
Forum Discussion

rjordan (Nimbostratus)
Oct 07, 2011

Disabling Reject Unmatched Packets vs Dropping with a Packet Filter

We have several virtual servers that require external auditing/scanning for various compliance certifications. Some of our compliance vendors assume that the open/filtered state from dropped UDP packets on our routers is indeed open, because they get a closed state from rejected packets from the LBs. It is a pretty bad assumption, but we have to deal with it anyway.

I know I can enable the packet filter to explicitly permit the necessary ports and then set Unhandled Packet Action to DISCARD. I'm just worried that I might miss something in my rules and break a bunch of stuff.

The other alternative seems to be setting TM.RejectUnmatched to False. My concern is that I don't know all the scenarios that RSTs are used for. I guess if a client somehow gets out of sync and sends a SYN that it no longer has a connection for, the LB would not send a RST. It would just allow the client to time out? Is anyone else using this option? It is much easier to implement, but I don't know if I should be worried about any other side effects.

1 Reply

  • Not sure if I understand correctly. You don't want BIG-IP to send a reset or unreachable if the port is not open (listening), do you?

    If so, is a wildcard virtual server with a discard action helpful?

    [root@iris:Active] config  b virtual list
    virtual bar {
       snat automap
       destination 172.28.17.33:http
       ip protocol tcp
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    
    [root@iris:Active] config  b db|grep -i match
    TM.ContinueMatching = false
    TM.RejectUnmatched = true
    
    [root@iris:Active] config  tcpdump -nni 0.0 host 172.28.16.50
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    18:02:39.077784 IP 172.28.16.50.44906 > 172.28.17.33.53:  30724+ A? www.google.com. (32)
    18:02:39.077824 IP 172.28.17.33 > 172.28.16.50: ICMP 172.28.17.33 udp port 53 unreachable, length 36
    
    [root@iris:Active] config  b virtual wildcard destination any:any mask 0.0.0.0 rule discard_rule
    [root@iris:Active] config  b virtual wildcard list
    virtual wildcard {
       destination any:any
       mask 0.0.0.0
       rules discard_rule
    }
    [root@iris:Active] config  b rule discard_rule list
    rule discard_rule {
       when CLIENT_ACCEPTED {
          discard
       }
    }
    
    [root@iris:Active] config  tcpdump -nni 0.0 host 172.28.16.50
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    18:04:12.533123 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
    18:04:17.533315 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
    18:04:22.533661 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
    
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
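The two captures in the reply are exactly the difference the OP's scanners turn into "closed" versus "open|filtered": an ICMP port unreachable (or, for TCP, a RST) before the change, silence after it. The following is an added example, not code from the thread or from F5. It is a small Python classifier that reads tcpdump -nn text, records for each probe whether the BIG-IP sent a RST or ICMP unreachable, answered it, or stayed silent, collapses that into the per-port state a scanner would report, and diffs a before and an after view so that any port that stopped answering (the OP's worry about a packet-filter rule that misses something) shows up as a regression. The sample captures are constructed: the UDP lines are copied from the reply, while the TCP lines (a SYN to 8080 answered with a RST, a SYN to 80 answered with a SYN/ACK by the http virtual server) are invented for illustration and use the same lab addresses.

```python
"""Classify how a BIG-IP answered scan probes, from "tcpdump -nn" text.

Added example, not code from the thread or from F5.  Assumes the -nn
(numeric) output and the "Flags [S]" notation of current tcpdump.
"""
import re
from dataclasses import dataclass

PROBE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP \S+ (?P<proto>udp|tcp) port (?P<port>\d+) unreachable")
FLAGS_RE = re.compile(r"Flags \[(?P<f>[^\]]*)\]")


@dataclass
class Probe:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    answer: str = "silent"   # silent | rst | synack | icmp-unreachable | reply


def parse_capture(text):
    """Return one Probe per outbound probe seen, with the answer it received."""
    probes = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            # tcpdump's summary line for ICMP unreachable omits the client
            # port, so attribute it to the latest unanswered probe to that port.
            for p in reversed(probes):
                if (p.proto, p.src, p.dst, p.dport, p.answer) == (
                        m["proto"], m["dst"], m["src"], int(m["port"]), "silent"):
                    p.answer = "icmp-unreachable"
                    break
            continue
        m = PROBE_RE.match(line)
        if not m:
            continue                      # banner, packet-count and other lines
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = FLAGS_RE.match(m["rest"])
        proto = "tcp" if flags else "udp"
        # A packet whose 4-tuple is the reverse of an earlier probe is its reply.
        reply_to = next((p for p in reversed(probes) if (p.proto, p.src, p.sport,
                         p.dst, p.dport) == (proto, dst, dport, src, sport)), None)
        if reply_to is not None:
            if proto == "udp":
                reply_to.answer = "reply"
            elif "R" in flags["f"]:
                reply_to.answer = "rst"
            elif "S" in flags["f"]:
                reply_to.answer = "synack"
            continue
        if proto == "tcp" and "S" not in flags["f"]:
            continue                      # only a SYN starts a TCP probe
        probes.append(Probe(proto, src, sport, dst, dport))
    return probes


TCP_STATE = {"synack": "open", "rst": "closed", "silent": "filtered"}
UDP_STATE = {"reply": "open", "icmp-unreachable": "closed", "silent": "open|filtered"}


def scanner_view(probes):
    """Collapse probes into the per-port state a scanner would report."""
    view = {}
    for p in probes:
        table = TCP_STATE if p.proto == "tcp" else UDP_STATE
        key = (p.proto, p.dport)
        # A definite answer (open/closed) beats a silent probe of the same port.
        if view.get(key) not in ("open", "closed"):
            view[key] = table.get(p.answer, "open")
    return view


def regressions(before, after):
    """Ports that answered before the change but no longer do: a service the
    change broke, e.g. a packet-filter permit rule that was forgotten."""
    return sorted(k for k, s in before.items() if s == "open" and after.get(k) != "open")


def rejections(probes):
    """Probes the device actively rejected (RST or ICMP unreachable)."""
    return [p for p in probes if p.answer in ("rst", "icmp-unreachable")]


# Constructed captures: UDP lines from the reply, TCP lines invented.
BEFORE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
18:02:39.077784 IP 172.28.16.50.44906 > 172.28.17.33.53:  30724+ A? www.google.com. (32)
18:02:39.077824 IP 172.28.17.33 > 172.28.16.50: ICMP 172.28.17.33 udp port 53 unreachable, length 36
18:02:40.100000 IP 172.28.16.50.50001 > 172.28.17.33.8080: Flags [S], seq 1000, win 29200, length 0
18:02:40.100050 IP 172.28.17.33.8080 > 172.28.16.50.50001: Flags [R.], seq 0, ack 1001, win 0, length 0
18:02:41.100000 IP 172.28.16.50.50002 > 172.28.17.33.80: Flags [S], seq 2000, win 29200, length 0
18:02:41.100040 IP 172.28.17.33.80 > 172.28.16.50.50002: Flags [S.], seq 9000, ack 2001, win 4380, length 0
6 packets captured
"""
AFTER_CAPTURE = """\
18:04:12.533123 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
18:04:17.533315 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
18:04:22.533661 IP 172.28.16.50.58033 > 172.28.17.33.53:  1454+ A? www.google.com. (32)
18:04:23.100000 IP 172.28.16.50.50003 > 172.28.17.33.8080: Flags [S], seq 3000, win 29200, length 0
18:04:24.100000 IP 172.28.16.50.50004 > 172.28.17.33.80: Flags [S], seq 4000, win 29200, length 0
18:04:24.100040 IP 172.28.17.33.80 > 172.28.16.50.50004: Flags [S.], seq 9100, ack 4001, win 4380, length 0
"""

if __name__ == "__main__":
    before = scanner_view(parse_capture(BEFORE_CAPTURE))
    after = scanner_view(parse_capture(AFTER_CAPTURE))
    print("before:", before)
    print("after: ", after)
    print("regressions:", regressions(before, after))
    print("rejections after change:", rejections(parse_capture(AFTER_CAPTURE)))
```

Run the same TCP SYN and UDP scan from the scanner host while capturing on the BIG-IP, once before and once after the change, and feed both captures in. On the after-capture, rejections() should be empty, and regressions() should be empty as well; a port listed there is one that used to answer and now does not, which is where a missing permit rule (or a missing virtual server) would surface. A SYN/ACK on a port that has no real virtual server means the catch-all virtual completed the handshake before the iRule discarded the connection, so the scanner will call that port open rather than filtered; the classifier reports it as open for the same reason.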