Forum Discussion

Marco_57668
Oct 29, 2013

What's the best way to manage a huge list of ip packet filtering?

Hi, we need to set up whitelisting for our FTP server. What's the best way to do this, via packet filter or via iRules? BTW: Is there a possibility to enter comments in the packet filter rule set?


Any help is appreciated. Marco


4 Replies

  • I suppose the best way here depends on a few factors, particularly:


    1. What you mean by "huge" - I'd use a data group to support large sets of "rules" with an iRule, but that and packet filter rules can handle fairly large sets of data.


    2. What types of rules you'd need to implement - is it port/IP ranges? Static source IPs?


    3. Your comfort with PF rules and/or iRules - if using a data group with an iRule, the iRule itself would probably be pretty simple and management would fall to maintaining the data group.


    4. Where and how you need the traffic to be filtered - an iRule would allow a complete 3-way handshake before potentially denying a request. A packet filter would not allow the handshake at all.


    You can technically add a description field to a packet filter rule with TMSH, but oddly that doesn't show up in the GUI (only the shell).


  • Thanks for your reply, Kevin.


    1. It varies according to the number of customers, between 300 and 500 records.
    2. Static source IPs, port 21.
    3. I tend to iRules.
    4. There's no need to allow a handshake.

  • 1. 300-70,000 records is generally no problem for an iRule data group, or packet filters.

    2. You could assign the source IP as the address value and the customer comments as its value in the data group. You'd probably want to create packet filter rules via TMSH so that you can add a description.

    3. Me too. 😉

    4. This is the sticky one. An iRule would allow the handshake before closing the connection. The packet filter would not. Usually that doesn't matter unless you're worried about a denial of service, and even then other built-in protection measures could help with that.

    Here's the iRule (using a standard address-based data group):

    when CLIENT_ACCEPTED {
        # Reject any client whose source address is not in the address data group
        if { not ( [class match [IP::client_addr] equals my_ftp_whitelist_dg] ) } {
            log local0. "Access attempt denied from [IP::client_addr]"
            reject
        }
    }
    

    A packet filter creation might look like this:

    create / net packet-filter test-pf1 action accept order 6 rule "( src host 10.70.0.3 or src host 10.70.0.4 ) and ( dst port 21 )" description "test customer pf"
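As an added example (not Kevin's code, and not from F5's own documentation), here is the address data group he describes with the customer comment stored as each record's value, and an iRule that logs that comment on allowed connections using `class match -value`; the data-group name, addresses and customer strings are constructed, and address data groups match on CIDR, so a /24 record covers a whole block.

```tcl
# Constructed tmsh definition of the data group (assumed names and addresses):
#   create ltm data-group internal my_ftp_whitelist_dg type ip records add {
#       10.70.0.3/32 { data "Customer A - main office" }
#       10.70.0.4/32 { data "Customer A - backup link" }
#       192.0.2.0/24 { data "Customer B - whole block" }
#   }
when CLIENT_ACCEPTED {
    # An 'ip' type data group matches the client address against each record's CIDR.
    if { [class match [IP::client_addr] equals my_ftp_whitelist_dg] } {
        # -value returns the matched record's data, i.e. the customer comment.
        set customer [class match -value [IP::client_addr] equals my_ftp_whitelist_dg]
        log local0.info "FTP control connection from [IP::client_addr] to [IP::local_addr]:[TCP::local_port] allowed for customer \"$customer\""
    } else {
        # Not whitelisted: log the source and tear the connection down.
        log local0.warn "FTP control connection from [IP::client_addr] denied"
        reject
    }
}
```

Because the comment lives in the data-group record, adding or removing a customer is a single record change with no edit to the iRule itself.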
    
  • Stick with iRules. They are far more efficient than packet filters. You can also use a data group to manage the IPs (as described above).