Forum Discussion
chuck_16066
Nimbostratus
NimbostratusPacket filter and port range
I need to do packet filter rules with a dynamic port range like 1024 - 65535. However, the packet filter rule does not take the TCPDUMP format of:
( dst portrange 1024-65535 )
In the GUI for packet filter rules, the rule expression:
( proto TCP ) and ( src net 172.xx.xx.0/24 ) and ( dst host 10.xx.xx.xx ) and ( dst portrange 1024 )
will produce error:
Packet filter rule 'ServerTestInt_DC001_dynamic': unknown host 'portrange'
The expression seems to like:
( dst port 1024 )
But not:
( dst portrange 1024-65535 )
Has anyone ran across this before? How can I implement a port range packet filtering?
Thanks for your help.
hoolioCirrostratus
Hi Chuck,
I'm not sure why the packet filters don't support the portrange keyword. I saw the same error on 10.0.1. 'b packet filter help' on a 10.0.1 unit shows:
The BIG-IP system packet filters are based on the Berkeley Software Design Packet Filter (BPF) architecture.
Maybe BPF doesn't support portrange? If you don't find a solution for using packet filters and the traffic you want to restrict to a port range is passing through a VIP, you could use an iRule to restrict access using [TCP::local_port] > 1024 && [TCP::local_port] < 65535.
Aaron- chuck_16066Aaron, thanks for the info. I'll do some more research.
The iRules sounds like a good idea. I am trying to filter traffic from a VLAN, kind of like an ACL or firewall. So it doesn't always pass through a VIP. Do you think iRules will still work?
--chuck - hoolioHi Chuck,
iRules can only be applied on VIPs. So if you had a default SNAT, a NAT, or other non-VIP object handling the traffic an iRule wouldn't allow you to restrict access.
You might try opening a case with F5 Support and ask whether there is a way to specify a port range with packet filters. If not, they should be able to open a request for enhancement.
Aaron - chuck_16066Aaron,
Thanks for the info. I will make a feature request/enhancement with F5.
--chuck