Forum Discussion
rjordan
Nimbostratus
NimbostratusDisabling Reject Unmatched Packets vs Dropping with a Packet Filter
We have several virtual servers that require external auditing/scanning for various compliance certifications. Some of our compliance vendors assume that the open/filtered state from dropped UDP packe...
nitass
Employee
Employeenot sure if i understand correctly. u don't want bigip to send reset or unreachable if port is not opening (listening), do u?
if so, is wildcard virtual server with discard action helpful?
[root@iris:Active] config b virtual list
virtual bar {
snat automap
destination 172.28.17.33:http
ip protocol tcp
rules myrule
profiles {
http {}
tcp {}
}
}
[root@iris:Active] config b db|grep -i match
TM.ContinueMatching = false
TM.RejectUnmatched = true
[root@iris:Active] config tcpdump -nni 0.0 host 172.28.16.50
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
18:02:39.077784 IP 172.28.16.50.44906 > 172.28.17.33.53: 30724+ A? www.google.com. (32)
18:02:39.077824 IP 172.28.17.33 > 172.28.16.50: ICMP 172.28.17.33 udp port 53 unreachable, length 36
[root@iris:Active] config b virtual wildcard destination any:any mask 0.0.0.0 rule discard_rule
[root@iris:Active] config b virtual wildcard list
virtual wildcard {
destination any:any
mask 0.0.0.0
rules discard_rule
}
[root@iris:Active] config b rule discard_rule list
rule discard_rule {
when CLIENT_ACCEPTED {
discard
}
}
[root@iris:Active] config tcpdump -nni 0.0 host 172.28.16.50
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
18:04:12.533123 IP 172.28.16.50.58033 > 172.28.17.33.53: 1454+ A? www.google.com. (32)
18:04:17.533315 IP 172.28.16.50.58033 > 172.28.17.33.53: 1454+ A? www.google.com. (32)
18:04:22.533661 IP 172.28.16.50.58033 > 172.28.17.33.53: 1454+ A? www.google.com. (32)
3 packets captured
3 packets received by filter
0 packets dropped by kernel
