the Add field, type a MAC address and click Add.
      The MAC address appears in the MAC Address List field.
    2. Repeat this step for each MAC address that you want the system to exempt from packet filter evaluation.
  8. From the IP Addresses list, specify a value:
    Value          Description
    None           When you select this value, all IP addresses are exempt from packet filter evaluation.
    Always Accept  When you select this value, you can specify the IP addresses that are exempt from packet filter evaluation. The BIG-IP Configuration utility displays additional settings.
  9. If you directed the IP Addresses setting to always accept specific IP addresses, provide the details:
    1. In the Add field, type an IP address and click Add.
      The IP address appears in the IP Address List field.
    2. Repeat this step for each IP address that you want the system to exempt from packet filter evaluation.
  10. From the VLANs list, specify a value:
    Value          Description
    None           When you select this value, all VLANs are exempt from packet filter evaluation.
    Always Accept  When you select this value, you can specify the VLANs that are exempt from packet filter evaluation. The BIG-IP Configuration utility displays additional settings.
  11. If you configured the VLANs setting to always accept specific VLANs, then use the Move button to move one or more VLAN names from the Available list to the Selected list.
  12. Click Update.
After you enable packet filtering, the BIG-IP® system filters packets according to the criteria in the packet filter rule and the values you configured when enabling the packet filter.

Creating a packet filter rule

When implementing packet filtering, you need to create a packet filter rule.
  1. On the Main tab, click Network > Packet Filters.
    The Packet Filters screen opens.
  2. Click Rules.
  3. Click Create.
  4. Name the rule.
  5. From the Order list, select First.
  6. From the Action list, select Reject.
  7. From the Rate Class list, select a rate class if one exists on the system.
    You cannot use this setting if you have a bandwidth control policy on the system.
  8. From the Bandwidth Controller list, select a bandwidth controller policy if one exists on the system.
    You cannot use this setting if you have a rate class on the system.
  9. From the VLAN / Tunnel list, select internal.
  10. From the Logging list, select Enabled.
  11. From the Filter Expression Method list, select Enter Expression Text.
  12. In the Filter Expression field, choose a value:
    • Enter Expression Text. For example: not dst port 80 and not dst port 443 and not dst port 53 and not dst port 22 and not dst port 20 and not dst port 21 and not dst host internal_self_IP_address
      Note: Replace internal_self_IP_address with the actual self IP address of VLAN internal.
    • Build Expression. When you select this value, you can build an expression that causes the BIG-IP system to only accept certain protocols, source hosts and networks, destination hosts and networks, and destination ports.
      Important: Unlike most IP address configuration settings in the BIG-IP Configuration utility that require the %ID notation for route domains other than route domain 0, the Source Hosts and Networks and Destination Hosts and Networks settings for packet filter rules accept IP addresses without the %ID route domain notation. This is because when you apply the packet filter rule to a VLAN, which belongs to a route domain, you are indirectly specifying which route domain’s traffic to filter.
  13. Click Finished.
The packet filter rule is now available for the BIG-IP system to use.
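The two procedures above (enabling packet filtering with Unhandled Packet Action set to Accept, then a first-order Reject rule on VLAN internal with the tcpdump-style expression) combine into one decision order that is easy to get backwards. The following added example, which is not F5 code and only models the behaviour this chapter describes, evaluates that expression against constructed packets so you can check which traffic the Reject rule catches and which falls through to the Accept default. It assumes the internal self IP is 10.10.10.1 and supports only the and-joined port/host/net primitives the chapter's expression uses.

```python
import ipaddress

# Constructed values: the self IP of VLAN internal is assumed to be 10.10.10.1;
# the expression is the one from the "Creating a packet filter rule" steps with
# internal_self_IP_address filled in.
INTERNAL_SELF_IP = "10.10.10.1"
RULE_EXPR = ("not dst port 80 and not dst port 443 and not dst port 53 "
             "and not dst port 22 and not dst port 20 and not dst port 21 "
             f"and not dst host {INTERNAL_SELF_IP}")

def match_term(term, pkt):
    """Evaluate one tcpdump-style primitive, optionally prefixed by 'not':
    '<src|dst> port N', '<src|dst> host A', '<src|dst> net A/len'."""
    words = term.split()
    negate = words[0] == "not"
    direction, kind, value = words[1:] if negate else words
    if kind == "port":  # ports exist only for TCP/UDP, as in BPF
        hit = pkt.get("proto") in ("tcp", "udp") and pkt.get(f"{direction}_port") == int(value)
    elif kind == "host":
        hit = ipaddress.ip_address(pkt[f"{direction}_ip"]) == ipaddress.ip_address(value)
    elif kind == "net":
        hit = ipaddress.ip_address(pkt[f"{direction}_ip"]) in ipaddress.ip_network(value, strict=False)
    else:
        raise ValueError(f"unsupported primitive: {term}")
    return hit != negate

def expr_matches(expr, pkt):
    """Conjunction-only subset ('a and b and c'), which is all the chapter's expression uses."""
    return all(match_term(t.strip(), pkt) for t in expr.split(" and "))

def filter_decision(pkt, rule_expr=RULE_EXPR, rule_vlan="internal", rule_action="reject",
                    unhandled_action="accept", exempt_ips=(), exempt_vlans=()):
    """Assumed model of the order the chapter configures: exempt IPs/VLANs bypass
    evaluation, the rule applies only to its VLAN, and a packet no rule matches
    gets the Unhandled Packet Action (Accept in this chapter)."""
    if pkt["vlan"] in exempt_vlans or pkt["src_ip"] in exempt_ips:
        return "accept"
    if pkt["vlan"] == rule_vlan and expr_matches(rule_expr, pkt):
        return rule_action
    return unhandled_action

if __name__ == "__main__":
    # Constructed packets arriving on VLAN internal from host 10.10.10.50.
    for pkt in [{"vlan": "internal", "src_ip": "10.10.10.50", "dst_ip": "203.0.113.10", "proto": "tcp", "dst_port": 443},
                {"vlan": "internal", "src_ip": "10.10.10.50", "dst_ip": "203.0.113.10", "proto": "tcp", "dst_port": 25},
                {"vlan": "internal", "src_ip": "10.10.10.50", "dst_ip": INTERNAL_SELF_IP, "proto": "icmp"}]:
        print(pkt["proto"], pkt.get("dst_port", "-"), pkt["dst_ip"], "->", filter_decision(pkt))
```

Note that because the rule negates every permitted destination, anything without a listed port (ICMP to an arbitrary host, for instance) matches the Reject rule; only ICMP to the self IP passes, which is why the self IP term is in the expression.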