net packet-filter-trustedΒΆ

net packet-filter-trusted(1)			  BIG-IP TMSH Manual			 net packet-filter-trusted(1)

NAME
       packet-filter-trusted - Modifies or displays trusted allow lists for packet filters.

MODULE
       net

SYNTAX
       Configure the packet-filter-trusted component within the net module using the syntax in the following
       sections.

   MODIFY
	modify packet-filter-trusted
	  options:
	    description [string]
	    ip-addresses none
	    ip-addresses
	      [add | delete | replace-all-with] {
		[ip address ... ]
	    }
	    mac-addresses none
	    mac-addresses
	      [ add | delete | replace-all-with] ] {
		[MAC address ...]
	    }
	    vlans none
	    vlans
	      [add | delete | replace-all-with] ] {
		[vlan name ... ]
	    }

	edit packet-filter-trusted

   DISPLAY
	list packet-filter-trusted
	show running-config packet-filter-trusted
	  options:
	    all-properties
	    non-default-properties
	    one-line

DESCRIPTION
       Use the packet-filter-trusted component to create a layer of security for the traffic management system using
       trusted allow lists.

       Trusted allow lists are lists of IP addresses, MAC addresses, and VLANs that are exempt from packet filter
       rules.

       Important: By default, packet filtering is disabled. You must enable packet filtering using the Configuration
       utility. For more information, see the TMOS(r) Management Guide for BIG-IP(r) Systems.

EXAMPLE
       Creates a trusted allow list that allows anything listed to bypass the packet filter.

       In the following example, you have an administrative laptop that you want to have unrestricted access to the
       traffic management system. This is a laptop, and therefore it might have a different IP address from time to
       time. One way to solve the problem is to add a trusted MAC address. This trusted allow list example shows the
       laptop MAC address as 00:02:3F:3E:2F:FE. Now the laptop can access the traffic management system regardless of
       what address it boots with or to which VLAN it is connected, as long as it is on the same physical segment as
       the traffic management system.

       Also in this example, the traffic management system is configured for basic firewalling of the
       private/internal network. This example shows a way to filter incoming traffic and allow outgoing traffic to be
       unrestricted. To do this, you add trusted VLANs that represent all traffic that originated on the internal
       network. Another way to do this is to use trusted IP addresses instead, for example, 192.168.26.0/24.

	modify packet-filter-trusted {
	  vlans add { internal1 internal2 }
	  mac-addresses add { 00:02:3F:3E:2F:FE }
	}

OPTIONS
       description
	    User defined description.

       ip-addresses
	    Specifies a list of source IP addresses. Any traffic matching a source IP address in the list is
	    automatically allowed. This simplifies configuration of the packet filter to allow trusted internal
	    traffic to be passed from VLAN to VLAN without a filter rule, including out to the Internet. Processing
	    of traffic by this option occurs before rule list evaluation, making it impossible to override this
	    option and mask out (block) certain types of traffic with a packet filter rule. This option is empty by
	    default.

       mac-addresses
	    Specifies a list of MAC addresses. The system allows any traffic matching a MAC address in the source
	    address list. This simplifies configuration of the packet filter to allow trusted internal traffic to be
	    passed from VLAN to VLAN without a filter rule, including out to the Internet. Processing of traffic by
	    this option occurs before rule list evaluation, making it impossible to override this option and mask out
	    (block) certain types of traffic with a packet filter rule. This option is empty by default.

       vlans
	    Specifies a list of ingress VLANs. Any traffic received on a VLAN that is on the ingress VLAN list is
	    automatically allowed. This simplifies configuration of the packet filter to allow trusted internal
	    traffic to be passed from VLAN to VLAN without a filter rule, including out to the Internet. Processing
	    of traffic by this option occurs before rule list evaluation, making it impossible to override this
	    option and mask out (block) certain types of traffic with a packet filter rule. This option is empty by
	    default.

SEE ALSO
       edit, list, ltm virtual, modify, net packet-filter, net vlan, net vlan-group, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012-2013, 2016. All rights reserved.

BIG-IP						      2016-03-14			 net packet-filter-trusted(1)