Forum Discussion
How do I block (packet filtering?) all external IPs?
We have a BIG-IP (F5) unit set up at a backup site. We want to lock this unit down so that no public access is allowed while not in use, and any external scans won't even know there is anything there until it is opened. So far, all the Virtual IPs get disabled, but we want to prevent anything from getting even that far. I suppose high-level packet filtering is what I want, blocking everything but management and internal IPs for the developers to work on the internal systems and within BIG-IP, and allowing access to reopen everything once this backup site becomes active. What is the simplest/best approach to accomplish this?
- Jeff_Maddox_394 (Historic F5 Account)
The default behavior for disabled virtual servers is to send a RST to a SYN. If you are looking for a passive drop behavior, then a packet filter rule with the action set to "discard" would do the trick.
- aj11 (Nimbostratus)
Thanks. I created a Packet Filter rule to allow an internal subnet (First) and tried to create another rule (Last) to drop (Action: "discard") everything else. The instructions in the doc linked below say to "Enter Expression Text" with nothing in the text field, which apparently means everything (?), and I got the following error:
01070087:3: Packet filter rule '/Common/TestRule1': rule matches all traffic and action is not "continue"
Why should the rule be set to "continue" rather than "discard"?
- aj11 (Nimbostratus)
So I got it to accept 2 rules I put in, where I had to add an actual expression to the "Enter Expression Text" field, but I have not yet enabled packet filtering. The instructions on that page I linked basically just say to select that checkbox and that's it.
What I have so far, Jeff, and please correct me if this is wrong, is the following: Rule 1 (First): Allow ("Accept") the management networks (i.e. ( src net 192.168.1.0/24 ) and ( dst net 0.0.0.0/0 )) on all VLANs. Rule 2 (Last): Deny ("Discard") everything else (i.e. ( src net 0.0.0.0/0 ) and ( dst net 0.0.0.0/0 )) on all VLANs.
Will this accomplish what I'm looking for?
- Jeff_Maddox_394 (Historic F5 Account)
Anything that does not match the first rule should hit the second rule, which is basically the same as unhandled traffic. You can verify in the /var/log/pktfilter file. Make sure you have console access when you test. There may be variables that I am not aware of in your set up.
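As an added illustration of the first-match ordering discussed in this thread (this is a constructed Python model, not F5 code and not the BIG-IP packet filter engine), the script below parses the two rule expressions aj11 posted, evaluates sample packets against them in order, and reproduces the "rule matches all traffic and action is not continue" validation error for an empty expression. The rule names, the sample source addresses and the supported expression subset (`src`/`dst` with `net`/`host` joined by `and`) are assumptions made for the example.

```python
"""Toy first-match model of ordered BIG-IP-style packet filter rules.

Constructed example: the expression subset, rule names and sample
addresses are assumptions; only the two expressions and the error text
come from the forum thread.
"""
import ipaddress
import re

# One clause of the tcpdump-style expression text, e.g. "( src net 192.168.1.0/24 )".
CLAUSE_RE = re.compile(r"\(\s*(src|dst)\s+(net|host)\s+(\S+)\s*\)")
ACTIONS = ("accept", "discard", "reject", "continue")


class Rule:
    def __init__(self, name: str, action: str, expression: str = ""):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.name = name
        self.action = action
        self.expression = expression.strip()
        self.clauses = []  # list of (side, ip_network) that must all match
        if self.expression:
            for piece in re.split(r"\band\b", self.expression):
                m = CLAUSE_RE.fullmatch(piece.strip())
                if not m:
                    raise ValueError(f"unsupported clause {piece.strip()!r}")
                side, _kind, value = m.groups()
                # "host 10.0.0.5" becomes 10.0.0.5/32; "net 0.0.0.0/0" stays the whole space.
                self.clauses.append((side, ipaddress.ip_network(value, strict=False)))

    def matches(self, src: str, dst: str) -> bool:
        addrs = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
        return all(addrs[side] in net for side, net in self.clauses)


def validate_rule(rule: Rule) -> None:
    """Model of the check quoted in the thread: an empty expression matches
    all traffic, and such a rule is only accepted with action "continue".
    (An explicit 0.0.0.0/0 expression was accepted on the poster's unit.)"""
    if not rule.clauses and rule.action != "continue":
        raise ValueError(
            f"Packet filter rule '{rule.name}': rule matches all traffic "
            'and action is not "continue"'
        )


def evaluate(rules, src: str, dst: str):
    """Walk rules in order; the first matching rule whose action is not
    "continue" decides. Returns (action, rule_name), or ("unhandled", None)
    when nothing matched, i.e. the unhandled-traffic default applies."""
    for rule in rules:
        if rule.matches(src, dst):
            if rule.action == "continue":
                continue
            return rule.action, rule.name
    return "unhandled", None


def thread_ruleset():
    """The two rules from the thread: allow the management subnet, then drop the rest."""
    rules = [
        Rule("AllowMgmt", "accept", "( src net 192.168.1.0/24 ) and ( dst net 0.0.0.0/0 )"),
        Rule("DropRest", "discard", "( src net 0.0.0.0/0 ) and ( dst net 0.0.0.0/0 )"),
    ]
    for r in rules:
        validate_rule(r)
    return rules


if __name__ == "__main__":
    rules = thread_ruleset()
    # Constructed sample packets: one from the management subnet, one from outside.
    for src in ("192.168.1.10", "203.0.113.7"):
        print(src, "->", evaluate(rules, src, "10.0.0.5"))
    # Swapping the order drops everything, which is why "First"/"Last" matters.
    print("reversed:", evaluate(list(reversed(rules)), "192.168.1.10", "10.0.0.5"))
```

Running it shows the management source accepted by `AllowMgmt`, the outside source discarded by `DropRest`, and, with the order reversed, the management source discarded too; creating `Rule("Bad", "discard", "")` raises the same validation message quoted above.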