Forum Discussion

suthomas1 (Cirrostratus), Aug 26, 2021

irule ports

Good day all,


I had a few doubts about LTM.

1) Is a service with all ports allowed, but with an iRule that limits the ports, secure? Will the iRule come into the picture for the ports first?

2) Is there any easy way to rename a virtual service?



thanks in advance.

7 Replies

  • Hello,


    I'm not going to answer your 1st question - I really don't understand what you mean by it.


    For the 2nd - renaming a VS is not a straightforward thing to do - you have probably noticed that many configuration objects cannot be renamed from the GUI after you create them. But you can edit the configuration file directly and load it.


    1. login via ssh; if not already there go to the standard linux shell (not tmsh)
    2. if necessary, cd to /config/
    3. make a backup copy of bigip.conf
    4. edit bigip.conf with vi
    5. search for your VS - it will be a line with "ltm virtual <vs name>"
    6. rename it, be careful to not use repeated names and don't change line spacing, { } characters, etc
    7. save the file, exit vi
    8. execute "tmsh sys load config"
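As an added example (not from the thread and not F5's code): a small tclsh script that does steps 3, 5 and 6 on a bigip.conf-style file with the checks those steps imply, namely back up first, touch exactly one `ltm virtual` stanza, and refuse a name that already exists. The procedure names (`count_vs`, `rename_vs`, `other_refs`) and the example arguments are hypothetical, and it assumes the stanza header has the form `ltm virtual /Common/<name> {` at the start of a line, which is how current versions write bigip.conf. Steps 1, 2, 7 and 8 are still done by hand; run `tmsh load sys config verify` before the real load. If your version supports tmsh's `mv` command (the one referred to later in the thread), that is the supported route and this script is only for the file-edit route described above.

```tcl
#!/usr/bin/env tclsh
# Added example, not the thread's or F5's code. Renames one virtual server
# stanza in a bigip.conf-style file after checking that the old name occurs
# exactly once and the new name not at all, and after writing a backup.
# Usage (hypothetical arguments):
#   tclsh rename_vs.tcl /config/bigip.conf /Common/vs_old /Common/vs_new
# then, on the BIG-IP: tmsh load sys config verify; tmsh load sys config

# Count lines whose header is exactly "ltm virtual <name> {"
proc count_vs {lines name} {
    set n 0
    foreach line $lines {
        if {$line eq "ltm virtual $name \{"} { incr n }
    }
    return $n
}

# Return the rewritten lines, or raise an error (writing nothing) when the
# checks fail. Only the stanza header changes; body lines and braces are
# left exactly as they were, which is what step 6 asks for.
proc rename_vs {lines old new} {
    if {[count_vs $lines $old] != 1} {
        error "expected exactly one 'ltm virtual $old' stanza"
    }
    if {[count_vs $lines $new] != 0} {
        error "'$new' already exists; refusing to create a duplicate name"
    }
    set out {}
    foreach line $lines {
        if {$line eq "ltm virtual $old \{"} {
            set line "ltm virtual $new \{"
        }
        lappend out $line
    }
    return $out
}

# Other lines that still mention the old name (for example a policy or
# another iRule's "virtual" command); these are reported, not edited.
proc other_refs {lines old} {
    set hits {}
    set i 0
    foreach line $lines {
        incr i
        if {[string first $old $line] >= 0 && ![string match "ltm virtual *" $line]} {
            lappend hits "$i: $line"
        }
    }
    return $hits
}

proc main {path old new} {
    set fh [open $path r]
    set lines [split [string trimright [read $fh] \n] \n]
    close $fh
    # Validate and rewrite in memory first, so a failed check leaves the
    # file untouched.
    set newlines [rename_vs $lines $old $new]
    # Step 3: backup copy next to the original, timestamped.
    set stamp [clock format [clock seconds] -format %Y%m%d%H%M%S]
    file copy -force $path "$path.bak.$stamp"
    set fh [open $path w]
    puts $fh [join $newlines \n]
    close $fh
    foreach hit [other_refs $newlines $old] {
        puts stderr "still references $old -> $hit"
    }
}

if {$argc != 3} {
    puts stderr "usage: rename_vs.tcl <bigip.conf> </Common/old_name> </Common/new_name>"
    exit 2
}
main [lindex $argv 0] [lindex $argv 1] [lindex $argv 2]
```

The script does not load the configuration itself; after it runs, verify and load with tmsh as in step 8 so that a typo in the new name is caught before it becomes the running config.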

      • Mike757 (MVP)

        Heh... never claimed it was safe, that's why step 3 is there.


        But indeed, the file could have been corrupt to begin with. Make it step 2.5 to execute "tmsh load sys config verify". That way you can be sure the initial files are ok.



    • Mike757 (MVP)

      For real? I had never heard about that!

      [edit: the mv command, I mean]

  • Thanks Mike.

    Rewriting the first question: how secure is any VS that has all ports allowed? And if it has an iRule that lists a few ports, will the iRule be checked first for the ports?

    • Mike757 (MVP)

      I see what you mean - as Daniel pointed out above, it is secure, but in the article everything is better explained. If you use an iRule (or policy), the TCP reset only happens after the 3-way handshake is completed. If you use a port list the handshake fails straight away, which is better in terms of resource efficiency.


      If I recall correctly, shared objects (address and port lists) appeared in version 14.
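As an added example (not from the thread and not F5's code), this is the iRule approach the reply above describes: a rule attached to a virtual server that listens on all ports, resetting any TCP connection whose destination port is not on an allow-list. The rule name, the port values and the log text are constructed for illustration. Because `CLIENT_ACCEPTED` runs only after the TCP three-way handshake has completed, a client on a disallowed port gets an established connection followed by a RST; that is the resource cost the reply contrasts with a port list, where the handshake never completes.

```tcl
# Added example, not the thread's or F5's code: restrict a "port any"
# virtual server to an allow-list of destination ports from an iRule.
# The allowed ports and the log text are constructed for illustration.

when RULE_INIT {
    # Allow-list of destination ports. In production a data group
    # (class) is easier to maintain than a hard-coded list.
    set static::allowed_ports [list 80 443 8443]
}

when CLIENT_ACCEPTED {
    # This event fires after the TCP three-way handshake has completed,
    # so a rejected client sees a connection followed by a RST rather
    # than a failed handshake as it would with a port list on the VS.
    set dport [TCP::local_port]
    if { [lsearch -exact $static::allowed_ports $dport] == -1 } {
        log local0. "port filter: reset [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$dport"
        reject
        return
    }
}
```

Attach it to the virtual server with `tmsh modify ltm virtual <vs name> rules { <rule name> }` (placeholders for your own object names). The log line is there so that rejected attempts show up in /var/log/ltm and can be counted or alerted on; a port list gives the same access control without the log entry, so keep the iRule if that visibility matters to you.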