net packet-filter-trusted

net packet-filter-trusted(1)  BIG-IP TMSH Manual  net packet-filter-trusted(1)



NAME
       packet-filter-trusted - Modifies or displays trusted allow lists for
       packet filters.

MODULE
       net

SYNTAX
       Configure the packet-filter-trusted component within the net module
       using the syntax in the following sections.

   MODIFY
	modify packet-filter-trusted
	  options:
	    description [string]
	    ip-addresses none
	    ip-addresses
	      [add | delete | replace-all-with] {
		[ip address ... ]
	    }
	    mac-addresses none
	    mac-addresses
	      [add | delete | replace-all-with] {
		[MAC address ...]
	    }
	    vlans none
	    vlans
	      [add | delete | replace-all-with] {
		[vlan name ... ]
	    }

	edit packet-filter-trusted

   DISPLAY
	list packet-filter-trusted
	show running-config packet-filter-trusted
	  options:
	    all-properties
	    non-default-properties
	    one-line

DESCRIPTION
       Use the packet-filter-trusted component to maintain the trusted allow
       lists for the packet filter on the traffic management system.

       Trusted allow lists are lists of source IP addresses, source MAC
       addresses, and ingress VLANs. Traffic that matches any entry is exempt
       from packet filter rules: the system allows it before the rules are
       evaluated, so no packet filter rule can block it.

       Important: By default, packet filtering is disabled. You must enable
       packet filtering using the Configuration utility. For more information,
       see the TMOS(r) Management Guide for BIG-IP(r) Systems.

EXAMPLE
       Creates a trusted allow list that allows anything listed to bypass the
       packet filter.

       In the following example, you have an administrative laptop that you
       want to have unrestricted access to the traffic management system.
       Because it is a laptop, its IP address may change from time to time,
       so a trusted IP address would not be a stable choice. One way to solve
       the problem is to add a trusted MAC address. This trusted allow list
       example shows the laptop MAC address as 00:02:3F:3E:2F:FE. Now the
       laptop can access the traffic management system regardless of what
       address it boots with or to which VLAN it is connected, as long as it
       is on the same physical segment as the traffic management system.
       Note that a trusted MAC address is honored before any packet filter
       rule is evaluated, so no rule can block that host, and that any
       device on the same segment that sends frames with the same source MAC
       address receives the same bypass.

       Also in this example, the traffic management system is configured for
       basic firewalling of the private/internal network. This example shows
       a way to filter incoming traffic while leaving outgoing traffic
       unrestricted. To do this, you add trusted VLANs that represent all
       traffic that originated on the internal network. Another way to do
       this is to use trusted IP addresses instead, for example,
       192.168.26.0/24.

	modify packet-filter-trusted {
	  vlans add { internal1 internal2 }
	  mac-addresses add { 00:02:3F:3E:2F:FE }
	}

OPTIONS
       description
	    User defined description.

       ip-addresses
	    Specifies a list of source IP addresses or address prefixes, for
	    example, 192.168.26.0/24. Any traffic whose source IP address
	    matches an entry in the list is automatically allowed. This
	    simplifies configuration of the packet filter to allow trusted
	    internal traffic to be passed from VLAN to VLAN without a filter
	    rule, including out to the Internet. The system processes this
	    option before it evaluates the rule list, so a packet filter rule
	    cannot override it to block any of the matching traffic. This
	    option is empty by default.

       mac-addresses
	    Specifies a list of source MAC addresses. Any traffic whose
	    source MAC address matches an entry in the list is automatically
	    allowed. This simplifies configuration of the packet filter to
	    allow trusted internal traffic to be passed from VLAN to VLAN
	    without a filter rule, including out to the Internet. The system
	    processes this option before it evaluates the rule list, so a
	    packet filter rule cannot override it to block any of the
	    matching traffic. This option is empty by default.

       vlans
	    Specifies a list of ingress VLANs. Any traffic received on a VLAN
	    that is on the ingress VLAN list is automatically allowed. This
	    simplifies configuration of the packet filter to allow trusted
	    internal traffic to be passed from VLAN to VLAN without a filter
	    rule, including out to the Internet. The system processes this
	    option before it evaluates the rule list, so a packet filter rule
	    cannot override it to block any of the matching traffic. This
	    option is empty by default.
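
       The following script is an added example; it is not part of this
       manual page and is not F5 code. It parses the brace syntax that
       list packet-filter-trusted prints (the same syntax the modify example
       above uses) and reports entries that need review, because every entry
       on these three lists is allowed before the packet filter rules are
       evaluated and cannot be blocked by any rule. The sample configuration
       text, the set of expected internal VLANs, and the /16 prefix threshold
       are assumptions made for the example, not values from this manual.

```python
"""Audit a BIG-IP trusted allow list (net packet-filter-trusted).

Added example, not part of the tmsh manual page and not F5 code. It parses
the brace-delimited text that `tmsh list net packet-filter-trusted` prints
and flags entries that deserve sign-off: anything on these lists is allowed
before packet filter rules are evaluated and cannot be blocked by a rule.
"""
import ipaddress
import re

# Constructed sample output, not captured from a real system. It reflects the
# manual's example (two trusted VLANs and a laptop MAC) plus two IP entries
# and a third VLAN, added so the checks below have something to report.
SAMPLE_CONFIG = """\
net packet-filter-trusted {
    description "admin laptop and internal VLANs bypass the packet filter"
    ip-addresses { 192.168.26.0/24 10.0.0.0/8 }
    mac-addresses { 00:02:3F:3E:2F:FE }
    vlans { internal1 internal2 external }
}
"""

TRUSTED_KEYS = ("ip-addresses", "mac-addresses", "vlans")
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


def parse_trusted(config_text):
    """Return {key: [entries]} for the three trusted lists.

    A key that is absent, or rendered as `<key> none`, yields an empty list.
    """
    lists = {}
    for key in TRUSTED_KEYS:
        match = re.search(r"^\s*%s\s*\{([^}]*)\}" % re.escape(key),
                          config_text, re.MULTILINE)
        lists[key] = match.group(1).split() if match else []
    return lists


def audit_trusted(lists, expected_vlans, min_prefixlen=16):
    """Return a list of (kind, entry, reason) findings.

    expected_vlans: VLAN names that are legitimately internal; any other
    trusted VLAN is reported. min_prefixlen: prefixes shorter than this
    (wider address ranges) are reported. Both thresholds are assumptions
    made for this example.
    """
    findings = []
    for entry in lists["ip-addresses"]:
        # BIG-IP may append a route domain as addr%id; only the prefix matters.
        addr = entry.split("%", 1)[0]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(("ip-addresses", entry, "not a valid address or prefix"))
            continue
        if net.prefixlen < min_prefixlen:
            findings.append(("ip-addresses", entry,
                             "prefix /%d is wider than /%d" % (net.prefixlen, min_prefixlen)))
    for entry in lists["mac-addresses"]:
        if not MAC_RE.match(entry):
            findings.append(("mac-addresses", entry, "malformed MAC address"))
        else:
            # Every trusted MAC is a rule bypass for any frame on the segment
            # carrying that source address, so each one is listed for sign-off.
            findings.append(("mac-addresses", entry,
                             "source MAC bypasses all packet filter rules"))
    for vlan in lists["vlans"]:
        if vlan not in expected_vlans:
            findings.append(("vlans", vlan, "not in the expected internal VLAN set"))
    return findings


if __name__ == "__main__":
    report = audit_trusted(parse_trusted(SAMPLE_CONFIG),
                           expected_vlans={"internal1", "internal2"})
    for kind, entry, reason in report:
        print("%-13s %-20s %s" % (kind, entry, reason))
```

       Run as-is, the script reports the /8 prefix, the trusted MAC, and the
       VLAN named external from the constructed sample. To audit a real
       system, save the output of list net packet-filter-trusted to a file
       and pass its contents to parse_trusted.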

SEE ALSO
       edit, list, ltm virtual, modify, net packet-filter, net vlan,
       net vlan-group, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012-2013, 2016. All
       rights reserved.



BIG-IP				  2016-03-14	  net packet-filter-trusted(1)