Manual Chapter : Packet Filters

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP PEM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP Analytics

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP AFM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP ASM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP AAM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP LTM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0
Manual Chapter

Packet Filters

Introduction to packet filtering

Packet filters enhance network security by specifying whether a BIG-IP® system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic. They apply to incoming traffic only.
You implement packet filtering by creating packet filter rules, using the BIG-IP Configuration utility. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:
  • The source IP address of a packet
  • The destination IP address of a packet
  • The destination port of a packet
You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the BIG-IP system to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the
tcpdump
utility. For more information on the
tcpdump
utility, see the online man page for the
tcpdump
command.
Unlike most IP address configuration settings in the BIG-IP Configuration utility that require the
%ID
notation for route domains other than route domain
0
, the
Source Hosts and Networks
and
Destination Hosts and Networks
settings for packet filter rules accept IP addresses without the
%ID
route domain notation. This is because when you apply the packet filter rule to a VLAN, which belongs to a route domain, you are indirectly specifying which route domain’s traffic to filter.
Packet filter rules are unrelated to iRules®
You can also configure global packet filtering that applies to all packet filter rules that you create.

Global settings

Global settings for packet filtering are divided into two categories: Properties and Exemptions. The BIG-IP® system applies global settings to all packets coming into the BIG-IP system.
Note that one of the global settings, Packet Filtering, enables packet filtering. When you disable this setting, no packet filter settings or packet filter rules operate, and the BIG-IP system allows all traffic by default.

Global properties

You can configure three specific global properties for packet filtering.

Packet filter enabling

Before you can implement packet filtering on the BIG-IP® system, you must enable the packet filter feature. You do this by changing the
Packet Filtering
setting to
Enabled
. The default setting for packet filtering is
Disabled
.

Control of unhandled packets

Sometimes a packet does not match any of the criteria that you have specified in the packet filter rules that you have created. For this reason, you must configure the
Unhandled Packet Action
property, which specifies the action that the BIG-IP system should take when the packet does not match packet filter rule criteria.
Possible values for this setting are
Accept
,
Discard
, and
Reject
. The default value is
Accept
.
Changing the default value of the Unhandled Packet Action property can produce unwanted consequences. Before changing this value to
Discard
or
Reject
, make sure that any traffic that you want the BIG-IP system to accept meets the criteria specified in your packet filter rules.

Other options

Using the Options property, you can configure two other options:
Filter established connections
When you enable (check) this option, the BIG-IP system filters all ingress packets, even if the packets are part of an existing connection. The default setting is disabled (unchecked). Note that checking this option does not typically enhance security, and can impact system performance.
Send ICMP error on packet reject
When you enable (check) this option, the system sends an ICMP type 3 (destination unreachable), code 13 (administratively prohibited) packet when an ingress packet is rejected. When you disable (clear) this option, the BIG-IP system sends an ICMP reject packet that is protocol-dependent. The default setting for this option is disabled (cleared).

Global exemptions

There are a number of exemptions you can set for packet filtering. When filtering packets, the BIG-IP® system always applies these exemptions, effectively overriding certain criteria you might have previously set within an individual packet filter rule.

VLANs

Using the
VLANs
setting, you can configure the BIG-IP system so that traffic from one or more specified VLANs is exempt from packet filtering. In this case, the system does not attempt to match packets from the specified VLAN or VLANs to any packet filter rule. Instead, the BIG-IP system always accepts traffic from the specified VLAN or VLANs.
For example, if you specify VLAN internal, then no incoming packets from VLAN internal are subject to packet filtering, even if a packet matches the criteria of a packet filter rule.
Possible values are:
Always Accept
When you select this value, a VLAN List setting appears. You can then specify one or more VLANs from which traffic should be exempt from packet filtering.
None
When you select this value, traffic from all VLANs is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.

Protocols

With the
Protocols
setting, you can specify whether ARP and certain ICMP messages are exempt from packet filtering. The individual settings are:
Always accept ARP
When you enable (check) this setting, the system automatically accepts all ARP packets and therefore does not subject them to packet filtering. The default setting is enabled (checked).
Always accept important ICMP
When you enable (check) this setting, the system automatically accepts the following ICMP packet types for IPv4, and therefore does not subject them to packet filtering:
  • UNREACH
  • SOURCEQUENCH
  • REDIRECT
  • TIMEXCEED
The default setting is enabled.

MAC addresses

You can use the
MAC Addresses
setting to exempt traffic from certain MAC addresses from packet filtering. Possible values are:
Always Accept
When you select this value, a MAC Address List setting appears. You can then specify one or more MAC addresses from which traffic should be exempt from packet filtering.
None
When you select this value, traffic from all MAC addresses is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.

IP addresses

You can use the
IP Addresses
setting to exempt traffic from certain IP addresses from packet filtering. Possible values are:
Always Accept
When you select this value, an IP Address List setting appears. You can then specify one or more IP addresses from which traffic should be exempt from packet filtering.
None
When you select this value, traffic from all IP addresses is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.

VLANs

Using the
VLANs
setting, you can configure the BIG-IP® system so that traffic from one or more specified VLANs is exempt from packet filtering. In this case, the system does not attempt to match packets from the specified VLAN or VLANs to any packet filter rule. Instead, the BIG-IP system always accepts traffic from the specified VLAN or VLANs.
For example, if you specify VLAN internal, then no incoming packets from VLAN internal are subject to packet filtering, even if a packet matches the criteria of a packet filter rule.
Possible values are:
Always Accept
When you select this value, a
VLAN List
setting appears. You can then specify one or more VLANs from which traffic should be exempt from packet filtering.
None
When you select this value, traffic from all VLANs is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.

Order of packet filter rules

You use the
Order
setting to specify the order in which you want the BIG-IP® system to apply existing packet filter rules. This setting is required. Possible values for this setting are:
First
Select this value if you want this packet filter rule to be the first rule that the BIG-IP system applies.
Last
Select this value if you want this packet filter rule to be the last rule that the BIG-IP system applies.
After
Select this value, and then select a packet filter rule from the list, if you want the system to apply this packet filter after the packet filter that you select from the list. Note that this setting is most useful when you have more than three packet filter rules configured.

About the action setting in packet filter rules

When a packet matches the criteria that you have specified in a packet filter rule, the BIG-IP® system can take a specific action. You define this action using the
Action
setting. You can choose one of these actions:
Accept
Select
Accept
if you want the system to accept the packet, and stop processing additional packet filter rules, if any exist. This is the default setting.
Discard
Select
Discard
if you want the system to drop the packet, and stop processing additional packet filter rules, if any exist.
Reject
Select
Reject
if you want the system to drop the packet, and also send a rejection packet to the sender, indicating that the packet was refused. Note that the behavior of the system when you select the
Reject
action depends on how you configured the general packet filter Options property, Send ICMP Error on Packet Reject.
Continue
Select
Continue
if you simply want the system to acknowledge the packet for logging or statistical purposes. Setting the
Action
value to
Continue
does not affect the way that the BIG-IP system handles the packet; the system continues to evaluate traffic matching a rule, starting with the next packet filter rule listed.

Rate class assignment

Using the
Rate Class
setting, you can assign a rate class to traffic that matches the criteria defined in a packet filter rule. Note that this setting applies only when you have the rate shaping feature enabled.
The default value for this setting is None. If you previously created rate classes using the rate shaping feature, you can choose one of those rate classes from the
Rate Class
list.

One or more VLANs

You use the
Apply to VLAN
setting to display a list of VLANs and then select a VLAN or VLAN group name. Selecting a VLAN from the list means that the packet filter rule filters ingress traffic from that VLAN only. For example, if you select the value
*All VLANS
, the BIG-IP® system applies the packet filter rule to all traffic coming into the BIG-IP system.
Similarly, if you select the
VLAN internal
, the BIG-IP system applies the packet filter rule to traffic from VLAN internal only. The default value is
*All VLANS
.
If you select the name of a VLAN group instead of an individual VLAN, the packet filter rule applies to all VLANs in that VLAN group.

Logging

If you want to generate a log message each time a packet matches a rule, you can enable logging for the packet filter rule. With this configuration, you can then display the Logging screen in the BIG-IP Configuration utility and view events related to packet filtering.

About filter expression creation

To match incoming packets, the BIG-IP system must use a filter expression. A
filter expression
specifies the criteria that you want the BIG-IP system to use when filtering packets. For example, the BIG-IP system can filter packets based on the source or destination IP address in the header of a packet.
Using the BIG-IP Configuration utility, you can create a filter expression in either of two ways:
  • You can write your own expression, using a Filter Expression box.
  • You can specify a set of criteria (such as source or destination IP addresses) that you want the BIG-IP system to use when filtering packets. When you use this method, the BIG-IP system builds a filter expression for you.
You can have as many rules as you want, limited only by the available memory. Of course, the more statements you have, the more challenging it is to understand and maintain your packet filters.

Enabling packet filtering

Before creating a packet filtering rule, you must enable packet filtering. When you enable packet filtering, you can specify the MAC addresses, IP addresses, and VLANs that you want to be exempted from packet filter evaluation.
  1. On the Main tab, click
    Network
    Packet Filters
    .
    The Packet Filters screen opens.
  2. From the
    Packet Filtering
    list, select
    Enabled
    .
  3. From the
    Unhandled Packet Action
    list, select
    Accept
    .
  4. For the
    Options
    setting, retain the default value or select the check boxes as needed.
  5. For the
    Protocols
    setting, retain the default value or clear the check boxes as needed.
  6. From the
    MAC Addresses
    list, specify a value:
    Value
    Description
    None
    When you select this value, all MAC addresses are exempt from packet filter evaluation.
    Always Accept
    When you select this value, you can specify the MAC addresses that are exempt from packet filter evaluation, and the BIG-IP Configuration utility displays additional settings.
  7. If you directed the
    MAC Addresses
    setting to always accept specific MAC addresses, provide the details:
    1. In the
      Add
      field, type a MAC address and click
      Add
      .
      The MAC address appears in the
      MAC Address List
      field.
    2. Repeat this step for each MAC address that you want the system to exempt from packet filter evaluation.
  8. From the
    IP Addresses
    list, specify a value:
    Value
    Description
    None
    When you select this value, all IP addresses are exempt from packet filter evaluation.
    Always Accept
    When you select this value, you can specify the IP addresses that are exempt from packet filter evaluation. The BIG-IP Configuration utility displays additional settings.
  9. If you directed the
    IP Addresses
    setting to always accept specific IP addresses, provide the details:
    1. In the
      Add
      field, type an IP address and click
      Add
      .
      The IP address appears in the
      IP Address List
      field.
    2. Repeat this step for each IP address that you want the system to exempt from packet filter evaluation.
  10. From the
    VLANs
    list, specify a value:
    Value
    Description
    None
    When you select this value, all VLANs are exempt from packet filter evaluation.
    Always Accept
    When you select this value, you can specify the VLANs that are exempt from packet filter evaluation. The BIG-IP Configuration utility displays additional settings.
  11. If you configured the
    VLANs
    setting to always accept specific VLANs, then use the
    Move
    button to move one or more VLAN names from the
    Available
    list to the
    Selected
    list.
  12. Click
    Update
    .
After you enable packet filtering, the BIG-IP system filters packets according to the criteria in the packet filter rule and the values you configured when enabling the packet filter.

Creating a packet filter rule

When implementing packet filtering, you need to create a packet filter rule.
  1. On the Main tab, click
    Network
    Packet Filters
    .
    The Packet Filters screen opens.
  2. Click
    Rules
    .
  3. Click
    Create
    .
  4. Name the rule.
  5. From the
    Order
    list, select
    First
    .
  6. From the
    Action
    list, select
    Reject
    .
  7. From the
    Rate Class
    list, select a rate class if one exists on the system.
    You cannot use this setting if you have bandwidth control policy on the system.
  8. From the
    Bandwidth Controller
    list, select a bandwidth controller policy if one exists on the system.
    You cannot use this setting if you have a rate class on the system.
  9. From the
    VLAN / Tunnel
    list, select
    internal
    .
  10. From the
    Logging
    list, select
    Enabled
    .
  11. From the
    Filter Expression Method
    list, select
    Enter Expression Text
    .
  12. In the
    Filter Expression
    field, choose a value:
    • Enter Expression Text
      . For example:
      not dst port 80 and not dst port 443 and not dst port 53 and not dst port 22 and not dst port 20 and not dst port 21 and not dst host
      internal_self_IP_address
      Replace
      internal_self_IP_address
      with the actual self IP address of VLAN internal.
    • Build Expression
      . When you select this value, you can build an expression that causes the BIG-IP system to only accept certain protocols, source hosts and networks, destination hosts and networks, and destination ports.
      Unlike most IP address configuration settings in the BIG-IP Configuration utility that require the
      %ID
      notation for route domains other than route domain
      0
      , the
      Source Hosts and Networks
      and
      Destination Hosts and Networks
      settings for packet filter rules accept IP addresses without the
      %ID
      route domain notation. This is because when you apply the packet filter rule to a VLAN, which belongs to a route domain, you are indirectly specifying which route domain’s traffic to filter.
  13. Click
    Finished
    .
The packet filter rule is now available for the BIG-IP system to use.