net packet-filter
net packet-filter(1) BIG-IP TMSH Manual net packet-filter(1)
NAME
packet-filter - Configures packet filter rules.
MODULE
net
SYNTAX
Configure the packet-filter component within the net module using the syntax in the following sections.
CREATE/MODIFY
create packet-filter [name]
modify packet-filter [name]
options:
action [accept | continue | discard | reject]
app-service [[string] | none]
description [string]
logging [enabled | disabled]
order [integer]
rate-class [name]
rule "[BPF expression]"
vlan [name]
edit packet-filter [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
reset-stats packet-filter
reset-stats packet-filter
[ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list packet-filter
list packet-filter
[ [ [name] | [glob] | [regex] ] ... ]
show running-config packet-filter
show running-config packet-filter
[ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
show packet-filter
show packet-filter [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
DELETE
delete packet-filter [ all | [name] ]
DESCRIPTION
You can use the packet-filter component to create a layer of security for the traffic management system using
packet filter rules.
The BIG-IP(r) system packet filters are based on the Berkeley Software Design Packet Filter (BPF)
architecture. Packet filter rules are composed of four mandatory attributes and three optional attributes. The
mandatory attributes are name, order, action, and rule. The optional attributes are vlan, logging, and rate-
class. The rule attribute you choose defines the BPF script to match for the rule.
Important: By default, packet filtering is disabled. You must enable packet filtering using the Configuration
utility. For more information, see the TMOS(r) Management Guide for BIG-IP(r) Systems.
EXAMPLES
You can create a set of rules that specify what incoming traffic you want the system to accept and how to
accept it. See the examples following.
Example 1: Block spoofed addresses
This example prevents private IP addresses from being accepted on a public VLAN. This is a way of
ensuring that no one can spoof private IP addresses through the external VLAN of the system. In this
example, the system logs when this happens:
create packet-filter spoof_blocker {
order 5
action discard
vlan external
logging enabled
rule " (src net 172.19.255.0/24) "
}
Example 2: Allow restricted management access
You can provide restricted SSH and HTTPS access to the traffic management system for management purposes,
and keep a log of that access. Note: This is not the same management access you can get through the
management port/interface (mgmt); that interface is not affected by any packet filter configuration, and
if that is the only way you want to allow access to your system, this configuration is not necessary.
In the first rule shown below, SSH is allowed access from a single fixed-address administrative
workstation, and each access is logged. In the subsequent rule, browser-based Configuration utility
access is allowed from two fixed-address administrative workstations; however, access is not logged.
create packet-filter management_ssh {
order 10
action accept
logging enabled
rule " (proto TCP) and (src host 172.19.254.10) and
(dst port 22) "
}
create packet-filter management_gui {
order 15
action accept
rule " (proto TCP) and (src host 172.19.254.2 or
src host 172.19.254.10) and (dst port 443) "
}
Example 3: Allow access to all virtual servers
In this final example, you can verify that all of the virtual servers in your configuration are reachable
from the public network. This is critical if you have decided to use a default-deny policy. This example
also shows how to rate shape all traffic to the virtual server IP address with a default rate class (that
can be overridden by individual virtual servers or iRules(r) later).
Note: This example has a single virtual server IP, and it does not matter what port traffic is destined
for. If you want to be more specific, you can specify each service port, as well (for example, HTTP, FTP,
telnet).
create packet-filter virtuals {
order 20
action accept
vlan external
rate-class root
rule " ( dst host 172.19.254.80 ) "
}
OPTIONS
You can use these options with the packet-filter component to create packet filter rules:
action
Specifies how the system handles a packet that matches the criteria in the packet filter rule. There is
no default; you must specify a value when you create a packet filter rule.
The possible values are:
accept
Indicates that the system accepts the packet, and stops processing additional packet filter rules,
if there are any.
continue
Indicates that the system acknowledges the packet for logging or statistical purposes, but makes no
decision on how to handle the packet. The system continues to evaluate traffic matching a rule with
the Continue action, starting with the next packet filter rule in the list.
discard
Indicates that the system drops the packet, and stops processing additional packet filter rules, if
there are any.
reject
Indicates that the system drops the packet, and also sends a reject packet to the sender, indicating
that the packet was refused.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
description
User defined description.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
logging
Enables or disables packet filter logging. If you omit this value, no logging is performed.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
order
Specifies a sort order greater than 0 (zero). No two rules may have the same sort order. There is a
single, global list of rules. Each rule in the list has a relative integer order. The system first
evaluates the rule with the lowest order value, and then evaluates the remaining rules in ascending
order of their order value.
For example, if there are 5 rules, numbered 500, 100, 300, 200, 201; the rule evaluation order is 100,
200, 201, 300, 500.
The system compares each packet to be filtered against the list of rules in sequence, starting with the
first. Evaluation of the rule list stops on the first match that has an action of accept, discard or
reject. A match on a rule with an action of continue does not stop further evaluation of the rule list; the
system updates the statistics count and generates a log if the rule indicates it, but otherwise rule
processing continues with the next rule in the list.
F5 Networks recommends that you sequence rules for effect and efficiency; generally this means:
-- Assign the lowest order to more specific rules, so that the system will evaluate those rules first.
-- The system evaluates one expression with multiple criteria more efficiently than multiple expressions
each with a single criterion.
This option is required.
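The following Python model is an added illustration (not part of this manual or the BIG-IP product) of the order, vlan, logging and action semantics described above, using the rules from Examples 1 through 3. The BPF expressions are replaced by hand-written predicates, and the hypothetical count_https rule and the default-deny fallback are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "TCP"
    dport: int = 0
    vlan: str = "external"

@dataclass
class Rule:
    name: str
    order: int
    action: str                      # accept | continue | discard | reject
    match: Callable[[Packet], bool]  # stand-in for the rule's BPF expression
    vlan: Optional[str] = None       # None: the rule applies to every VLAN
    logging: bool = False

# Predicates mirroring the manual's three examples, plus a hypothetical
# "continue" rule (count_https) that only logs HTTPS traffic and falls through.
RULES = [
    Rule("spoof_blocker", 5, "discard", vlan="external", logging=True,
         match=lambda p: ipaddress.ip_address(p.src) in ipaddress.ip_network("172.19.255.0/24")),
    Rule("management_ssh", 10, "accept", logging=True,
         match=lambda p: p.proto == "TCP" and p.src == "172.19.254.10" and p.dport == 22),
    Rule("count_https", 12, "continue", logging=True, match=lambda p: p.dport == 443),
    Rule("management_gui", 15, "accept",
         match=lambda p: p.proto == "TCP" and p.dport == 443
         and p.src in ("172.19.254.2", "172.19.254.10")),
    Rule("virtuals", 20, "accept", vlan="external", match=lambda p: p.dst == "172.19.254.80"),
]

def evaluate(rules, pkt, default="discard"):
    """Walk rules by ascending order; the first matching accept/discard/reject
    decides, a matching continue rule only logs and falls through."""
    orders = [r.order for r in rules]
    if len(orders) != len(set(orders)):
        raise ValueError("two packet-filter rules share a sort order")
    logged = []
    for r in sorted(rules, key=lambda r: r.order):
        if (r.vlan is not None and r.vlan != pkt.vlan) or not r.match(pkt):
            continue
        if r.logging:
            logged.append(r.name)
        if r.action in ("accept", "discard", "reject"):
            return r.action, r.name, logged
    return default, None, logged   # nothing decided: apply the assumed policy default
```

Note that a spoofed 172.19.255.0/24 source destined for the virtual server is discarded by spoof_blocker (order 5) before the virtuals rule (order 20) is ever reached, which is why the manual recommends giving specific rules the lowest order.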
rate-class
Specifies the name of a rate class. The value is the name of any existing rate class. If omitted, no rate
filter is applied.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
rule Specifies the BPF expression to match. The rule attribute is mandatory; however, you can leave it empty.
If empty, the packet filter rule matches all packets.
vlan Specifies the VLAN to which the packet filter rule applies. The value for this option is any VLAN name
currently in existence. If you omit this value when you create a packet-filter, the rule applies to all
VLANs.
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, net packet-filter-trusted, net vlan, net vlan-group,
regex, reset-stats, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012-2013. All rights reserved.
BIG-IP 2013-10-25 net packet-filter(1)