rjordan
Oct 07, 2011

Disabling Reject Unmatched Packets vs Dropping with a Packet Filter

We have several virtual servers that require external auditing/scanning for various compliance certifications. Some of our compliance vendors assume that the open/filtered state from dropped UDP packets on our routers is indeed open, because they get a closed state from rejected packets from the LBs. It is a pretty bad assumption, but we have to deal with it anyway.

I know I can enable the packet filter to explicitly permit the necessary ports and then set Unhandled Packet Action to DISCARD. I'm just worried that I might miss something in my rules and break a bunch of stuff.

The other alternative seems to be setting TM.RejectUnmatched to False. My concern is that I don't know all the scenarios that RSTs are used for. I guess if a client somehow gets out of sync and sends a SYN that it no longer has a connection for, the LB would not send a RST. It would just allow the client to time out? Is anyone else using this option? It is much easier to implement, but I don't know if I should be worried about any other side effects.

  • Not sure if I understand correctly. You don't want BIG-IP to send a reset or unreachable if the port is not open (listening), do you?

    If so, is a wildcard virtual server with a discard action helpful?

    [root@iris:Active] config  b virtual list
    virtual bar {
       snat automap
       destination 172.28.17.33:http
       ip protocol tcp
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    
    [root@iris:Active] config  b db|grep -i match
    TM.ContinueMatching = false
    TM.RejectUnmatched = true
    
    [root@iris:Active] config  tcpdump -nni 0.0 host 172.28.16.50
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    18:02:39.077784 IP 172.28.16.50.44906 > 172.28.17.33.53:  30724+ A? www.google.com. (32)
    18:02:39.077824 IP 172.28.17.33 > 172.28.16.50: ICMP 172.28.17.33 udp port 53 unreachable, length 36
    
    [root@iris:Active] config  b virtual wildcard destination any:any mask 0.0.0.0 rule discard_rule
    [root@iris:Active] config  b virtual wildcard list
    virtual wildcard {
       destination any:any
       mask 0.0.0.0
       rules discard_rule
    }
    [root@iris:Active] config  b rule discard_rule list
    rule discard_rule {
       when CLIENT_ACCEPTED {
            discard
    }
    }
    
    [root@iris:Active] config  tcpdump -nni 0.0 host 172.28.16.50
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    18:04:12.533123 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
    18:04:17.533315 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
    18:04:22.533661 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
    
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
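Added example, not part of the thread above and not F5 code: a small client-side probe that classifies a port the way an external scanner does, so you can check from outside what the BIG-IP answers before and after changing TM.RejectUnmatched, the packet filter's unhandled action, or the wildcard virtual server with the discard iRule. With RejectUnmatched on, a TCP port with no virtual server answers RST (reported as closed) and a UDP port answers ICMP port unreachable (closed); once those are discarded, the same ports come back as filtered and open|filtered, which is the ambiguity the original post describes. The host, ports and timeout are parameters; the offline demo at the end constructs local listeners on 127.0.0.1 so the block runs without a BIG-IP.

```python
"""Client-side port probe: reproduce what an external scanner sees from a
load balancer depending on whether unmatched packets are rejected
(RST / ICMP port unreachable) or silently discarded.

Added example for this thread; not code from the thread or from F5.
"""
import socket
import threading

# Labels in the vocabulary port scanners use.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"
UDP_AMBIGUOUS = "open|filtered"  # silence: dropped on the wire, or a service that never answers


def probe_tcp(host, port, timeout=2.0):
    """TCP: SYN/ACK -> open; RST -> closed; no answer before timeout -> filtered.

    A BIG-IP with TM.RejectUnmatched=true answers RST for a port with no
    virtual server (closed); a DISCARD action or a discard iRule answers
    nothing (filtered).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return FILTERED
    except OSError as e:  # e.g. host/network unreachable from this vantage point
        return "error:%s" % e.strerror


def probe_udp(host, port, payload=b"\x00", timeout=2.0):
    """UDP: datagram back -> open; ICMP port unreachable -> closed;
    silence -> open|filtered (the state the poster's vendors misread as open).

    The socket is connected so the kernel reports the ICMP error to this
    socket as ECONNREFUSED instead of discarding it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(4096)
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except socket.timeout:
            return UDP_AMBIGUOUS


def scan(host, tcp_ports=(), udp_ports=(), timeout=2.0):
    """Return {(proto, port): state} for every port given."""
    results = {}
    for p in tcp_ports:
        results[("tcp", p)] = probe_tcp(host, p, timeout)
    for p in udp_ports:
        results[("udp", p)] = probe_udp(host, p, timeout)
    return results


def _free_port(kind):
    """Bind an ephemeral port of the given socket type and release it, so the
    number is known to have no listener (constructed 'closed' case)."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_against_local_listeners(timeout=1.0):
    """Offline demonstration (constructed): one open TCP port, one UDP echo
    port, and one TCP and one UDP port with nothing listening, all on loopback.
    Returns the four classifications keyed by case name."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind(("127.0.0.1", 0))
    tcp_open, udp_open = tcp_srv.getsockname()[1], udp_srv.getsockname()[1]

    def udp_echo():  # answer exactly one datagram so the UDP 'open' case has a reply
        data, peer = udp_srv.recvfrom(4096)
        udp_srv.sendto(data, peer)

    threading.Thread(target=udp_echo, daemon=True).start()
    try:
        return {
            "tcp_open": probe_tcp("127.0.0.1", tcp_open, timeout),
            "tcp_closed": probe_tcp("127.0.0.1", _free_port(socket.SOCK_STREAM), timeout),
            "udp_open": probe_udp("127.0.0.1", udp_open, timeout=timeout),
            "udp_closed": probe_udp("127.0.0.1", _free_port(socket.SOCK_DGRAM), timeout=timeout),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    for case, state in demo_against_local_listeners().items():
        print("%-10s %s" % (case, state))
```

Run `scan("<virtual server IP>", tcp_ports=[80, 443, 8080], udp_ports=[53])` from outside the BIG-IP, once with TM.RejectUnmatched=true and once with the discard configuration in place; the states that change from closed to filtered (or open|filtered) are the ones the vendors' scanners will now report differently. On a host that itself suppresses ICMP port unreachable messages, the local UDP closed case degrades to open|filtered, which is exactly the ambiguity the thread is about.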