Forum Discussion
dogg_dogg_23774
Nimbostratus
May 15, 2006
analyzing tcp or udp port info in ip forwarding mode
Hi,
There is a requirement from customers that they want to forward IP packets only if the packets are ICMP or the port number is greater than 1024.
However, when attempting to associat...
John_McInnes_44
Nimbostratus
Oct 05, 2006
I found this post again through a search and thought that I would try it out.
Unfortunately citizen_elah's idea doesn't really work 100%.
Indeed the LTM will let you build the config, and you get forwarding and port inspection in iRules.
Unfortunately you also get a situation where any connection through the wildcard virtual server is immediately accepted (e.g., telnet outward to any IP on any port), then reset if the remote host doesn't have that port open, or the TCP session will continue if the remote host has the port open.
So it seems that the LTM will:
- Accept the wildcard connection from the client (internal side)
- Attempt to build the connection to the remote host (external side)
then
- Reset the connection if the port isn't open on the remote host
OR
- Proceed normally if the port is open on the remote host
In summary, it works but it's not very elegant.
What we need is for F5 to fix the forwarding virtual server so that we can do proper TCP or UDP port inspection.
- John
