Packet Filter to allow just Self IP communication
Hello friends,
Need to validate some configuration of packet filter.
Since I have two GTMs which need to communicate with each other using ports 22 and 4353, I must configure such Self IPs to at least "Allow Default" in the Port Lockdown. The problem here is that such Self IPs are Public IPs and so they are exposed to the world. I cannot open port 22 due to lack of security, so I have decided to configure a Packet Filter to allow only Self IP communication using ports 22 and 4353.
How about if I select "Discard" in the Unhandled Packet Action when enabling packet filter? Is it going to stop the other traffic?
Thanks in advance
Regards
JM
1 Reply
- nitass
Employee
> I have decide to configure a Packet Filter to allow only Self IPs communication using ports 22 and 4353.
This is my testing, assuming 172.28.24.1 is a trusted source IP from the external VLAN.
config

```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys db one-line |grep packetfilter
sys db packetfilter { value "enable" }
sys db packetfilter.allow.arp { value "enable" }
sys db packetfilter.allow.important.icmp { value "enable" }
sys db packetfilter.defaultaction { value "accept" }
sys db packetfilter.defaultlog { value "disable" }
sys db packetfilter.established { value "disable" }
sys db packetfilter.sendicmperrors { value "disable" }

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list net packet-filter-trusted
net packet-filter-trusted {
    ip-addresses { 172.28.24.1 }
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list net packet-filter
net packet-filter drop_22 {
    action reject
    order 5
    rule "( ( ip proto TCP or ip6 proto TCP ) ) and ( dst port 22 )"
    vlan external
}
```

ssh from 192.168.207.92

```
[root@ve11a:Active:In Sync] config tcpdump -nni external:nnn -s0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes
21:31:48.869679 IP 192.168.207.92.64431 > 172.28.24.11.22: S 4099431234:4099431234(0) win 8192 (mss 1260,nop,wscale 8,nop,nop,sackOK) in slot1/tmm1 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
21:31:48.869709 IP 172.28.24.11.22 > 192.168.207.92.64431: R 0:0(0) ack 4099431235 win 0 out slot1/tmm1 lis= flowtype=134 flowid=57005A571700 peerid=0 conflags=20 inslot=63 inport=55 haunit=0 priority=0 rst_cause="[0x19c31f8:1129] Packet filter (reject)" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
```

ssh from 172.28.24.1

```
[root@ve11a:Active:In Sync] config tcpdump -nni external -s0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external, link-type EN10MB (Ethernet), capture size 65535 bytes
21:32:28.809053 IP 172.28.24.1.57974 > 172.28.24.11.22: S 1580176754:1580176754(0) win 5840 (mss 1460,sackOK,timestamp 2820769471 0,nop,wscale 7) in slot1/tmm0 lis=
21:32:28.811440 IP 172.28.24.11.22 > 172.28.24.1.57974: S 4205142154:4205142154(0) ack 1580176755 win 18460 (mss 1460,sackOK,timestamp 1029499504 2820769471,nop,wscale 7) out slot1/tmm0 lis=
21:32:28.813215 IP 172.28.24.1.57974 > 172.28.24.11.22: . ack 1 win 46 (nop,nop,timestamp 2820769475 1029499504) in slot1/tmm0 lis=
```

> How about if I select "Discard" in the Unhandled Packet Action when enabling packet filter? Is it going to stop the other traffic?
Yes, including traffic to the virtual server.
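The evaluation order that the reply's test relies on (trusted source addresses bypass the packet filter, rules are checked by `order`, and anything no rule matches gets the unhandled-packet action) is easy to misjudge, especially the point that "Discard" as the unhandled action also drops traffic to virtual servers. The following is an added Python model of that evaluation written for this page; it is not BIG-IP code or an F5 tool. It reproduces the reply's configuration (rule `drop_22`, trusted `172.28.24.1`, default `accept`) and a hypothetical locked-down variant for the original question (an explicit accept rule for the peer GTM's Self IP on 22/4353 with unhandled packets discarded). The rule expressions are modelled as Python predicates rather than parsed from the BIG-IP rule syntax, the ARP/ICMP exemptions from the db variables are not modelled, and `172.28.24.20` is a constructed virtual-server address, not one from the page.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    dport: int
    vlan: str    # ingress VLAN name


@dataclass
class Rule:
    name: str
    order: int
    action: str                         # "accept", "discard" or "reject"
    match: Callable[[Packet], bool]     # stands in for the rule expression
    vlan: str = "any"                   # rule applies only to this VLAN


@dataclass
class PacketFilter:
    rules: List[Rule]
    trusted: Set[str] = field(default_factory=set)   # net packet-filter-trusted
    unhandled_action: str = "accept"                  # packetfilter.defaultaction

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one inbound packet."""
        # Trusted source addresses are never evaluated against the rules.
        if pkt.src in self.trusted:
            return ("accept", "trusted")
        # Rules are tried in ascending order; the first match decides.
        for rule in sorted(self.rules, key=lambda r: r.order):
            if rule.vlan not in ("any", pkt.vlan):
                continue
            if rule.match(pkt):
                return (rule.action, rule.name)
        # Nothing matched: apply the unhandled packet action.
        return (self.unhandled_action, "unhandled")


def tcp_to_port(port: int) -> Callable[[Packet], bool]:
    """Equivalent of '( ip proto TCP ) and ( dst port <port> )'."""
    return lambda p: p.proto == "TCP" and p.dport == port


def page_filter() -> PacketFilter:
    """The configuration shown in the reply: reject TCP/22 on vlan external,
    172.28.24.1 trusted, unhandled packets accepted."""
    return PacketFilter(
        rules=[Rule("drop_22", 5, "reject", tcp_to_port(22), vlan="external")],
        trusted={"172.28.24.1"},
        unhandled_action="accept",
    )


def locked_down_filter(peer_self_ip: str, my_self_ip: str) -> PacketFilter:
    """Hypothetical variant for the original question: only the peer GTM's
    Self IP may reach this Self IP on 22/4353; everything unhandled is discarded."""
    def peer_gtm(p: Packet) -> bool:
        return (p.src == peer_self_ip and p.dst == my_self_ip
                and p.proto == "TCP" and p.dport in (22, 4353))
    return PacketFilter(
        rules=[Rule("allow_peer_gtm", 1, "accept", peer_gtm, vlan="external")],
        trusted=set(),
        unhandled_action="discard",
    )


# Constructed sample packets: the two SSH sources from the reply's tcpdump,
# plus a client hitting a (constructed) virtual server address on 443.
SSH_UNTRUSTED = Packet("192.168.207.92", "172.28.24.11", "TCP", 22, "external")
SSH_PEER = Packet("172.28.24.1", "172.28.24.11", "TCP", 22, "external")
IQUERY_PEER = Packet("172.28.24.1", "172.28.24.11", "TCP", 4353, "external")
VS_CLIENT = Packet("192.168.207.92", "172.28.24.20", "TCP", 443, "external")


if __name__ == "__main__":
    for label, pf in (("reply config", page_filter()),
                      ("discard default", locked_down_filter("172.28.24.1", "172.28.24.11"))):
        print(f"--- {label} ---")
        for pkt in (SSH_UNTRUSTED, SSH_PEER, IQUERY_PEER, VS_CLIENT):
            action, reason = pf.evaluate(pkt)
            print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {action:8s} ({reason})")
```

Running it shows the two behaviours side by side: with the reply's configuration the untrusted SSH attempt is rejected (the RST with `rst_cause="Packet filter (reject)"` in the capture), the trusted peer is never filtered, and the virtual-server client is still accepted because the default action is `accept`. With the unhandled action set to `discard`, the same virtual-server client is silently dropped unless an explicit accept rule covers it, which is the caveat in the reply.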