Forum Discussion

rwendt_291390's avatar
rwendt_291390
Icon for Nimbostratus rankNimbostratus
Sep 22, 2016
Solved

How do i send an ICMP Dest port unreachable on an irule?

I have a ip forwarding virtual server that is supposed to reject packets not in my defined datagroup server_pools destined for a subset of the virtual servers we have. This functionality is working. ...
BIG-IP
iRules
security
  • Vernon_97235's avatar
    Vernon_97235
    Sep 23, 2016

    It appears (on 12.1.1, at least) that the behavior of the 

    reject
    command differs based on whether address translation is enabled. When it is, as I say, an ICMP Port Unreachable message is returned (for UDP traffic). When it is disabled, the behavior you see occurs.

    There is no way to send a specific, explicit ICMP response from an iRule. However, a "Reject" type server will send an ICMP Port Unreachable in any case. So, you could create a "Reject" virtual server that is bound to no VLAN:

    ltm virtual vs-reject {
    destination 0.0.0.0:any
    mask any
    profiles {
        fastL4 { }
    }
    reject
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-enabled
    vs-index 6
}

    Then, in your iRule, instead of using 

    reject
    , forward rejects to this VS:

    when CLIENT_ACCEPTED {
   if { ![class match [IP::client_addr] equals server_pools] }{
       virtual vs-reject
   }
}

    (Notice that the explicit 

    forward
    branch is unnecessary because the VS type is already Forwarding). For me, this produces an identical result for classic 
    traceroute
    (using UDP segments bound for random high-numbered ports), which you appear to be testing here.

VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Sep 23, 2016

It appears (on 12.1.1, at least) that the behavior of the 

reject
command differs based on whether address translation is enabled. When it is, as I say, an ICMP Port Unreachable message is returned (for UDP traffic). When it is disabled, the behavior you see occurs.

There is no way to send a specific, explicit ICMP response from an iRule. However, a "Reject" type server will send an ICMP Port Unreachable in any case. So, you could create a "Reject" virtual server that is bound to no VLAN:

ltm virtual vs-reject {
    destination 0.0.0.0:any
    mask any
    profiles {
        fastL4 { }
    }
    reject
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-enabled
    vs-index 6
}

Then, in your iRule, instead of using 

reject
, forward rejects to this VS:

when CLIENT_ACCEPTED {
   if { ![class match [IP::client_addr] equals server_pools] }{
       virtual vs-reject
   }
}

(Notice that the explicit 

forward
branch is unnecessary because the VS type is already Forwarding). For me, this produces an identical result for classic 
traceroute
(using UDP segments bound for random high-numbered ports), which you appear to be testing here.