Forum Discussion
8 Replies
- Gburn_124136 (Nimbostratus): No one? Really?
- hooleylist (Cirrostratus): See this thread for possible workarounds and a suggestion to create a request for enhancement:
- Kevin_Stewart (Employee): "dst portrange x-y" appears to work in 11.3.
- hooleylist (Cirrostratus):
  Also, it looks like you can use port_x:port_y.
  Dst Port:
  Port number or port range as first:last (for example 0:65535). An empty field means any port. Specifying a port has no effect on ICMP packets.
- Kevin_Stewart (Employee): That article specifically relates to FirePass. It did not work in 11.3.
- Gburn_124136 (Nimbostratus):
  The version is 11.2.1 HF3.
  The expression I have now in the "Filter Expression" field is:
    ( dst host 1.1.1.1 ) and ( dst portrange 21-22 )
  and the error it returns is:
    01070087:3: Packet filter rule '/Common/Test': unknown host 'portrange'
- hooleylist (Cirrostratus):
  Doh... thanks for catching that. I think we upgraded libpcap to 0.9.4 in 11.3.0 as part of BZ391286. That change should support the portrange keyword.
- Stephan:
  It seems to work in v11.6.0 HF6.
  For limiting access to a GTM's self IPs (*.11) and listeners (*.10), the following set of filters was used (the range is required to permit traceroute to both the self IP and the listener):
    tmsh -q -c 'list net packet-filter; list net packet-filter-trusted; list sys db packetfilter.*'
    net packet-filter filter_dnsquery_in { action accept order 5 rule "( ( ip proto UDP or ip6 proto UDP ) or ( ip proto TCP or ip6 proto TCP ) ) and ( dst host 10.10.1.10 ) and ( dst port 53 )" vlan vlan_external }
    net packet-filter filter_icmp_in { action accept order 20 rule "( ( ip proto ICMP or ip6 proto ICMP ) ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 )" vlan vlan_external }
    net packet-filter filter_iquery_in { action accept order 10 rule "( ( ip proto TCP or ip6 proto TCP ) ) and ( src host 10.10.2.11 or src host 10.10.3.11 ) and ( dst host 10.10.1.11 ) and ( dst port 4353 or dst port 22 )" vlan vlan_external }
    net packet-filter filter_traceroute_in { action accept order 15 rule "( ( ip proto UDP or ip6 proto UDP ) ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 ) and ( dst portrange 33434-33534 )" vlan vlan_external }
    net packet-filter-trusted { }
    sys db packetfilter.allow.arp { value "enable" }
    sys db packetfilter.allow.important.icmp { value "enable" }
    sys db packetfilter.defaultaction { value "discard" }
    sys db packetfilter.defaultlog { value "disable" }
    sys db packetfilter.established { value "disable" }
    sys db packetfilter.sendicmperrors { value "disable" }
  Thanks, Stephan
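The thread turns on two things: `dst portrange A-B` is rejected by the libpcap in 11.2.1 (the parser treats `portrange` as a hostname, hence "unknown host 'portrange'"), and the `or`-ed `dst port X or dst port Y` form does work (it appears in the posted `filter_iquery_in` rule). The script below is an added example, not code from the thread or from F5. It parses the `tmsh` output posted above (embedded as constructed sample input, one statement per line), rewrites any `portrange` primitive into the equivalent explicit `port` disjunction for builds that lack the keyword, and audits the filter set from a defender's viewpoint: default action, default logging, rule ordering and host scoping. The `supports_portrange` flag, the `max_ports` expansion limit and the audit policy are my assumptions; whether a given BIG-IP build accepts the expanded expression still has to be confirmed with that build's own packet-filter validation.

```python
import re

# Constructed sample input: the tmsh output posted in the thread, one statement per line.
SAMPLE_TMSH = '''
net packet-filter filter_dnsquery_in { action accept order 5 rule "( ( ip proto UDP or ip6 proto UDP ) or ( ip proto TCP or ip6 proto TCP ) ) and ( dst host 10.10.1.10 ) and ( dst port 53 )" vlan vlan_external }
net packet-filter filter_icmp_in { action accept order 20 rule "( ( ip proto ICMP or ip6 proto ICMP ) ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 )" vlan vlan_external }
net packet-filter filter_iquery_in { action accept order 10 rule "( ( ip proto TCP or ip6 proto TCP ) ) and ( src host 10.10.2.11 or src host 10.10.3.11 ) and ( dst host 10.10.1.11 ) and ( dst port 4353 or dst port 22 )" vlan vlan_external }
net packet-filter filter_traceroute_in { action accept order 15 rule "( ( ip proto UDP or ip6 proto UDP ) ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 ) and ( dst portrange 33434-33534 )" vlan vlan_external }
net packet-filter-trusted { }
sys db packetfilter.allow.arp { value "enable" }
sys db packetfilter.allow.important.icmp { value "enable" }
sys db packetfilter.defaultaction { value "discard" }
sys db packetfilter.defaultlog { value "disable" }
sys db packetfilter.established { value "disable" }
sys db packetfilter.sendicmperrors { value "disable" }
'''

# One packet-filter statement; the rule body never contains a double quote.
FILTER_RE = re.compile(
    r'^net packet-filter (?P<name>\S+) \{ action (?P<action>\w+) order (?P<order>\d+) '
    r'rule "(?P<rule>[^"]*)" vlan (?P<vlan>\S+) \}$'
)
# One packetfilter.* db variable.
DB_RE = re.compile(r'^sys db (?P<key>packetfilter\.[\w.]+) \{ value "(?P<value>\w+)" \}$')
# A pcap portrange primitive, optionally qualified with src/dst.
PORTRANGE_RE = re.compile(r'\b(?P<dir>src |dst )?portrange (?P<lo>\d+)-(?P<hi>\d+)')


def parse_tmsh(text):
    """Return (filters sorted by evaluation order, db settings) from tmsh list output."""
    filters, db = [], {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = FILTER_RE.match(line)
        if m:
            f = m.groupdict()
            f['order'] = int(f['order'])
            filters.append(f)
            continue
        m = DB_RE.match(line)
        if m:
            db[m.group('key')] = m.group('value')
    return sorted(filters, key=lambda f: f['order']), db


def expand_portrange(rule, max_ports=128):
    """Rewrite each 'portrange A-B' into '( port A or port A+1 ... or port B )'.

    This is the workaround for a libpcap that lacks the keyword. The expansion
    limit is an assumption; very wide ranges produce unwieldy expressions."""
    def repl(m):
        lo, hi = int(m.group('lo')), int(m.group('hi'))
        if lo > hi or hi - lo + 1 > max_ports:
            raise ValueError(f'range {lo}-{hi} too wide to expand (limit {max_ports})')
        direction = m.group('dir') or ''
        return '( ' + ' or '.join(f'{direction}port {p}' for p in range(lo, hi + 1)) + ' )'
    return PORTRANGE_RE.sub(repl, rule)


def audit(filters, db, supports_portrange):
    """Return a list of findings; the checks encode my own review policy."""
    findings = []
    if db.get('packetfilter.defaultaction') != 'discard':
        findings.append('default action is not discard: unmatched traffic is not dropped')
    if db.get('packetfilter.defaultlog') != 'enable':
        findings.append('default logging disabled: discarded packets leave no log trail')
    for f in filters:
        if 'portrange' in f['rule'] and not supports_portrange:
            findings.append(f"{f['name']}: uses portrange, rejected by this version's libpcap")
        if f['action'] == 'accept' and 'dst host' not in f['rule']:
            findings.append(f"{f['name']}: accept rule with no dst host restriction")
    return findings


if __name__ == '__main__':
    flt, settings = parse_tmsh(SAMPLE_TMSH)
    for f in flt:
        print(f"order {f['order']:>3} {f['action']:<7} {f['name']}")
    for finding in audit(flt, settings, supports_portrange=False):
        print('FINDING:', finding)
    print(expand_portrange('( dst host 1.1.1.1 ) and ( dst portrange 21-22 )'))
```

Run with `supports_portrange=False` for an 11.2.1 box and the traceroute filter is flagged; `expand_portrange` then gives the expression to paste into the Filter Expression field instead. The order listing makes the evaluation sequence visible (dnsquery 5, iquery 10, traceroute 15, icmp 20), which matters because the first matching accept rule wins and everything else falls to the `discard` default.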