Manual Chapter: Setting Up Packet Filtering
Packet filters enhance network security by specifying whether a BIG-IP® system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic. They apply to incoming traffic only.
You implement packet filtering by creating packet filter rules. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:
You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the Configuration utility to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility. For more information on the tcpdump utility, see the online man page for the tcpdump command.
You can also configure global packet filtering that applies to all packet filter rules that you create. The following sections describe how to set global packet filtering options, and how to create and manage individual packet filters rules.
By setting up some basic IP routing and configuring packet filtering, specific hosts on the internal VLAN can connect to the internal VLAN's self IP address. These hosts can also use common Internet services such as HTTP, HTTPS, DNS, FTP, and SSH. Traffic from all other hosts on the internal VLAN is rejected.
To create a SNAT for the internal and external VLANs:
1. On the Main tab of the navigation pane, expand Local Traffic, and click SNATs.
    The SNATs screen opens.
2. In the upper-right corner, click Create.
    The New SNAT screen opens.
    Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a SNAT.
3. In the Name box, type a unique name for the SNAT.
4. From the Translation list, select Automap.
5. From the VLAN Traffic list, select Enabled On.
    This displays the VLAN List setting.
6. For the VLAN List setting, from the Available box select internal and external, and click the Move button (<<) to move the VLAN names to the Selected box.
7. Click Finished.
To create a pool containing the gateway routers:
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
    The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
    The New Pool screen opens.
    Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as gateway_pool.
4. In the Resources area of the screen, use the New Members setting to add the pool members.
    The members you add are router IP addresses.
5. Click Finished.
To create a forwarding virtual server for the internal VLAN:
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
    The Virtual Servers screen opens.
2. In the upper-right corner of the screen, click Create.
    The New Virtual Server screen opens.
    Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a virtual server.
3. In the Name box, type a name for the virtual server, such as vs_packetfilter.
4. For the Destination setting:
    a) For Type, select Network.
    b) In the Address box, type the IP address 0.0.0.0.
    c) In the Mask box, type the netmask 0.0.0.0.
5. From the Service Port list, select *All Ports.
6. In the Configuration area of the screen, locate the Type setting and select Forwarding (IP).
7. From the Protocol list, select *All Protocols.
8. From the VLAN Traffic list, select Enabled On.
9. For the VLAN List setting, from the Available box select internal, and click the Move button (<<) to move the VLAN name to the Selected box.
10. In the Resources area of the screen, locate the Default Pool setting and select the pool you created previously (gateway_pool).
11. Click Finished.
The final task in implementing packet filtering is to create a packet filter rule. Note that a packet filter rule is different from an iRule.
1. On the Main tab of the navigation pane, expand Network, and click Packet Filters.
    This displays the setting to enable or disable packet filtering.
2. From the Packet Filtering list, select Enabled.
    This displays additional settings.
3. From the Unhandled Packet Action list, select Accept.
4. Click Update.
5. On the menu bar, click Rules.
    This displays a list of existing packet filter rules, if any.
6. In the upper-right corner of the screen, click Create.
    The New Packet Filter Rule screen opens.
    Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a packet filter rule.
7. In the Name box, type a packet filter name, such as pf_internal.
8. From the Order list, select First.
9. From the Action list, select Reject.
10. From the Apply to VLAN list, select internal.
11. From the Logging list, select Enabled.
12. From the Filter Expression Method list, select Enter Expression Text.
    This displays the Filter Expression text box.
13. In the Filter Expression box, type the following expression:
    not dst port 80 and not dst port 443 and not dst port 53 and not dst port 22 and not dst port 20 and not dst port 21 and not dst host <internal self IP address>
    Note: Replace <internal self IP address> with the actual self IP address of VLAN internal. Also, see the tcpdump man page for general information about building expressions.
14. Click Finished.
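Because a Reject rule drops everything its expression matches, it is worth checking what the expression above actually matches before enabling it. The following added Python example (not F5 code) evaluates the tcpdump-syntax subset used in this chapter (not, and, or, dst port, dst host) against constructed packets and applies the BIG-IP decision order from the steps above: the first matching rule's Action wins, and anything unmatched gets the Unhandled Packet Action. The self IP 10.10.1.1 and the functions compile_filter and decide are assumptions made for the example.

```python
SELF_IP = "10.10.1.1"  # constructed stand-in for <internal self IP address>
PF_INTERNAL = ("not dst port 80 and not dst port 443 and not dst port 53 and "
               "not dst port 22 and not dst port 20 and not dst port 21 and "
               f"not dst host {SELF_IP}")

def parse(tokens):
    # Grammar (tcpdump subset): expr := term ('or' term)*
    #   term := factor ('and' factor)*  factor := 'not' factor | 'dst' ('port'|'host') VALUE
    def expr():
        node = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            node = (lambda l, r: lambda p: l(p) or r(p))(node, term())
        return node
    def term():
        node = factor()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            node = (lambda l, r: lambda p: l(p) and r(p))(node, factor())
        return node
    def factor():
        tok = tokens.pop(0)
        if tok == "not":
            inner = factor()
            return lambda p: not inner(p)
        if tok == "dst":
            kind, val = tokens.pop(0), tokens.pop(0)
            if kind == "port":
                return lambda p, v=int(val): p.get("dport") == v
            if kind == "host":
                return lambda p, v=val: p.get("dst") == v
        raise ValueError(f"unsupported token: {tok!r}")
    node = expr()
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return node

def compile_filter(text):
    # Turn an expression into a predicate over packet dicts ({"dst", "dport"}).
    return parse(text.split())

def decide(packet, rules, unhandled="accept"):
    # First rule whose expression matches wins (Order: First); a packet that
    # matches no rule gets the Unhandled Packet Action (Accept, per step 3).
    for action, matcher in rules:
        if matcher(packet):
            return action
    return unhandled
RULES = [("reject", compile_filter(PF_INTERNAL))]  # pf_internal: Action = Reject
```

Note that a packet with no destination port at all (for example ICMP to a host other than the self IP) satisfies every "not dst port" clause and is therefore rejected by this rule.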