net packet-filter
net packet-filter(1) BIG-IP TMSH Manual net packet-filter(1)
NAME
packet-filter - Configures packet filter rules.
MODULE
net
SYNTAX
Configure the packet-filter component within the net module using the
syntax in the following sections.
CREATE/MODIFY
create packet-filter [name]
modify packet-filter [name]
options:
action [accept | continue | discard | reject]
app-service [[string] | none]
description [string]
logging [enabled | disabled]
order [integer]
rate-class [name]
rule "[BPF expression]"
vlan [name]
edit packet-filter [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
reset-stats packet-filter
reset-stats packet-filter
[ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list packet-filter
list packet-filter
[ [ [name] | [glob] | [regex] ] ... ]
show running-config packet-filter
show running-config packet-filter
[ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
show packet-filter
show packet-filter [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
DELETE
delete packet-filter [ all | [name] ]
DESCRIPTION
You can use the packet-filter component to create a layer of security
for the traffic management system using packet filter rules.
The BIG-IP(r) system packet filters are based on the Berkeley Software
Design Packet Filter (BPF) architecture. Packet filter rules are
composed of four mandatory attributes and three optional attributes.
The mandatory attributes are name, order, action, and rule. The
optional attributes are vlan, logging, and rate-class. The rule
attribute you choose defines the BPF script to match for the rule.
Important: By default, packet filtering is disabled. You must enable
packet filtering using the Configuration utility. For more information,
see the TMOS(r) Management Guide for BIG-IP(r) Systems.
EXAMPLES
You can create a set of rules that specify what incoming traffic you
want the system to accept and how to accept it. See the examples
following.
Example 1: Block spoofed addresses
This example prevents private IP addresses from being accepted on
a public VLAN. This is a way of ensuring that no one can spoof
private IP addresses through the external VLAN of the system. In
this example, the system logs when this happens:
create packet-filter spoof_blocker {
order 5
action discard
vlan external
logging enabled
rule " (src net 172.19.255.0/24) "
}
Example 2: Allow restricted management access
You can provide restricted SSH and HTTPS access to the traffic
management system for management purposes, and keep a log of that
access. Note: This is not the same management access you can get
through the management port/interface (mgmt); that interface is
not affected by any packet filter configuration, and if that is
the only way you want to allow access to your system, this
configuration is not necessary.
In the first rule shown below, SSH is allowed access from a single
fixed-address administrative workstation, and each access is
logged. In the subsequent rule, browser-based Configuration
utility access is allowed from two fixed-address administrative
workstations; however, access is not logged.
create packet-filter management_ssh {
order 10
action accept
logging enabled
rule " (proto TCP) and (src host 172.19.254.10) and
(dst port 22) "
}
create packet-filter management_gui {
order 15
action accept
rule " (proto TCP) and (src host 172.19.254.2 or
src host 172.19.254.10) and (dst port 443) "
}
Example 3: Allow access to all virtual servers
In this final example, you can verify that all of the virtual
servers in your configuration are reachable from the public
network. This is critical if you have decided to use a default-deny
policy. This example also shows how to rate shape all traffic
to the virtual server IP address with a default rate class (that
can be overridden by individual virtual servers or iRules(r)
later).
Note: This example has a single virtual server IP, and it does not
matter what port traffic is destined for. If you want to be more
specific, you can specify each service port, as well (for example,
HTTP, FTP, telnet).
create packet-filter virtuals {
order 20
action accept
vlan external
rate-class root
rule " ( dst host 172.19.254.80 ) "
}
OPTIONS
You can use these options with the packet-filter component to create
packet filter rules:
action
Specifies how the system handles a packet that matches the
criteria in the packet filter rule. There is no default; you must
specify a value when you create a packet filter rule.
The possible values are:
accept
Indicates that the system accepts the packet, and stops
processing additional packet filter rules, if there are any.
continue
Indicates that the system acknowledges the packet for logging
or statistical purposes, but makes no decision on how to
handle the packet. The system continues to evaluate traffic
matching a rule with the Continue action, starting with the
next packet filter rule in the list.
discard
Indicates that the system drops the packet, and stops
processing additional packet filter rules, if there are any.
reject
Indicates that the system drops the packet, and also sends a
reject packet to the sender, indicating that the packet was
refused.
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
description
User defined description.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
logging
Enables or disables packet filter logging. If you omit this value,
no logging is performed.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
order
Specifies a sort order greater than 0 (zero). No two rules may
have the same sort order. There is a single, global list of rules.
Each rule in the list has a relative integer order. The system
first evaluates the rule with the lowest order value, and then
evaluates the remaining rules in ascending order of the order value
assigned to each rule.
For example, if there are 5 rules, numbered 500, 100, 300, 200,
201; the rule evaluation order is 100, 200, 201, 300, 500.
The system compares each packet to be filtered against the list of
rules in sequence, starting with the first. Evaluation of the rule
list stops on the first match that has an action of accept,
discard or reject. A match on a rule with an action of continue does
not stop further evaluation of the rule list; the system updates
the statistics count and generates a log if the rule indicates it,
but otherwise rule processing continues with the next rule in the
list.
F5 Networks recommends that you sequence rules for effect and
efficiency; generally this means:
-- Assign the lowest order to more specific rules, so that the
system will evaluate those rules first.
-- The system evaluates one expression with multiple criteria more
efficiently than multiple expressions each with a single
criterion.
This option is required.
rate-class
Specifies the name of a rate class. The value is the name of any
existing rate class. If omitted, no rate filter is applied.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
rule Specifies the BPF expression to match. The rule is mandatory;
however, you can leave it empty. If empty, the packet filter rule
matches all packets.
vlan Specifies the VLAN to which the packet filter rule applies. The
value for this option is any VLAN name currently in existence. If
you omit this value when you create a packet-filter, the rule
applies to all VLANs.
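The Python model below is added here as an illustration and is not part of the TMSH documentation or of the BIG-IP implementation. It compiles the BPF subset that the examples above use (src/dst host, net and port, proto, and/or, parentheses) into a predicate and walks a rule list with the semantics described under order and action: rules are evaluated in ascending order, the first matching accept, discard or reject decides, a matching continue rule only logs and moves on, a rule with a vlan applies only to that VLAN, and an empty rule matches every packet. Packet, RULES, the log line format and the host-as-/32 treatment are constructed assumptions of the model, not BIG-IP behaviour.

```python
import ipaddress
import re
from collections import namedtuple
Packet = namedtuple("Packet", "src dst proto sport dport vlan")  # constructed packet summary
def compile_rule(expr):
    """Compile the page's BPF subset (src|dst host|net|port, proto, and/or, parens) into a predicate."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr)
    def atom():
        t = toks.pop(0)
        if t == "(":
            inner = disj()
            if toks.pop(0) != ")": raise ValueError("unbalanced parentheses")
            return inner
        if t == "proto":
            return lambda p, name=toks.pop(0).lower(): p.proto.lower() == name
        qual, val = toks.pop(0), toks.pop(0)            # t is src or dst
        if qual == "port":
            return lambda p, n=int(val): getattr(p, t[0] + "port") == n
        net = ipaddress.ip_network(val, strict=False)   # host is modelled as a /32 net
        return lambda p: ipaddress.ip_address(getattr(p, t)) in net
    def conj():                                         # and binds tighter than or
        f = atom()
        while toks and toks[0] == "and":
            toks.pop(0); f = (lambda l, r: lambda p: l(p) and r(p))(f, atom())
        return f
    def disj():
        f = conj()
        while toks and toks[0] == "or":
            toks.pop(0); f = (lambda l, r: lambda p: l(p) or r(p))(f, conj())
        return f
    pred = disj() if toks else (lambda p: True)         # empty rule matches all packets
    if toks: raise ValueError(f"trailing tokens: {toks}")
    return pred

def evaluate(rules, pkt):
    """First matching accept/discard/reject in ascending order decides; continue only logs."""
    log = []
    for r in sorted(rules, key=lambda r: r["order"]):
        if r.get("vlan") not in (None, pkt.vlan) or not r["match"](pkt):
            continue                                    # scoped to another VLAN, or no match
        if r.get("logging"): log.append(f"{r['name']} {r['action']} {pkt.src}->{pkt.dst}:{pkt.dport}")
        if r["action"] != "continue": return r["action"], log
    return None, log  # nothing terminal matched: the global unmatched-packet setting decides

RULES = [  # the rules from examples 1 and 2 above, with their stated order values
    {"name": "spoof_blocker", "order": 5, "action": "discard", "vlan": "external", "logging": True,
     "match": compile_rule("(src net 172.19.255.0/24)")},
    {"name": "management_ssh", "order": 10, "action": "accept", "logging": True,
     "match": compile_rule("(proto TCP) and (src host 172.19.254.10) and (dst port 22)")},
]
```

Calling evaluate(RULES, pkt) returns the deciding action (or None when no terminating rule matched) together with the log lines that rules with logging enabled would have produced.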
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify,
net packet-filter-trusted, net vlan, net vlan-group, regex, reset-stats,
show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012-2013. All rights
reserved.
BIG-IP 2013-10-25 net packet-filter(1)