security firewall rule-list
security firewall rule-list(1) BIG-IP TMSH Manual security firewall rule-list(1)
NAME
rule-list - Configures a rule-list of network firewall rules. You can reuse a rule list in multiple firewalls,
such as the firewalls for self IPs, routing domains, and the global firewall.
MODULE
security firewall
SYNTAX
CREATE/MODIFY
create rule-list [name]
modify rule-list [[name] | all]
options:
description [string]
rules [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
action [accept | accept-decisively | drop | reject]
app-service [name]
description [string]
source {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | delete | modify | replace-all-with] {
[ [ip address] | [ip_address/prefixlen] ]
}
addresses none
fqdns [add | delete | replace-all-with] {
[ fully qualified domain names]
}
fqdns none
geo [add | default | delete | replace-all-with] {
[ [country_code [state state_name] ] ]
}
geo none
ipi-category [add | default | delete | replace-all-with] {
[ IP-Intelligence category names... ]
}
ipi-category none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
vlans [add | default | delete | replace-all-with] {
[vlan names...]
}
vlans none
}
destination {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | delete | modify | replace-all-with] {
[ [ip address] | [ip address/prefixlen] ]
}
addresses none
fqdns [add | delete | replace-all-with] {
[ fully qualified domain names]
}
fqdns none
geo [add | default | delete | replace-all-with] {
[ [country_code [state state_name] ] ]
}
geo none
ipi-category [add | default | delete | replace-all-with] {
[ IP-Intelligence category names... ]
}
ipi-category none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | delete | modify | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
}
icmp [add | delete | modify | replace-all-with] {
[ [icmp_type] | icmp_type:icmp_code ] {
description [string]
}
}
icmp none
ip-protocol [protocol name]
irule [irule name]
irule-sample-rate [integer]
log [no | yes]
place-after [first | last | [rule name]]
place-before [first | last | [rule name]]
rule-list [rule list name]
schedule [schedule name]
status [disabled | enabled | scheduled]
service-policy [service policy name]
uuid [ | none | auto-generate]
virtual-server [virtual server name]
ips-profile [IPS profile name]
classification-policy [classification policy name]
}
}
rules none
edit rule-list [[name] | all]
options:
all-properties
non-default-properties
DISPLAY
list rule-list [[name] | all | [property]]
show running-config rule-list [[name] | all | [property]]
DESCRIPTION
You can use the rule-list component to configure network firewall rules to be applied to multiple firewalls.
The network software compares IP packets to the criteria specified in these rules. If a packet matches the
criteria then the system takes the action specified by the rule. If a packet does not match any rule in the
list, the software accepts the packet or passes it to the next rule or rule-list (for example, the system
compares the packet to net self-ip rules if the packet is destined for a network associated with a self-ip
that has firewall rules defined).
MATCHING AN IP PACKET
You can use this TMSH component to match against any or all of the following properties of an IP packet:
source address
source fqdn
source geo
source port
the packet's source VLAN
destination address
destination fqdn
destination geo
destination port
the higher-level protocol in the packet's payload
If you match against more than one of these items, a packet must pass all of your tests to successfully match.
For example, if you match against a source subnet and several destination ports, a packet must originate from
the given subnet and must also have one of the specified destination ports.
RULE ORDER
The network software evaluates firewall rules in the order that you specify. You can use the list management-
ip-rules command to see the current rule order. As you add or modify rules in this component, you can use the
place-before rule-name or place-after rule-name option to choose the rule's place in the sequence.
Rule order can determine whether or not a packet is dropped. Consider the following rules:
rule_a, matches source addresses against 172.16.0.0 and ACCEPTS all packets that match.
rule_d, matches source addresses against 172.16.39.0 and DROPS all packets that match.
Also consider a packet from a host at 172.16.39.55. If rule_a appears before rule_d in the rule list, the
packet's source address matches rule_a first and the software accepts it. The software never reaches rule_d
for comparison. If rule_d appears first instead, the packet's source address now matches rule_d; in this case,
the software drops the packet.
EXAMPLES
create rule-list block_bad_mgmt description "ports to be blocked on our management interfaces" rules replace-
all-with { reject_telnet { ip-protocol tcp destination { ports add { telnet } } action reject } }
Creates a new rule list called block_bad_mgmt. It matches and rejects any TCP packet whose destination port is
telnet. The description indicates that the rule is intended for the management-IP firewall.
modify rule-list block_bad_mgmt rules add { reject_http { ip-protocol tcp destination { ports add { http } }
action reject place-after last } }
Modifies the above rule list by blocking HTTP traffic, too.
list rule-list block_bad_mgmt
security firewall rule-list block_bad_mgmt {
description "ports to be blocked on our management interfaces"
rules {
reject_telnet {
action reject
destination {
ports {
telnet { }
}
}
ip-protocol tcp
}
reject_http {
action reject
destination {
ports {
http { }
}
}
ip-protocol tcp
}
}
}
Shows the above rule list, with both rules.
modify rule-list rules add { reject-internal-net { place-before first action reject source { addresses
replace-all-with { 172.27.0.0/16 } } } }
Creates a rule entry at the beginning of the list that rejects traffic from the 172.27.0.0 network.
create security firewall rule-list rl1 description "Geo Locations to be blocked" rules add { r1 { source { geo
add { US } } place-after first action drop } }
Creates a new rule list "rl1", which matches and rejects any packet with a US source. The description explains
the purpose of the rule list.
modify security firewall rule-list rl2 rules add { r2 { source { geo add { CA } } place-before last action
drop } }
security firewall rule-list rl2 {
description "Geo Locations to be blocked"
rules {
r2 {
action drop
source {
geo {
CA {
state none
}
}
}
}
r1 {
action drop
source {
geo {
US {
state none
}
}
}
}
}
}
Shows the above rule list, with both rules.
create security firewall rule-list rl1 description "domains to be blocked" rules add { r1 { destination {
fqdns add { xyz.com} } place-after first action drop } }
Creates a new rule list "rl1", which matches and rejects any packet with destination IP addresses in domain
'xyz.com'. The description explains the purpose of the rule list.
modify security firewall rule-list rl1 rules modify { r1 { destination { fqdns add { abc.com } } } }
Modifies the above rule list by blocking destination IP addresses in domain 'abc.com' too.
list rule-list rl1
security firewall rule-list rl1 {
description "domains to be blocked"
rules {
r1 {
action drop
destination {
fqdns {
abc.com { }
xyz.com { }
}
}
}
}
}
Shows the above rule list, with the single rule r1.
OPTIONS
app-service
Associates the rule list with a particular Application Service. An Application Service is a major
component of an iApp, an advanced configuration tool for creating and maintaining similar applications on
multiple servers. The asm module has components for working with iApps.
description
Your description for this list of firewall rules.
rules
Adds, deletes, or replaces a firewall rule.
add Creates a new rule, which you specify next with a unique string in curly braces ({}). Use the place-
before or place-after option inside the curly braces to determine the order of the rule. If this is
the first rule, use the replace-all-with option instead of add.
delete
Deletes the rule that you specify next, in curly braces ({}).
modify
Modifies the existing rule that you specify next, in curly braces ({}). After the rule name, enter
the new configuration settings for the rule inside a nested set of curly braces.
none Empties the list of rules. An empty rule list implicitly accepts all packets. The security software
skips this context and assesses packets against the next layer of firewall rules, if there is one
(such as those defined for net self-ip, net route-domain or ltm virtual)
replace-all-with
Replaces the current list of rules with the rule(s) that you specify next, in curly braces ({}). Use
this option for the first rule in the list.
Enter the name of a rule to be added or modified, then enter an open curly brace ({), one or more of the
following options, and a closed curly brace (}).
action
Specifies the action that the system takes when a rule is matched.
accept
Specifies that a matching packet should be accepted. The security software stops comparing a
matching packet to any other rules in the list. The software continues comparing the packet to
rules in the next appropriate context (such as net self-ip, net route-domain or ltm virtual).
accept-decisively
Specifies that a matching packet should be accepted and should not be compared to any other
firewall rules in any other context.
drop Specifies that a matching packet should be silently dropped. The security software sends
nothing back to the packet source. The security software does not compare the packet to any
other firewall rules in any other context.
reject
Specifies that a matching packet should be dropped. For TCP-based protocols, the security
software sends a TCP reset (with the RST flag raised) back to the source. For other protocols,
reject is equivalent to drop.
description
Your description for the current rule.
destination
Matches against each packet's destination IP and/or destination port. The next options choose the
matching criteria.
address-lists
Specifies a list of IP-address lists (see "security firewall address-list") to compare against
the packet's destination address.
This list uses the same add, delete, none, and replace-all-with commands described above for
rules, as well as a default command.
addresses
Specifies a list of IP addresses and/or subnets to compare against the packet's destination
address.
The format for an IPv4 address is a.b.c.d[/prefix]. The general format for an IPv6 address is
a:b:c:d:e:f:g:h[/prefix]; you can shorten this by eliminating leading zeros from each field
(for example, you can shorten "2001:0db7:3f4a:09dd:0a90:ff00:0042:8329" to
"2001:db7:3f4a:9dd:a90:ff00:42:8329"), and/or by removing the longest contiguous field of zeros
(for example, you can shorten "2001:0:0:0:c34a:0:0:678" to "2001::c34a:0:0:678"). TMSH accepts
any valid text representation of IPv6 addresses, as defined in RFC 2373 (see
).
To edit this list, use the same add, delete, modify, none, and replace-all-with commands
described above for rules.
fqdns
Specifies a list of fully qualified domain names to compare against packet's destination IP
address domain.
To edit this list, use the same add, delete, none, and replace-all-with commands described
above for rules.
geo Specifies a list of Geo Locations to compare a packet's source or destination Geo Location.
The format for a Geo Location is a 2 character string for the country code and a string for the
state.
To edit this list, use the same add, delete, modify, none, and replace-all-with options
described above for rules.
ipi-category
Specifies a list of IP-Intelligence category names that the packet will be compared against.
port-lists
Specifies a collection of port lists (see "security firewall port-list") to compare against the
packet's destination port. If you use this option to specify a port list, a packet only matches
if it's destination port matches a port on these lists.
If you combine address lists and port lists in the same rule, a packet must have a matching
port and a matching address to fully match the rule.
This list uses the same add, delete, none, and replace-all-with commands described above for
rules, as well as a default command.
ports
Specifies a list of ports and port ranges to compare against the packet's destination port.
To edit this list, use the same add, delete, modify, none, and replace-all-with commands
described above for rules.
icmp Specifies a list of ICMP types and codes to compare against the packet. You must set the ip-protocol
option to "icmp" for this option to function. If you use this option, the current rule only matches
ICMP packets that have the ICMP properties you specify here. You can add, delete, or modify (that
is, change the description of) any entry in the list, or replace-all-with a new set of entries that
you specify between curly braces ({}).
Use the standard integer identifiers to specify an ICMP type. For example: 3 is destination
unreachable and 3:1 is destination unreachable with a code of host unreachable. The official list of
ICMP types and codes is here: .
ip-protocol
Specifies the IP protocol to compare against the packet. This could be a layer-3 protocol (such as
ipv4 or ipv6), or a higher-level protocol like ospf or rdp. If you specify this option, a packet
only matches if it uses the chosen protocol. Press the key for a full list of valid protocols.
irule
Specifies the name of the iRule that will be triggered when a packet matches this firewall rule. The
firewall rule match raises a FLOW_INIT iRule event.
irule-sample-rate
Specifies the rate at which an iRule specified by irule option will be triggered when a packet
matches this firewall rule. The rate is an integer value in the range 0-65535 and specifies how many
packets must match this firewall rule before the iRule is triggered. The default value is 1 and
causes the iRule to be triggered for every packet that matches this firewall rule. A value of 0
disables iRule triggering.
log Specifies whether the security software should write a log entry for all packets that match this
rule. You must also enable network filter logging in the "security log profile" component for this
option to have any effect. Note that the security software always increments the statistics counter
when a packet matches a rule, no matter how you set this option.
place-after [first | last | rule-name]
Specifies that a new rule should be placed after the first rule, the last rule, or the rule-name you
specify. If you are adding individual rules (as opposed to specifying replace-all-with), then you
must use place-before or place-after to specify the rule's position in the list.
place-before [first | last | rule-name]
Specifies that a new rule should be placed before the first rule, the last rule, or the rule-name
you specify. If you are adding individual rules (as opposed to specifying replace-all-with), then
you must use place-before or place-after to specify the rule's position in the list.
rule-list
Specifies a full rule list instead of a customized rule that you might define with the other
options. If you use this option, then only the schedule and status options are valid; the tmsh
software rejects any other options that you attempt to use with rule-list.
schedule
Specifies a schedule for the rule. See "security firewall schedule". If you omit this option, the
rule or rule list is enabled all the time.
If the rule refers to a rule-list, the rule-list is enabled according to the schedule. When the rule
list is enabled, the security software then honors any schedules defined within the rule-list.
source
Matches against each packet's source IP, source port, and/or source VLAN. The next options choose
the matching criteria.
address-lists
Specifies a list of address lists (see "security firewall address-list") to compare against the
packet's source address.
This list uses the same add, delete, none, and replace-all-with commands described above for
rules, as well as a default command.
addresses
Specifies a list of IP addresses and networks to compare against the packet's source address.
The format for an IPv4 address is a.b.c.d. The format for an IPv6 address is a:b:c:d:e:f:g:h.
To edit this list, use the same add, delete, modify, none, and replace-all-with commands
described above for rules.
fqdns
Specifies a list of fully qualified domain names to compare against packet's source IP address
domain.
To edit this list, use the same add, delete, none, and replace-all-with commands described
above for rules.
geo Specifies a list of Geo Locations to compare a packet's source or destination Geo Location.
The format for a Geo Location is a 2 alphabet string for the country code and a string for the
state.
To edit this list, use the same add, delete, modify, none, and replace-all-with options
described above for rules.
ipi-category
Specifies a list of IP-Intelligence category names that the packet will be compared against.
port-lists
Specifies a collection of port lists (see "security firewall port-list") to compare against the
packet's source port. If you use this option to specify a port list, a packet only matches if
its source port matches a port on these lists.
This list uses the same add, delete, none, and replace-all-with commands described above for
rules, as well as a default command.
ports
Specifies a list of ports and port ranges to compare against the packet's source port.
To edit this list, use the same add, delete, modify, none, and replace-all-with commands
described above for rules.
vlans
Specifies a list of VLANs, VLAN groups, and tunnels to compare against the packet.
This list uses the same add, delete, none, and replace-all-with commands described above for
rules, as well as a default command.
status
Specifies whether the rule is enabled, disabled or scheduled. A rule that is enabled is always
checked. A rule that is disabled is never checked. A rule that is scheduled is checked according to
the corresponding schedule configuration. A rule that is scheduled must have an associated schedule
configuration.
service-policy
Specifies the service policy configuration to use. (see "net service-policy"). The service policy
can be used to set specific policy based configurations like flow timers, which applies to the flows
that matches the rule.
uuid Specifies how this rule UUID is assigned: assign a explict uuid based on RFC-4122, empty UUID (none
value), or an auto-generated uuid by system (auto-generated value) based on system wide
mode:[uuid-default-autogenerate mode] when creating a rule.
virtual-server
Specifies the virtual server name that will be used for further traffic processing. Option is valid
only for global and/or route domain contexts.
ips-profile
Specifies IPS profile name used for signature matching and/or protocol compliance checks for flows
matching the rule.
classification-policy
Specifies the Classification Policy name that will be enforced.
SEE ALSO
edit, list, modify, security firewall address-list, security firewall port-list, security firewall global-
rules, security log profile, security firewall schedule, net service-policy, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2016. All rights reserved.
BIG-IP 2018-09-17 security firewall rule-list(1)