Security hardening question

Question

Hi all,
&nbsp;I need to implement the requirement below in both 4.5.11 and 9.1 
&nbsp;Any help/clues to get started on this will be appreciated. 
&nbsp;Thanks in advance.
&nbsp;/Farid&nbsp;
&nbsp;Req:  Ingress (inbound) and egress (outbound) source routed packets SHALL be blocked by the load balancers. &nbsp;&nbsp;&nbsp;

martin_machacek · Answer

Farid,&nbsp;
&nbsp;this cannot be done with iRules in 4.x.&nbsp;
&nbsp;However, BIG-IP (for most practical purposes) drops source routed packets by default. The behavior is controlled with sysctl variable "net.inet.ip.forwsrcrt" which is set to 0 by default. It means that all connection initiating source routed packets (e.g. TCP packets with SYN bit set) and all packets addressed to local addresses (self-IPs) and SSL proxy addresses are refused. Source routed packets belonging to already established loadbalanced connections (i.e. connections to virtual addresses) and/or  UDP flows are forwarded but any source routes are ignored.&nbsp;
&nbsp;BIG-IP 4.x does not allow to configure any egress filtering.

Forum Discussion

Security hardening question

Recent Discussions

How to Renew F5 Device Certificate

Use of SSL Decryption.

Big IP DNS Failover

Diameter iRules attachment?

Health Monitor unable to connect to OpenShift Router

Related Content

Positive Security vs. Negative Security: A Comparison Using F5's Security Portfolio

F5 SLEDFest 2022 Sacramento Edition - Securing and Hardening your BIG-IP presentation

Security Hardening F5's BIG-IP with SELinux

AppWorld 2025 Security Insights - ADC 3.0, AI Security, and more

Securing Model Serving in Red Hat OpenShift AI (on ROSA) with F5 Distributed Cloud API Security

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS