Security hardening question

Question

Hi all,
&nbsp;I need to implement the requirement below in both 4.5.11 and 9.1 
&nbsp;Any help/clues to get started on this will be appreciated. 
&nbsp;Thanks in advance.
&nbsp;/Farid&nbsp;
&nbsp;Req:  Ingress (inbound) and egress (outbound) source routed packets SHALL be blocked by the load balancers. &nbsp;&nbsp;&nbsp;

martin_machacek · Answer

Farid,&nbsp;
&nbsp;this cannot be done with iRules in 4.x.&nbsp;
&nbsp;However, BIG-IP (for most practical purposes) drops source routed packets by default. The behavior is controlled with sysctl variable "net.inet.ip.forwsrcrt" which is set to 0 by default. It means that all connection initiating source routed packets (e.g. TCP packets with SYN bit set) and all packets addressed to local addresses (self-IPs) and SSL proxy addresses are refused. Source routed packets belonging to already established loadbalanced connections (i.e. connections to virtual addresses) and/or  UDP flows are forwarded but any source routes are ignored.&nbsp;
&nbsp;BIG-IP 4.x does not allow to configure any egress filtering.

Forum Discussion

Security hardening question

1 Reply

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

BIG-IP security hardening and compliance checks

Quarterly Security Notification October 2025

Positive Security vs. Negative Security: A Comparison Using F5's Security Portfolio

Security Hardening F5's BIG-IP with SELinux

F5 SLEDFest 2022 Sacramento Edition - Securing and Hardening your BIG-IP presentation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS