security dos udp-portlist

security dos udp-portlist(1)  BIG-IP TMSH Manual  security dos udp-portlist(1)



NAME
       udp-portlist - Configures the DoS udp portlist component within the
       security dos module using the syntax shown in the following sections.
       These DoS udp portlist entries are applied to all udp packets except
       those going through the management interface.

MODULE
       security dos

SYNTAX
   MODIFY
	modify udp-portlist dos-udp-portlist
	 options:
	  description [string]
	  list-type [exclude-listed-ports | include-listed-ports]
	  entries [modify | replace-all-with] {
	     [entry] {
	       options:
		description [string]
		match-direction [both | dst | none | src]
		port-number [number]
	     }
	  }

   DISPLAY
	list udp-portlist

DESCRIPTION
       You can use the udp-portlist component to configure a DoS UDP portlist
       of up to eight entries for all UDP traffic except the management
       interface.  The HSB hardware compares all incoming UDP traffic to the
       udp-portlist entries.  There are two types of behavior, depending upon
       whether the UDP port list is configured as a white list or as a black
       list. White list and black list are mutually exclusive properties of a
       UDP port list.

       If the UDP port list is configured with a list-type of
       exclude-listed-ports, and a match is found on an incoming packet, then
       the UDP Flood DoS vector is not incremented.  If a match is not found,
       then the UDP Flood DoS vector checks are done on those packets.

       If the UDP port list is configured with a list-type of
       include-listed-ports, and a match is found on an incoming packet, then
       the UDP Flood DoS vector is incremented.  If a match is not found, then
       the UDP Flood DoS vector checks are not done on the packets.

       Either destination port or source port or both can be specified in a
       udp-portlist entry.
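
       The decision described above, modelled in Python as an added example
       (not F5 code and not part of the original manual; the real comparison
       is done in the HSB hardware). The Entry class and the function names
       are hypothetical, and treating match-direction none as matching nothing
       is an assumption, since the manual does not define it.

```python
# Added illustration: a software model of the udp-portlist decision.
# It is not F5 code; on BIG-IP the comparison is done by the HSB hardware.
from dataclasses import dataclass

MAX_ENTRIES = 8  # "up to eight entries" per the DESCRIPTION


@dataclass(frozen=True)
class Entry:
    port_number: int
    match_direction: str  # one of: both | dst | none | src

    def matches(self, src_port: int, dst_port: int) -> bool:
        if self.match_direction == "src":
            return src_port == self.port_number
        if self.match_direction == "dst":
            return dst_port == self.port_number
        if self.match_direction == "both":
            # "both" matches if either port equals port-number (see EXAMPLES)
            return self.port_number in (src_port, dst_port)
        if self.match_direction == "none":
            return False  # ASSUMPTION: the manual does not define "none"
        raise ValueError(f"unknown match-direction: {self.match_direction}")


def udp_flood_vector_applies(list_type, entries, src_port, dst_port):
    """Return True if the packet is subject to the UDP Flood DoS vector."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError("a udp-portlist holds at most eight entries")
    matched = any(e.matches(src_port, dst_port) for e in entries)
    if list_type == "include-listed-ports":
        return matched        # only packets on listed ports are counted
    if list_type == "exclude-listed-ports":
        return not matched    # packets on listed ports are exempt
    raise ValueError(f"unknown list-type: {list_type}")


# Constructed sample: one entry for port 161 in either direction.
SNMP_BOTH = [Entry(161, "both")]
# Constructed packets as (src_port, dst_port).
PACKETS = {"snmp_request": (40000, 161), "snmp_reply": (161, 40000),
           "dns_query": (40000, 53)}

def evaluate(list_type, entries=SNMP_BOTH):
    return {name: udp_flood_vector_applies(list_type, entries, s, d)
            for name, (s, d) in PACKETS.items()}

if __name__ == "__main__":
    for lt in ("include-listed-ports", "exclude-listed-ports"):
        print(lt, evaluate(lt))
```

       In the include-listed-ports case every port that is not listed falls
       outside the UDP Flood DoS vector, so an empty or short list leaves most
       UDP traffic uncounted by that vector.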

EXAMPLES
       modify udp-portlist dos-udp-portlist description "bad ports"
       list-type include-listed-ports

       Modifies the udp-portlist dos-udp-portlist to a blacklist.

       modify udp-portlist dos-udp-portlist list-type exclude-listed-ports

       Modifies the udp-portlist dos-udp-portlist to a white-list.

       modify udp-portlist dos-udp-portlist description "bad ports" entries
       modify { entry1 { match-direction src port-number 161 } }

       Modifies an entry. The new entry is for source UDP port 161. It
       matches any UDP packet whose source port is 161.

       modify udp-portlist dos-udp-portlist entries modify { 161 {
       match-direction both } }

       Modifies the entry for destination UDP port 161 to source and
       destination port 161. It matches any UDP packet whose destination or
       source port is 161.

	security dos udp-portlist dos-udp-portlist {
	   entries {
	       entry1 {
		   match-direction both
		   port-number snmp
	       }
	       entry2 { }
	       entry3 { }
	       entry4 { }
	   }
	   white-list
	}

       Displays the current list of DoS UDP portlist entries.

OPTIONS
       description
	    Your description for the DoS udp-portlist.

       list-type
	    Sets the list type to be either exclude-listed-ports or
	    include-listed-ports.

	    include-listed-ports
		 Sets the property of the dos-udp-portlist list to
		 include-listed-ports (Blacklist).

	    exclude-listed-ports
		 Sets the property of the dos-udp-portlist list to
		 exclude-listed-ports (Whitelist).

       entries
	    Modifies a udp-portlist entry.

	    modify
		 Modifies the existing entry that you specify next, in curly
		 braces ({}).  After the entry name, enter the new
		 configuration (port mode and port number) settings for the
		 entry inside a nested set of curly braces.

	    replace-all-with
		 Replaces the current set of udp-portlist entries with the
		 entry or entries that you specify next, in curly braces ({}).

	    Enter the name of an entry to be modified, then enter an open
	    curly brace ({), one or more of the following options, and a
	    closed curly brace (}).

	    description
		 Your description for the current entry.

	    match-direction
		 Set the mode of matching (source, destination or both).

	    port-number
		 Set the port number for matching.

SEE ALSO
       edit, list, modify, security, security dos, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008, 2012-2016. All rights
       reserved.



BIG-IP				  2016-03-14	  security dos udp-portlist(1)