Forum Discussion

7 Replies

Sort By
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 18, 2009
    If you want to block ICMP for a virtual server address, you can define a packet filter which drops protocol ICMP for the VIP address:

     

     

    Action: discard

     

    Expression: ( proto ICMP ) and ( dst host 10.42.2.100 )

     

     

    Aaron
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    May 18, 2009
    Here is an untested iRule way 

     
 when CLIENT_ACCEPTED { 
   if { [IP::protocol] == 1 } { reject } 
 }

    There is also another way which I have done on Linux only, but it applies to all addresses

    As superuser, add the following lines to /etc/sysctl.conf:

    net.ipv4.icmp_echo_ignore_broadcasts = 1

    net.ipv4.icmp_echo_ignore_all = 1

    Then run the following command to cause it take effect immediately

    sysctl -p

    This change will persist through a reboot. But would need to be reset after an upgrade.

    Hope this helps

    CB

  • Vishal_96707's avatar
    Vishal_96707
    Icon for Nimbostratus rankNimbostratus
    May 18, 2009
    Is it safe to use packet filer? Will it have any adverse impact on the performance of the box?
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    May 18, 2009

    Perhaps you need to log it to the ltm log file. If you apply this it may provide you with the information you need to block it. 

     
  when CLIENT_ACCEPTED {  
  log local0. "The IP Protocol is [IP::protocol]" 
    if { [IP::protocol] == 1 } {  
        reject  
     }  
  }

    CB

  • c_p_i_o_17707's avatar
    c_p_i_o_17707
    Historic F5 Account
    May 18, 2009
    Does "bigpipe virtual address arp disable" at the CLI suite your needs?
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    May 18, 2009
    Aaron's solution of using packet filters is the only one that will work here. A virtual server consists of IP address AND port, which is what iRules run on. ICMP is to the virtual *address*. Different things. And since you can have multiple virtual servers on one IP address, there's no way to affect something done on a virtual address with an iRule that runs on a virtual server.

     

     

    Denny
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 18, 2009
    Disabling ARP would also break all communication with any virtual server on the virtual address (unless the upstream network device had hardcoded arp entries, in which case the setting wouldn't matter).

     

     

    As for performance of packet filters, we have several large enterprise customers who routinely use them without issue. It's still a good idea to have a firewall between LTM and any insecure network.

     

     

    Aaron