For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dogg_dogg_23774's avatar
dogg_dogg_23774
Icon for Nimbostratus rankNimbostratus
May 15, 2006

analyzing tcp or udp port info in ip forwarding mode

Hi,     There is a requirement from customers that they want to forward ip packets only if the packets are icmp or the port number is greater than 1024.   However, when attempting to associat...
application delivery
dev
devops
iRules
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Jun 07, 2006
Set up one network virtual server (0.0.0.0/0) with protocol TCP, binding only to your internal vlan:


virtual tcp_test-std_vip {
   destination any:any
   ip protocol tcp
   vlans internal enable
   rule tcp_forward-rule
}

And another for UDP:


virtual udp_test-std_vip {
   destination any:any
   ip protocol udp
   vlans internal enable
   rule udp_forward-rule
}

Now setup a network forwarding virtual server (0.0.0.0/0) with protocol 1 (ICMP), binding only to your internal vlan:


virtual icmp_test-fwd_vip {
   destination any:any
   ip forward
   ip protocol icmp
   vlans internal enable
}

And of course, the rules for the TCP/UDP forwarding:


rule tcp_forward-rule {
  when CLIENT_ACCEPTED {
    if { [TCP::client_port] > 1024 } {
      forward
    } else { discard }
  }
}
rule udp_forward-rule {
  when CLIENT_ACCEPTED {
    if { [UDP::client_port] > 1024 } {
      forward
    } else { discard }
   }
}

Standard disclaimer...Untested!