security dos udp-portlist
security dos udp-portlist(1) BIG-IP TMSH Manual security dos udp-portlist(1)
NAME
udp-portlist - Configures the DoS UDP portlist component within the security dos module using the syntax shown
in the following sections. These DoS UDP portlist entries are applied to all UDP packets except those going
through the management interface.
MODULE
security dos
SYNTAX
MODIFY
modify udp-portlist dos-udp-portlist
  options:
    description [string]
    list-type [exclude-listed-ports | include-listed-ports]
    entries [modify | replace-all-with] {
      [entry] {
        options:
          description [string]
          match-direction [both | dst | none | src]
          port-number [number]
      }
    }
DISPLAY
list udp-portlist
DESCRIPTION
You can use the udp-portlist component to configure a DoS UDP portlist of up to eight entries for all UDP
traffic except the management interface. The HSB hardware compares all incoming UDP traffic to the
udp-portlist entries. There are two types of behavior, depending on whether the UDP port list is configured
as a white list or as a black list. White list and black list are mutually exclusive properties of a UDP
port list.
If the UDP port list is configured with a list-type of exclude-listed-ports and a match is found on an
incoming packet, the UDP Flood DoS vector is not incremented. If a match is not found, the UDP Flood DoS
vector checks are done on those packets.
If the UDP port list is configured with a list-type of include-listed-ports and a match is found on an
incoming packet, the UDP Flood DoS vector is incremented. If a match is not found, the UDP Flood DoS vector
checks are not done on the packets.
Either destination port or source port or both can be specified in a udp-portlist entry.
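The list-type and match-direction behavior described above, modeled in Python as an added example; it is not F5 code and not part of the TMSH manual. The names Entry, flood_vector_applies and classify are hypothetical, the sample ports and packets are constructed, and treating match-direction none as matching nothing is an assumption the page does not state.

```python
# Added illustration: a software model of the list-type semantics described
# above. It is not F5 code; the HSB hardware performs the real comparison.
from dataclasses import dataclass

MAX_ENTRIES = 8  # the page states a limit of eight entries


@dataclass(frozen=True)
class Entry:
    port_number: int
    match_direction: str  # "src", "dst", "both" or "none"

    def matches(self, src_port: int, dst_port: int) -> bool:
        if self.match_direction == "src":
            return src_port == self.port_number
        if self.match_direction == "dst":
            return dst_port == self.port_number
        if self.match_direction == "both":
            # "both" matches when either port equals the entry (see EXAMPLES)
            return self.port_number in (src_port, dst_port)
        if self.match_direction == "none":
            return False  # assumption: "none" disables the entry
        raise ValueError(f"unknown match-direction: {self.match_direction}")


def flood_vector_applies(list_type: str, entries: list, src_port: int, dst_port: int) -> bool:
    """Return True when the packet is subject to the UDP Flood DoS vector."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError("a udp-portlist holds at most eight entries")
    matched = any(e.matches(src_port, dst_port) for e in entries)
    if list_type == "include-listed-ports":  # blacklist: only listed ports count
        return matched
    if list_type == "exclude-listed-ports":  # whitelist: listed ports are exempt
        return not matched
    raise ValueError(f"unknown list-type: {list_type}")


# Constructed sample: SNMP (161) in both directions, DNS (53) as source only.
ENTRIES = [Entry(161, "both"), Entry(53, "src")]
# Constructed packets as (src_port, dst_port).
PACKETS = [(40000, 161), (53, 40000), (40000, 53), (40000, 9999)]


def classify(list_type: str) -> list:
    """Apply the model to every sample packet under the given list-type."""
    return [flood_vector_applies(list_type, ENTRIES, s, d) for s, d in PACKETS]
```

The same entries give opposite results under the two list types, so switching list-type without reviewing the entries inverts which traffic the UDP Flood vector covers.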
EXAMPLES
modify udp-portlist dos-udp-portlist description "bad ports" list-type include-listed-ports
Modifies the udp-portlist dos-udp-portlist to a blacklist.
modify udp-portlist dos-udp-portlist list-type exclude-listed-ports
Modifies the udp-portlist dos-udp-portlist to a white-list.
modify udp-portlist dos-udp-portlist description "bad ports" entries modify { entry1 { match-direction src port-number 161 } }
Modifies an entry. The new entry is for source UDP port 161. It matches any UDP packet whose source port is
161.
modify udp-portlist dos-udp-portlist entries modify { 161 { match-direction both } }
Modifies the entry for destination UDP port 161 to source and destination port 161. It matches any UDP packet
whose destination or source port is 161.
security dos udp-portlist dos-udp-portlist {
    entries {
        entry1 {
            match-direction both
            port-number snmp
        }
        entry2 { }
        entry3 { }
        entry4 { }
    }
    white-list
}
Displays the current list of DoS UDP portlist entries.
OPTIONS
description
  Your description for the DoS udp-portlist.
list-type
  Sets the list type to be either exclude-listed-ports or include-listed-ports.
  include-listed-ports
    Sets the property of the dos-udp-portlist list to include-listed-ports (Blacklist).
  exclude-listed-ports
    Sets the property of the dos-udp-portlist list to exclude-listed-ports (Whitelist).
entries
  Modifies a udp-portlist entry.
  modify
    Modifies the existing entry that you specify next, in curly braces ({}). After the entry name,
    enter the new configuration (port mode and port number) settings for the entry inside a nested set
    of curly braces.
  replace-all-with
    Replaces the current set of udp-portlist entries with the entry or entries that you specify next, in
    curly braces ({}).
  Enter the name of an entry to be modified, then enter an open curly brace ({), one or more of the
  following options, and a closed curly brace (}).
  description
    Your description for the current entry.
  match-direction
    Set the mode of matching (source, destination or both).
  port-number
    Set the port number for matching.
SEE ALSO
edit, list, modify, security, security dos, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2016. All rights reserved.
BIG-IP 2016-03-14 security dos udp-portlist(1)