Forum Discussion
How do i send an ICMP Dest port unreachable on an irule?
- Sep 24, 2016
It appears (on 12.1.1, at least) that the behavior of the `reject` command differs based on whether address translation is enabled. When it is, as I say, an ICMP Port Unreachable message is returned (for UDP traffic). When it is disabled, the behavior you see occurs.
There is no way to send a specific, explicit ICMP response from an iRule. However, a "Reject" type server will send an ICMP Port Unreachable in any case. So, you could create a "Reject" virtual server that is bound to no VLAN:
ltm virtual vs-reject {
    destination 0.0.0.0:any
    mask any
    profiles {
        fastL4 { }
    }
    reject
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-enabled
    vs-index 6
}
Then, in your iRule, instead of using `reject`, forward rejects to this VS:
when CLIENT_ACCEPTED {
    if { ![class match [IP::client_addr] equals server_pools] } {
        virtual vs-reject
    }
}
(Notice that the explicit `forward` branch is unnecessary because the VS type is already Forwarding). For me, this produces an identical result for classic `traceroute` (using UDP segments bound for random high-numbered ports), which you appear to be testing here.
`reject` for UDP traffic should send an ICMP Port Unreachable message. Moreover, if the defined virtual server is not a wildcard port, then you should get a TTL Port Unreachable because `traceroute` chooses a random high-numbered port, and there is no listener. If the defined virtual server is a wildcard port, this should still work because of the `reject`. I just validated those two cases.
Having said that, there are many things that could be happening here. Would you be willing to provide the Virtual Server definition? I'd also recommend performing a `tcpdump` on the BIG-IP to see the message flow. Something like:
tcpdump -nni 0.0 host <client-ip> and '(udp or icmp)'
where <client-ip> is the IP address of the client sourcing the `traceroute`.

Ok so this was actually a lot easier a solution than I had thought previously. I created a reject vs only enabled on the frontend vlan and it works great. No iRule, no data group needed. 😄
ltm virtual anycast-protect {
    destination 10.0.1.0:any
    mask 255.255.255.0
    profiles {
        fastL4 { }
    }
    reject
    source 0.0.0.0/0
    vlans {
        VIP_Net
    }
    vlans-enabled
    vs-index 98
}
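The earlier reply suggests confirming the fix with a `tcpdump` on the BIG-IP. The script below is an added example, not code from this thread or from F5: it parses `tcpdump -nn` text lines (a constructed sample is embedded, so it runs offline) and correlates each UDP traceroute probe with the ICMP Port Unreachable that quotes that probe's destination port, so you can see which probes the reject virtual server answered and which got nothing back, the symptom discussed above. The client and VIP addresses in the sample and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `tcpdump -nn` output (assumed, not a real capture):
# three traceroute UDP probes from client 10.0.0.5 to the VIP 10.0.1.10.
# Probes to ports 33434 and 33436 get an ICMP Port Unreachable back; the
# probe to 33435 gets nothing, which is the symptom described in the thread.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.45123 > 10.0.1.10.33434: UDP, length 32
12:00:01.000210 IP 10.0.1.10 > 10.0.0.5: ICMP 10.0.1.10 udp port 33434 unreachable, length 68
12:00:01.100001 IP 10.0.0.5.45124 > 10.0.1.10.33435: UDP, length 32
12:00:01.200001 IP 10.0.0.5.45125 > 10.0.1.10.33436: UDP, length 32
12:00:01.200230 IP 10.0.1.10 > 10.0.0.5: ICMP 10.0.1.10 udp port 33436 unreachable, length 68
"""

# A UDP datagram as tcpdump prints it with -nn (no name or port resolution).
UDP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length \d+$"
)
# ICMP Port Unreachable: tcpdump decodes the quoted inner datagram and prints
# its original destination address and UDP port, which lets us correlate.
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP "
    r"(?P<orig_dst>[\d.]+) udp port (?P<dport>\d+) unreachable, length \d+$"
)


@dataclass
class ProbeReport:
    # (probe dst, probe dport, address that sent the Port Unreachable)
    answered: list = field(default_factory=list)
    # (probe dst, probe dport) with no matching Port Unreachable in the capture
    unanswered: list = field(default_factory=list)


def check_port_unreachable(capture: str) -> ProbeReport:
    """Correlate each UDP probe with the ICMP Port Unreachable quoting it.

    traceroute uses a distinct destination port per probe, so (dst, dport)
    identifies a probe uniquely within one run.
    """
    probes = {}   # (dst, dport) -> timestamp of the first probe to that tuple
    unreach = {}  # (orig_dst, dport) -> source address of the ICMP reply
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            probes.setdefault((m["dst"], int(m["dport"])), m["ts"])
            continue
        m = UNREACH_RE.match(line)
        if m:
            unreach[(m["orig_dst"], int(m["dport"]))] = m["src"]
    report = ProbeReport()
    for dst, dport in probes:
        if (dst, dport) in unreach:
            report.answered.append((dst, dport, unreach[(dst, dport)]))
        else:
            report.unanswered.append((dst, dport))
    return report


def all_probes_answered(report: ProbeReport) -> bool:
    """True when every UDP probe in the capture drew a Port Unreachable."""
    return not report.unanswered


if __name__ == "__main__":
    r = check_port_unreachable(SAMPLE)
    for dst, port, src in r.answered:
        print(f"probe {dst}:{port} -> Port Unreachable from {src}")
    for dst, port in r.unanswered:
        print(f"probe {dst}:{port} -> no Port Unreachable seen")
    print("all probes answered:", all_probes_answered(r))
```

Feed it the text of the `tcpdump` run from the reply above (`python3 check.py < capture.txt` after swapping `SAMPLE` for `sys.stdin.read()`). The source address recorded for each answered probe shows which host actually generated the reject; Time Exceeded replies from intermediate hops are printed by `tcpdump` without the quoted port unless you add `-v`, so this script does not correlate them and they simply do not count as answers.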