net packet-filter

net packet-filter(1)					BIG-IP TMSH Manual				      net packet-filter(1)

NAME
       packet-filter - Configures packet filter rules.

MODULE
       net

SYNTAX
       Configure the packet-filter component within the net module using the syntax in the following sections.

   CREATE/MODIFY
	create packet-filter [name]
	modify packet-filter [name]
	  options:
	    action [accept | continue | discard | reject]
	    app-service [[string] | none]
	    description [string]
	    logging [enabled | disabled]
	    order [integer]
	    rate-class [name]
	    rule "[BPF expression]"
	    vlan [name]

	edit packet-filter [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	reset-stats packet-filter
	reset-stats packet-filter
	  [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list packet-filter
	list packet-filter
	  [ [ [name] | [glob] | [regex] ] ... ]
	show running-config packet-filter
	show running-config packet-filter
	  [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line

	show packet-filter
	show packet-filter [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    field-fmt

   DELETE
	delete packet-filter [ all | [name] ]

DESCRIPTION
       You can use the packet-filter component to create a layer of security for the traffic management system using packet filter
       rules.

       The BIG-IP(r) system packet filters are based on the Berkeley Software Design Packet Filter (BPF) architecture. Packet
       filter rules are composed of four mandatory attributes and three optional attributes. The mandatory attributes are name,
       order, action, and rule. The optional attributes are vlan, logging, and rate-class. The rule attribute you choose defines
       the BPF script to match for the rule.

       Important: By default, packet filtering is disabled. You must enable packet filtering using the Configuration utility. For
       more information, see the TMOS(r) Management Guide for BIG-IP(r) Systems.

EXAMPLES
       You can create a set of rules that specify what incoming traffic you want the system to accept and how to accept it. See
       the examples following.

       Example 1: Block spoofed addresses
	    This example prevents private IP addresses from being accepted on a public VLAN. This is a way of ensuring that no one
	    can spoof private IP addresses through the external VLAN of the system. In this example, the system logs when this
	    happens:

	     create packet-filter spoof_blocker {
		order 5
		action discard
		vlan external
		logging enabled
		rule " (src net 172.19.255.0/24) "
	     }

       Example 2: Allow restricted management access
	    You can provide restricted SSH and HTTPS access to the traffic management system for management purposes, and keep a
	    log of that access. Note: This is not the same management access you can get through the management port/interface
	    (mgmt); that interface is not affected by any packet filter configuration, and if that is the only way you want to
	    allow access to your system, this configuration is not necessary.

	    In the first rule shown below, SSH is allowed access from a single fixed-address administrative workstation, and each
	    access is logged. In the subsequent rule, browser-based Configuration utility access is allowed from two fixed-address
	    administrative workstations; however, access is not logged.

	     create packet-filter management_ssh {
		  order 10
		  action accept
		  logging enabled
		  rule " (proto TCP) and (src host 172.19.254.10) and
			 (dst port 22) "
	     }

	     create packet-filter management_gui {
		  order 15
		  action accept
		  rule " (proto TCP) and (src host 172.19.254.2 or
			 src host 172.19.254.10) and (dst port 443) "
	     }

       Example 3: Allow access to all virtual servers
	    In this final example, you can verify that all of the virtual servers in your configuration are reachable from the
	    public network. This is critical if you have decided to use a default-deny policy. This example also shows how to rate
	    shape all traffic to the virtual server IP address with a default rate class (that can be overridden by individual
	    virtual servers or iRules(r) later).

	    Note: This example has a single virtual server IP, and it does not matter what port traffic is destined for. If you
	    want to be more specific, you can specify each service port, as well (for example, HTTP, FTP, telnet).

	     create packet-filter virtuals {
		order 20
		action accept
		vlan external
		rate-class root
		rule " ( dst host 172.19.254.80 ) "
	     }

OPTIONS
       You can use these options with the packet-filter component to create packet filter rules:

       action
	    Specifies how the system handles a packet that matches the criteria in the packet filter rule. There is no default;
	    you must specify a value when you create a packet filter rule.

	    The possible values are:

	    accept
		 Indicates that the system accepts the packet, and stops processing additional packet filter rules, if there are
		 any.

	    continue
		 Indicates that the system acknowledges the packet for logging or statistical purposes, but makes no decision on
		 how to handle the packet. The system continues to evaluate traffic matching a rule with the Continue action,
		 starting with the next packet filter rule in the list.

	    discard
		 Indicates that the system drops the packet, and stops processing additional packet filter rules, if there are
		 any.

	    reject
		 Indicates that the system drops the packet, and also sends a reject packet to the sender, indicating that the
		 packet was refused.

       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    object. Only the application service can modify or delete the object.

       description
	    User defined description.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.

       logging
	    Enables or disables packet filter logging. If you omit this value, no logging is performed.

       name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.

       order
	    Specifies a sort order greater than 0 (zero). No two rules may have the same sort order. There is a single, global
	    list of rules. Each rule in the list has a relative integer order. The system first evaluates the rule with the lowest
	    order value, and then evaluates the remaining rules in ascending order of their order values.

	    For example, if there are 5 rules, numbered 500, 100, 300, 200, 201; the rule evaluation order is 100, 200, 201, 300,
	    500.

	    The system compares each packet to be filtered against the list of rules in sequence, starting with the first.
	    Evaluation of the rule list stops on the first match that has an action of accept, discard or reject. A match on a
	    rule with an action of continue does not stop further evaluation of the rule list; the system updates the statistics
	    count and generates a log if the rule indicates it, but otherwise rule processing continues with the next rule in the
	    list.

	    F5 Networks recommends that you sequence rules for effect and efficiency; generally this means:

	    -- Assign the lowest order to more specific rules, so that the system will evaluate those rules first.

	    -- The system evaluates one expression with multiple criteria more efficiently than multiple expressions each with a
	    single criterion.

	    This option is required.

       rate-class
	    Specifies the name of a rate class. The value is the name of any existing rate class. If omitted, no rate filter is
	    applied.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
	    expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
	    expression syntax.

       rule Specifies the BPF expression to match. The rule is mandatory, however you can leave it empty. If empty, the packet
	    filter rule matches all packets.

       vlan Specifies the VLAN to which the packet filter rule applies. The value for this option is the name of any existing
	    VLAN. If you omit this value when you create a packet filter, the rule applies to all VLANs.
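       As an added illustration (not part of this man page or of F5's software), the following Python simulates the evaluation
       semantics described under order, rule and vlan above: the ascending-order walk, stopping at the first accept, discard or
       reject, continue only logging, per-VLAN scoping, and an empty rule matching everything. It runs the three example rules
       from the EXAMPLES section through a small evaluator for the BPF subset those rules use (proto, src/dst host, src/dst net,
       dst port, and/or, parentheses). The packet dictionary layout, the rule tuples and the default_action parameter (the
       unhandled-packet policy, which the page leaves to you) are assumptions of this example.

```python
import ipaddress
import re

RULES = [  # (name, order, action, vlan, logging, rule): the man page's three examples
    ("spoof_blocker", 5, "discard", "external", True, " (src net 172.19.255.0/24) "),
    ("management_ssh", 10, "accept", None, True,
     " (proto TCP) and (src host 172.19.254.10) and (dst port 22) "),
    ("management_gui", 15, "accept", None, False,
     " (proto TCP) and (src host 172.19.254.2 or src host 172.19.254.10) and (dst port 443) "),
    ("virtuals", 20, "accept", "external", False, " ( dst host 172.19.254.80 ) "),
]

def _factor(tok, i, pkt):                        # '(' expr ')' or one primitive of the BPF subset used
    if tok[i] == "(":
        val, i = _expr(tok, i + 1, pkt)
        return val, i + 1                        # step over the closing ")"
    if tok[i] == "proto":
        return pkt["proto"] == tok[i + 1].lower(), i + 2
    side, kind, arg = tok[i], tok[i + 1], tok[i + 2]   # e.g. "src host 172.19.254.10"
    addr = ipaddress.ip_address(pkt[side])       # packet keys (assumed): src, dst, srcport, dstport, proto
    if kind in ("host", "net"):                  # a bare host address is treated as a /32 network
        return addr in ipaddress.ip_network(arg, strict=False), i + 3
    if kind == "port":
        return pkt[side + "port"] == int(arg), i + 3
    raise ValueError(f"unsupported BPF primitive: {side} {kind}")

def _chain(tok, i, pkt, op, sub):                # sub (op sub)*; "and" binds tighter than "or"
    val, i = sub(tok, i, pkt)
    while i < len(tok) and tok[i] == op:
        rhs, i = sub(tok, i + 1, pkt)            # always parse the right side, then combine
        val = (val and rhs) if op == "and" else (val or rhs)
    return val, i

def _term(tok, i, pkt): return _chain(tok, i, pkt, "and", _factor)
def _expr(tok, i, pkt): return _chain(tok, i, pkt, "or", _term)

def bpf_match(rule, pkt):                        # an empty rule matches every packet
    tok = re.findall(r"\(|\)|[^\s()]+", rule)
    return True if not tok else _expr(tok, 0, pkt)[0]

def evaluate(rules, pkt, vlan, default_action):  # ascending order; first terminal match wins
    log = []
    for name, _order, action, rvlan, logging, rule in sorted(rules, key=lambda r: r[1]):
        if rvlan not in (None, vlan) or not bpf_match(rule, pkt):
            continue                             # rule is scoped to another VLAN, or no match
        if logging:
            log.append(f"{name}:{action}")
        if action != "continue":
            return action, log
    return default_action, log                   # unhandled-packet policy (assumed parameter)
```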

SEE ALSO
       create, delete, edit, glob, list, ltm virtual, modify, net packet-filter-trusted, net vlan, net vlan-group, regex,
       reset-stats, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012-2013. All rights reserved.

BIG-IP							    2013-10-25					      net packet-filter(1)