Forum Discussion
Forwarding IP Question
I am going through some rules in our BigIP and I found one that is particularly disturbing (I think). We have an IP forwarding virtual server with both source and destination set to 0.0.0.0. This is allowing access to SSH, WebGUI, etc. through our public self IP address. I believe this was done to allow for management traffic to pass to servers that sit behind the IP which use it as their default gateway (ICMP, RDP, etc.) as well as facilitate the connection for those servers to access the Internet. There is no way this is best practice and I need to know the best way to remediate this asap. I think the desired configuration would be to configure a SNAT for the subnet that sits behind the BigIP, and then configure another VS that would enable management traffic to pass between internal subnets. I just need some clarification.
Thanks in advance.
- What_Lies_Bene1 (Cirrostratus)
You've a multitude of options. I don't see S/NAT as a security measure at all I'm afraid.
* Leave the VS as is and use a packet filter (or AFM) to restrict inbound access
* Leave the VS as is and use an iRule to restrict inbound access
* My preference: Leave the VS for the outbound access, disable it on the external VLAN. For inbound management create port specific VSs AND associated packet filters to restrict access.
* Better yet, use a secure access method (VPN, PPTP, whatever) that doesn't go through the F5 and apply static routes as necessary on the servers.
- nitass (Employee)
Now my question is, if I change this, does this impact both ingress and egress traffic? If I change this to allow none, will that deny traffic inbound to this address but still maintain the ability to NAT for these servers that route through the BigIP? Will it impact any of the other virtual servers that are connecting through this external interface?
The port lockdown setting affects traffic destined to the self IP (i.e. it does not affect virtual server and SNAT list traffic).
- Greg_130338 (Nimbostratus)
Gotcha. So best practice for an external interface self IP that is not inline with a firewall would be to create a custom list, I would imagine? The Allow Default still allows HTTPS and SSH, allowing management of the BigIP from outside our network. Specific ports I should be looking to allow here?
- nitass_89166 (Noctilucent)
Normally the external self IP's port lockdown should be set to none.
Administration should be done through the management interface or an internal self IP.
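The two recommendations above (keep the forwarding VS for outbound only, off the external VLAN and with a restricted source; set the external self IP's port lockdown to none) in checkable form, as an added example that is not part of the thread: a small Python audit that parses two constructed bigip.conf-style fragments, the risky starting point from the question and a hardened version, and reports the exposures discussed here. The object names, addresses, subnets and the VLAN names "external"/"internal" are all assumptions made for the example.

```python
"""Audit bigip.conf-style text for the two exposures in this thread: an IP-forwarding
virtual server open to any source on every VLAN, and an external self IP whose port
lockdown still admits SSH/HTTPS. Both fragments below are constructed, not real configs."""

# Constructed: the starting point described in the question.
RISKY_CONF = """
ltm virtual fwd_all {
    destination 0.0.0.0:any
    ip-forward
    mask any
    source 0.0.0.0/0
    vlans-disabled
}
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
"""

# Constructed: outbound forwarding limited to the internal VLAN and subnet, a
# port-specific inbound VS with a restricted source, and lockdown "none" on the
# external self IP (administer via the mgmt interface or the internal self IP).
HARDENED_CONF = """
ltm virtual fwd_internal_out {
    destination 0.0.0.0:any
    ip-forward
    mask any
    source 10.10.20.0/24
    source-address-translation {
        type automap
    }
    vlans {
        internal
    }
    vlans-enabled
}
ltm virtual mgmt_rdp_app1 {
    destination 203.0.113.25:3389
    ip-forward
    mask 255.255.255.255
    source 198.51.100.0/24
    vlans {
        external
    }
    vlans-enabled
}
net self external_self {
    address 203.0.113.10/24
    allow-service none
    vlan external
}
"""

EXTERNAL_VLANS = {"external"}  # assumption: the internet-facing VLAN is named "external"


def parse(text):
    """Brace-delimited tmsh layout -> nested dicts; 'key value' -> str, bare token -> True."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() or True
    return stack[0]


def audit(conf):
    """Return (object, problem) pairs; an empty list means the two exposures are absent."""
    findings = []
    for name, obj in parse(conf).items():
        short = name.split()[-1]
        if name.startswith("ltm virtual ") and "ip-forward" in obj:
            if obj.get("source", "0.0.0.0/0") in ("0.0.0.0/0", "0.0.0.0/any", "::/0"):
                findings.append((short, "forwarding VS accepts any source"))
            # vlans-disabled with no list (the default) means the VS listens on every VLAN.
            if "vlans-enabled" not in obj or not obj.get("vlans"):
                findings.append((short, "forwarding VS listens on all VLANs"))
        elif name.startswith("net self ") and obj.get("vlan") in EXTERNAL_VLANS:
            allow = obj.get("allow-service", "none")
            services = set(allow) if isinstance(allow, dict) else {allow}
            if "default" in services:
                findings.append((short, "external self IP uses Allow Default (includes tcp:22 and tcp:443)"))
            elif services != {"none"}:
                findings.append((short, "external self IP admits " + ", ".join(sorted(services))))
    return findings
```

On a real box the same layout comes out of `tmsh list ltm virtual` and `tmsh list net self`, so the output of those two commands can be concatenated and passed to `audit()` unchanged; one-line empty blocks such as `fastL4 { }` are stored as a leaf value and do not disturb the nesting. The audit deliberately does not treat SNAT as a finding: as the first reply notes, SNAT is address translation, not an access control, so the checks are on the VS source, the VLANs it listens on, and the self IP lockdown.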
- Greg_130338 (Nimbostratus)
10-4. Thanks all. I'm sure I'll have more hardening questions as I go through and fix a lot of this default config setup.