For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Hello_World_146's avatar
Hello_World_146
Icon for Nimbostratus rankNimbostratus
Jun 02, 2014

ICMP Filter

Hi Team,

 

I would like to set an ICMP filter in a CGNAT so that pings coming from internal clients to the internet (e.g. google.com) can go through normally, but trace routes do not show the interfaces of the CGNATs yet show the rest of the route. I've managed to set the filter so that pings with the destination IP of any of the interfaces of the CGNAT get discarded; however, if I block ICMP pings in general, other services get affected and network traffic increases. While setting up the filter, I set the source address to include the whole internal client network. I just need the traceroute hops to show every hop but not the CGNAT interface. It is currently running version 11.2.

 

application delivery
LTM
performance
security

5 Replies

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Jun 02, 2014

    I would think in order to not show the CGNAT hops, you would want to block ICMP from your CGNATs back to the internal client network. Traceroute depends on network devices to send back ICMP time exceeded messages to the client once the TTL reaches zero. So if you prevent the ICMP messages (type 11) from your CGNAT back to your internal network, then that should achieve what you wish.

     

  • Hello_World_146's avatar
    Hello_World_146
    Icon for Nimbostratus rankNimbostratus
    Jun 03, 2014

    Hi Cory, thanks for the reply. In this case, would I have to build my own expression or can I use the GUI? If using the GUI, then I would also have to specify the destination address to be that of the internal client network. If I enter my own expression, then how would you specify the ICMP messages (specifically type 11) to be blocked?

     

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Jun 03, 2014

    Unsure if you'll be able to do this on your BIG-IP. It can certainly be done on a firewall or some other filtering device between your BIG-IP and your internal user network. The syntax for a Cisco firewall would be something like this if put on an external facing interface:

     

    deny icmp any any time-exceeded

     

    This should block just ICMP type 11 messages. And you could refine your ACL to only include your internal network to be more thorough.

     

  • Hello_World_146's avatar
    Hello_World_146
    Icon for Nimbostratus rankNimbostratus
    Jun 03, 2014

    The problem with that is that the other team is not too cooperative. As such, I'm left on my own and I have to find a way to do it on my CGNAT.