Manual Chapter: Packet Filters
Applies To:
BIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Analytics
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP PEM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Packet Filters
Introduction to packet filtering
Packet filters enhance network security by specifying whether a BIG-IP® system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic. They apply to incoming traffic only.
You implement packet filtering by creating packet filter rules, using the BIG-IP Configuration utility. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:
- The source IP address of a packet
- The destination IP address of a packet
- The destination port of a packet
You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the BIG-IP system to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility. For more information on the tcpdump utility, see the online man page for the tcpdump command.
Unlike most IP address configuration settings in the BIG-IP Configuration utility that require the %ID notation for route domains other than route domain 0, the Source Hosts and Networks and Destination Hosts and Networks settings for packet filter rules accept IP addresses without the %ID route domain notation. This is because when you apply the packet filter rule to a VLAN, which belongs to a route domain, you are indirectly specifying which route domain's traffic to filter.
Packet filter rules are unrelated to iRules®.
You can also configure global packet filtering that applies to all packet filter rules that you create.
Global settings
Global settings for packet filtering are divided into two categories: Properties and Exemptions. The BIG-IP® system applies global settings to all packets coming into the BIG-IP system.
Note that one of the global settings, Packet Filtering, enables packet filtering. When you disable this setting, no packet filter settings or packet filter rules operate, and the BIG-IP system allows all traffic by default.
Global properties
You can configure three specific global properties for packet filtering.
Packet filter enabling
Before you can implement packet filtering on the BIG-IP® system, you must enable the packet filter feature. You do this by changing the Packet Filtering setting to Enabled. The default setting for packet filtering is Disabled.
Control of unhandled packets
Sometimes a packet does not match any of the criteria that you have specified in the packet filter rules that you have created. For this reason, you must configure the Unhandled Packet Action property, which specifies the action that the BIG-IP system should take when the packet does not match packet filter rule criteria. Possible values for this setting are Accept, Discard, and Reject. The default value is Accept.
Changing the default value of the Unhandled Packet Action property can produce unwanted consequences. Before changing this value to Discard or Reject, make sure that any traffic that you want the BIG-IP system to accept meets the criteria specified in your packet filter rules.
Other options
Using the Options property, you can configure two other options:
- Filter established connections
- When you enable (check) this option, the BIG-IP system filters all ingress packets, even if the packets are part of an existing connection. The default setting is disabled (unchecked). Note that checking this option does not typically enhance security, and can impact system performance.
- Send ICMP error on packet reject
- When you enable (check) this option, the system sends an ICMP type 3 (destination unreachable), code 13 (administratively prohibited) packet when an ingress packet is rejected. When you disable (clear) this option, the BIG-IP system sends an ICMP reject packet that is protocol-dependent. The default setting for this option is disabled (cleared).
Global exemptions
There are a number of exemptions you can set for packet filtering. When filtering packets,
the BIG-IP® system always applies these exemptions, effectively overriding
certain criteria you might have previously set within an individual packet filter rule.
VLANs
Using the VLANs setting, you can configure the BIG-IP system so that traffic from one or more specified VLANs is exempt from packet filtering. In this case, the system does not attempt to match packets from the specified VLAN or VLANs to any packet filter rule. Instead, the BIG-IP system always accepts traffic from the specified VLAN or VLANs. For example, if you specify VLAN internal, then no incoming packets from VLAN internal are subject to packet filtering, even if a packet matches the criteria of a packet filter rule.
Possible values are:
- Always Accept
- When you select this value, a VLAN List setting appears. You can then specify one or more VLANs from which traffic should be exempt from packet filtering.
- None
- When you select this value, traffic from all VLANs is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.
Protocols
With the Protocols setting, you can specify whether ARP and certain ICMP messages are exempt from packet filtering. The individual settings are:
- Always accept ARP
- When you enable (check) this setting, the system automatically accepts all ARP packets and therefore does not subject them to packet filtering. The default setting is enabled (checked).
- Always accept important ICMP
- When you enable (check) this setting, the system automatically accepts the following ICMP packet types for IPv4, and therefore does not subject them to packet filtering:
- UNREACH
- SOURCEQUENCH
- REDIRECT
- TIMEXCEED
MAC addresses
You can use the MAC Addresses setting to exempt traffic from certain MAC addresses from packet filtering. Possible values are:
- Always Accept
- When you select this value, a MAC Address List setting appears. You can then specify one or more MAC addresses from which traffic should be exempt from packet filtering.
- None
- When you select this value, traffic from all MAC addresses is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.
IP addresses
You can use the IP Addresses setting to exempt traffic from certain IP addresses from packet filtering. Possible values are:
- Always Accept
- When you select this value, an IP Address List setting appears. You can then specify one or more IP addresses from which traffic should be exempt from packet filtering.
- None
- When you select this value, traffic from all IP addresses is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.
Order of packet filter rules
You use the Order setting to specify the order in which you want the BIG-IP® system to apply existing packet filter rules. This setting is required.
Possible values for this setting are:
- First
- Select this value if you want this packet filter rule to be the first rule that the BIG-IP system applies.
- Last
- Select this value if you want this packet filter rule to be the last rule that the BIG-IP system applies.
- After
- Select this value, and then select a packet filter rule from the list, if you want the system to apply this packet filter after the packet filter that you select from the list. Note that this setting is most useful when you have more than three packet filter rules configured.
About the action setting in packet filter rules
When a packet matches the criteria that you have specified in a packet filter rule, the BIG-IP® system can take a specific action. You define this action using the Action setting. You can choose one of these actions:
- Accept
- Select Accept if you want the system to accept the packet, and stop processing additional packet filter rules, if any exist. This is the default setting.
- Discard
- Select Discard if you want the system to drop the packet, and stop processing additional packet filter rules, if any exist.
- Reject
- Select Reject if you want the system to drop the packet, and also send a rejection packet to the sender, indicating that the packet was refused. Note that the behavior of the system when you select the Reject action depends on how you configured the general packet filter Options property, Send ICMP Error on Packet Reject.
- Continue
- Select Continue if you simply want the system to acknowledge the packet for logging or statistical purposes. Setting the Action value to Continue does not affect the way that the BIG-IP system handles the packet; the system continues to evaluate traffic matching a rule, starting with the next packet filter rule listed.
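To see how these four actions interact with the global settings described earlier (the VLAN, protocol, MAC and IP exemptions, the Filter established connections option and the Unhandled Packet Action) and with rule order and the Apply to VLAN setting, here is an added Python model of the decision order this chapter describes. It is not F5 code: the rule names, addresses and packets are constructed, a plain callable stands in for the filter expression, and the relative order in which the exemption classes are checked is an assumption the chapter does not state.

```python
"""Dry-run model of the packet-filter decision order described in this chapter.

Added example, not F5 code. Exemptions always win, rules run in configured
order, Accept/Discard/Reject stop processing, Continue only logs, and the
rest gets the Unhandled Packet Action. Exemption check order is assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

IMPORTANT_ICMP = {"UNREACH", "SOURCEQUENCH", "REDIRECT", "TIMEXCEED"}


@dataclass
class Packet:
    vlan: str
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str                        # "tcp", "udp", "icmp" or "arp"
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None   # e.g. "UNREACH"
    established: bool = False         # belongs to an existing connection


@dataclass
class Rule:
    name: str
    action: str                       # Accept | Discard | Reject | Continue
    match: Callable[[Packet], bool]   # stands in for the filter expression
    vlan: str = "*All VLANS"          # the Apply to VLAN setting
    logging: bool = False


@dataclass
class GlobalSettings:
    enabled: bool = True
    unhandled_action: str = "Accept"
    filter_established: bool = False
    always_accept_arp: bool = True
    always_accept_important_icmp: bool = True
    exempt_vlans: List[str] = field(default_factory=list)
    exempt_macs: List[str] = field(default_factory=list)
    exempt_ips: List[str] = field(default_factory=list)


def evaluate(pkt: Packet, rules: List[Rule], cfg: GlobalSettings,
             log: Optional[List[str]] = None) -> str:
    """Return the verdict for one ingress packet: Accept, Discard or Reject."""
    log = log if log is not None else []
    if not cfg.enabled or (pkt.established and not cfg.filter_established):
        return "Accept"                  # filtering off, or an existing connection
    # Global exemptions override every rule (check order assumed).
    if pkt.vlan in cfg.exempt_vlans:
        return "Accept"
    if cfg.always_accept_arp and pkt.proto == "arp":
        return "Accept"
    if (cfg.always_accept_important_icmp and pkt.proto == "icmp"
            and pkt.icmp_type in IMPORTANT_ICMP):
        return "Accept"
    if pkt.src_mac.lower() in {m.lower() for m in cfg.exempt_macs}:
        return "Accept"
    if pkt.src_ip in cfg.exempt_ips:
        return "Accept"
    for rule in rules:                   # configured order: First ... Last
        if rule.vlan != "*All VLANS" and rule.vlan != pkt.vlan:
            continue                     # rule is applied to a different VLAN
        if not rule.match(pkt):
            continue
        if rule.logging:
            log.append(f"{rule.name}: matched {pkt.src_ip} -> {pkt.dst_ip}")
        if rule.action == "Continue":
            continue                     # acknowledged only; keep evaluating
        return rule.action               # Accept/Discard/Reject stop processing
    return cfg.unhandled_action          # no rule decided


def demo():
    """Constructed rule set and packets, with Unhandled Packet Action set to Discard."""
    cfg = GlobalSettings(unhandled_action="Discard", exempt_ips=["10.0.0.5"])
    rules = [
        Rule("count-ssh", "Continue", lambda p: p.dst_port == 22, logging=True),
        Rule("reject-telnet", "Reject", lambda p: p.dst_port == 23),
        Rule("allow-web", "Accept", lambda p: p.dst_port in (80, 443), vlan="internal"),
    ]
    mac, src, dst = "00:11:22:33:44:01", "10.0.0.9", "10.0.0.1"   # constructed
    packets = {
        "web-internal": Packet("internal", mac, src, dst, "tcp", 80),
        "web-external": Packet("external", mac, src, dst, "tcp", 80),
        "ssh": Packet("internal", mac, src, dst, "tcp", 22),
        "telnet": Packet("internal", mac, src, dst, "tcp", 23),
        "telnet-exempt-src": Packet("internal", mac, "10.0.0.5", dst, "tcp", 23),
        "dns": Packet("internal", mac, src, dst, "udp", 53),
        "arp": Packet("internal", mac, src, dst, "arp"),
        "icmp-unreach": Packet("internal", mac, src, dst, "icmp", icmp_type="UNREACH"),
        "established": Packet("internal", mac, src, dst, "tcp", 23, established=True),
    }
    log = []
    verdicts = {name: evaluate(pkt, rules, cfg, log) for name, pkt in packets.items()}
    return verdicts, log
```

Running demo() shows the caveat from the global settings section in practice: with Unhandled Packet Action set to Discard, the DNS packet and the SSH packet are dropped even though no rule targets them, because the only rule that matches SSH is a Continue rule, which logs but never decides. The Telnet packet from the exempt source address is accepted although a Reject rule matches it, and the web packet arriving on the external VLAN is discarded because the Accept rule is applied to VLAN internal only.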
Rate class assignment
Using the Rate Class setting, you can assign a rate class to traffic that matches the criteria defined in a packet filter rule. Note that this setting applies only when you have the rate shaping feature enabled. The default value for this setting is None. If you previously created rate classes using the rate shaping feature, you can choose one of those rate classes from the Rate Class list.
One or more VLANs
You use the Apply to VLAN setting to display a list of VLANs and then select a VLAN or VLAN group name. Selecting a VLAN from the list means that the packet filter rule filters ingress traffic from that VLAN only. For example, if you select the value *All VLANS, the BIG-IP® system applies the packet filter rule to all traffic coming into the BIG-IP system. Similarly, if you select the VLAN internal, the BIG-IP system applies the packet filter rule to traffic from VLAN internal only. The default value is *All VLANS. If you select the name of a VLAN group instead of an individual VLAN, the packet filter rule applies to all VLANs in that VLAN group.
Logging
If you want to generate a log message each time a packet matches a rule, you can enable logging for the packet filter rule. With this configuration, you can then display the Logging screen in the BIG-IP Configuration utility and view events related to packet filtering.
About filter expression creation
To match incoming packets, the BIG-IP system must use a filter expression. A filter expression specifies the criteria that you want the BIG-IP system to use when filtering packets. For example, the BIG-IP system can filter packets based on the source or destination IP address in the header of a packet. Using the BIG-IP Configuration utility, you can create a filter expression in either of two ways:
- You can write your own expression, using a Filter Expression box.
- You can specify a set of criteria (such as source or destination IP addresses) that you want the BIG-IP system to use when filtering packets. When you use this method, the BIG-IP system builds a filter expression for you.
You can have as many rules as you want, limited only by the available memory. Of course, the more statements you have, the more challenging it is to understand and maintain your packet filters.
Enabling packet filtering
Before creating a packet filtering rule, you must enable packet filtering. When you
enable packet filtering, you can specify the MAC addresses, IP addresses, and VLANs that
you want to be exempted from packet filter evaluation.
- On the Main tab, navigate to Packet Filters. The Packet Filters screen opens.
- From the Packet Filtering list, select Enabled.
- From the Unhandled Packet Action list, select Accept.
- For the Options setting, retain the default value or select the check boxes as needed.
- For the Protocols setting, retain the default value or clear the check boxes as needed.
- From the MAC Addresses list, specify a value:
- None: When you select this value, all MAC addresses are exempt from packet filter evaluation.
- Always Accept: When you select this value, you can specify the MAC addresses that are exempt from packet filter evaluation, and the BIG-IP Configuration utility displays additional settings.
- If you directed the MAC Addresses setting to always accept specific MAC addresses, provide the details:
- In the Add field, type a MAC address and click Add. The MAC address appears in the MAC Address List field.
- Repeat this step for each MAC address that you want the system to exempt from packet filter evaluation.
- From the IP Addresses list, specify a value:
- None: When you select this value, all IP addresses are exempt from packet filter evaluation.
- Always Accept: When you select this value, you can specify the IP addresses that are exempt from packet filter evaluation. The BIG-IP Configuration utility displays additional settings.
- If you directed the IP Addresses setting to always accept specific IP addresses, provide the details:
- In the Add field, type an IP address and click Add. The IP address appears in the IP Address List field.
- Repeat this step for each IP address that you want the system to exempt from packet filter evaluation.
- From the VLANs list, specify a value:
- None: When you select this value, all VLANs are exempt from packet filter evaluation.
- Always Accept: When you select this value, you can specify the VLANs that are exempt from packet filter evaluation. The BIG-IP Configuration utility displays additional settings.
- If you configured the VLANs setting to always accept specific VLANs, then use the Move button to move one or more VLAN names from the Available list to the Selected list.
- Click Update.
After you enable packet filtering, the
BIG-IP system filters packets according to the criteria in the
packet filter rule and the values you configured when enabling the packet
filter.
Creating a packet filter rule
When implementing packet filtering, you need to create a packet filter rule.
- On the Main tab, navigate to Packet Filters. The Packet Filters screen opens.
- Click Rules.
- Click Create.
- Name the rule.
- From the Order list, select First.
- From the Action list, select Reject.
- From the Rate Class list, select a rate class if one exists on the system. You cannot use this setting if you have a bandwidth control policy on the system.
- From the Bandwidth Controller list, select a bandwidth controller policy if one exists on the system. You cannot use this setting if you have a rate class on the system.
- From the VLAN / Tunnel list, select internal.
- From the Logging list, select Enabled.
- From the Filter Expression Method list, select Enter Expression Text.
- In the Filter Expression field, choose a value:
- Enter Expression Text. For example:
not dst port 80 and not dst port 443 and not dst port 53 and not dst port 22 and not dst port 20 and not dst port 21 and not dst host internal_self_IP_address
Replace internal_self_IP_address with the actual self IP address of VLAN internal.
- Build Expression. When you select this value, you can build an expression that causes the BIG-IP system to only accept certain protocols, source hosts and networks, destination hosts and networks, and destination ports. Unlike most IP address configuration settings in the BIG-IP Configuration utility that require the %ID notation for route domains other than route domain 0, the Source Hosts and Networks and Destination Hosts and Networks settings for packet filter rules accept IP addresses without the %ID route domain notation. This is because when you apply the packet filter rule to a VLAN, which belongs to a route domain, you are indirectly specifying which route domain's traffic to filter.
- Click Finished.
The packet filter rule is now
available for the BIG-IP system to use.
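The sample expression in the procedure above uses tcpdump syntax, so its effect can be checked offline before the rule is committed. The following Python evaluator is an added example, not F5 code and not the parser the BIG-IP system uses (which accepts the full tcpdump grammar): it implements a subset of that syntax with tcpdump's precedence rules and runs the chapter's expression, with a constructed documentation address standing in for the elided self IP, against constructed packets.

```python
"""Evaluator for the tcpdump-style filter expressions used in packet filter rules.

Added example, not F5 code. It covers a subset of tcpdump syntax (host, src/dst
host, port, src/dst port, tcp/udp/icmp, not/and/or, parentheses) with tcpdump's
precedence (not binds tightest, then and, then or).
"""
import re
from typing import Dict, List

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

class Parser:
    def __init__(self, text: str):
        self.toks: List[str] = TOKEN_RE.findall(text)
        self.i = 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self) -> str:
        if self.peek() is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]
    def parse_or(self):                      # lowest precedence
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node
    def parse_not(self):                     # highest precedence
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primitive()
    def parse_primitive(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        direction = "any"
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            return ("host", direction, self.take())
        if tok == "port":
            return ("port", direction, int(self.take()))
        if tok in ("tcp", "udp", "icmp") and direction == "any":
            return ("proto", tok)
        raise ValueError(f"unsupported token {tok!r}")

def matches(node, pkt: Dict) -> bool:
    """Evaluate a syntax tree against a packet dict (proto, src, dst, sport, dport)."""
    kind = node[0]
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return pkt["proto"] == node[1]
    _, direction, value = node
    if kind == "port" and pkt["proto"] not in ("tcp", "udp"):
        return False                          # only TCP/UDP carry ports
    keys = {"host": ("src", "dst"), "port": ("sport", "dport")}[kind]
    if direction != "any":
        keys = (keys[0],) if direction == "src" else (keys[1],)
    return any(pkt.get(k) == value for k in keys)

def compile_filter(text: str):
    """Parse an expression once and return a predicate over packet dicts."""
    parser = Parser(text)
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return lambda pkt: matches(tree, pkt)

# The chapter's sample expression; the elided self IP is a constructed placeholder.
SELF_IP = "192.0.2.10"
SAMPLE_EXPRESSION = ("not dst port 80 and not dst port 443 and not dst port 53 and "
                     "not dst port 22 and not dst port 20 and not dst port 21 "
                     f"and not dst host {SELF_IP}")

def pkt(name, proto, dst, dport=None):       # constructed ingress packets
    return {"name": name, "proto": proto, "src": "198.51.100.7", "dst": dst,
            "sport": 51000, "dport": dport}

SAMPLE_PACKETS = [pkt("https", "tcp", "192.0.2.20", 443), pkt("dns", "udp", "192.0.2.20", 53),
                  pkt("to-self-ip", "tcp", SELF_IP, 8443), pkt("alt-http", "tcp", "192.0.2.20", 8080),
                  pkt("ping", "icmp", "192.0.2.20")]

def classify(expression: str, packets: List[Dict]) -> List[str]:
    """Names of the packets the expression matches, i.e. those the rule's action applies to."""
    rule = compile_filter(expression)
    return [p["name"] for p in packets if rule(p)]
```

classify(SAMPLE_EXPRESSION, SAMPLE_PACKETS) returns the packets the rule's Reject action applies to: the TCP connection to port 8080 and the ICMP echo request. The echo request is worth noticing, since a port test is false for ICMP and every "not dst port" term therefore holds, and echo is not among the ICMP types the "Always accept important ICMP" exemption covers. Packets to the listed service ports or to the self IP do not match the expression and fall through to the Unhandled Packet Action, which the enabling procedure sets to Accept.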