Forum Discussion

Gburn_124136
Jun 28, 2013

Can't define Packet filter port ranges

We tried:

    dst portrange x:y
    dst portrange x-y
    tcp portrange x:y
    tcp portrange x-y
    port x:y
    port x-y

Nada. GUI rejects them all.


8 Replies

  • See this thread for possible workarounds and a suggestion to create a request for enhancement:

    https://devcentral.f5.com/internal-forums/aft/1167413

    Aaron
  • "dst portrange x-y" appears to work in 11.3.

    What version are you on? You can also implement a similar filter via iRules (per virtual server).
  • Also, it looks like you can use port_x:port_y

    sol10747: Configuring packet filters

    https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10747.html

    Dst Port:

    Port number or port range as first:last (for example 0:65535). An empty field means any port. Specifying a port has no effect on ICMP packets.

    Aaron


  • The version is 11.2.1 HF3

    The expression I have now in the "Filter Expression" field is:

    ( dst host 1.1.1.1 ) and ( dst portrange 21-22 )

    The interface validates and complains:

    01070087:3: Packet filter rule '/Common/Test': unknown host 'portrange'

    Thanks for the reply, btw.


  • Doh... thanks for catching that. I think we upgraded libpcap to 0.9.4 in 11.3.0 as part of BZ391286. That change should support the portrange keyword.

    Prior to that, you can use this syntax:

    (tcp[2:2] >= 4000 and tcp[2:2] <= 5000)

    This uses the TCP offset for the dst port (tcp[2:2]) to create a range.

    Aaron

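The following is an added example, not code from the thread or from F5: it builds constructed IPv4/TCP and IPv4/UDP packets and evaluates both filter forms discussed above in the way libpcap does, so the equivalence and the one difference between them can be checked offline. Two points of pcap semantics are encoded here: `tcp[offset:size]` is relative to the start of the TCP header (located through the IPv4 IHL field, so IP options do not break it) and implicitly requires the packet to be TCP, whereas `dst portrange lo-hi` matches the destination port of TCP, UDP or SCTP. The addresses and ports are sample values.

```python
import struct

# Constructed sample addresses (not from the thread).
SRC_IP = bytes([10, 10, 2, 11])
DST_IP = bytes([10, 10, 1, 10])
PROTO_TCP, PROTO_UDP, PROTO_SCTP = 6, 17, 132


def build_packet(proto: int, dst_port: int, src_port: int = 40000, ihl_words: int = 5) -> bytes:
    """Build a minimal IPv4 packet carrying a TCP or UDP header with the given ports.

    ihl_words > 5 pads the IPv4 header with zeroed option bytes, which shifts the
    transport header; a correct tcp[...] evaluation must follow the IHL field.
    """
    ip_len = ihl_words * 4
    if proto == PROTO_TCP:
        # src, dst, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
        transport = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == PROTO_UDP:
        # src, dst, length, csum
        transport = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    else:
        raise ValueError("only TCP and UDP are constructed here")
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ip_len + len(transport),
                     0, 0, 64, proto, 0, SRC_IP, DST_IP)
    ip += b"\x00" * (ip_len - 20)   # zeroed IP options when ihl_words > 5
    return ip + transport


def ip_proto(pkt: bytes) -> int:
    return pkt[9]


def transport_offset(pkt: bytes) -> int:
    # IHL is the low nibble of byte 0, counted in 32-bit words.
    return (pkt[0] & 0x0F) * 4


def tcp_field(pkt: bytes, offset: int, size: int):
    """pcap's tcp[offset:size]: offset is relative to the start of the TCP header,
    and the reference implies 'ip proto tcp', so non-TCP packets yield no value."""
    if ip_proto(pkt) != PROTO_TCP:
        return None
    base = transport_offset(pkt) + offset
    return int.from_bytes(pkt[base:base + size], "big")


def offset_range_filter(pkt: bytes, lo: int, hi: int) -> bool:
    """'(tcp[2:2] >= lo and tcp[2:2] <= hi)': bytes 2-3 of the TCP header are the dst port."""
    v = tcp_field(pkt, 2, 2)
    return v is not None and lo <= v <= hi


def dst_portrange_filter(pkt: bytes, lo: int, hi: int) -> bool:
    """'dst portrange lo-hi' (libpcap 0.9.x+): destination port of TCP, UDP or SCTP."""
    if ip_proto(pkt) not in (PROTO_TCP, PROTO_UDP, PROTO_SCTP):
        return False
    base = transport_offset(pkt)
    dst = int.from_bytes(pkt[base + 2:base + 4], "big")
    return lo <= dst <= hi


if __name__ == "__main__":
    cases = [(PROTO_TCP, 4500, 5), (PROTO_UDP, 4500, 5), (PROTO_TCP, 5001, 5), (PROTO_TCP, 4000, 6)]
    for proto, port, ihl in cases:
        p = build_packet(proto, port, ihl_words=ihl)
        print(f"proto={proto} dport={port} ihl={ihl} "
              f"portrange={dst_portrange_filter(p, 4000, 5000)} "
              f"tcp[2:2]={offset_range_filter(p, 4000, 5000)}")
```

The practical consequence for the workaround: on a release where only the offset form is accepted, a UDP service in the same port range needs a separate `udp[2:2]` clause, because the `tcp[...]` reference alone never matches UDP.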

  • It seems to work in v11.6.0HF6.

    For limiting access to a GTM's self IPs (*.11) and listeners (*.10) the following set of filters (range required to permit traceroute to both self IP and listener) was used:

    tmsh -q -c 'list net packet-filter; list net packet-filter-trusted; list sys db packetfilter.*'
    net packet-filter filter_dnsquery_in {
        action accept
        order 5
        rule "( ( ip proto UDP or ip6 proto UDP )  or ( ip proto TCP or ip6 proto TCP )  ) and ( dst host 10.10.1.10 ) and ( dst port 53 )"
        vlan vlan_external
    }
    net packet-filter filter_icmp_in {
        action accept
        order 20
        rule "( ( ip proto ICMP or ip6 proto ICMP )  ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 )"
        vlan vlan_external
    }
    net packet-filter filter_iquery_in {
        action accept
        order 10
        rule "( ( ip proto TCP or ip6 proto TCP )  ) and ( src host 10.10.2.11 or src host 10.10.3.11 ) and ( dst host 10.10.1.11 ) and ( dst port 4353 or dst port 22 )"
        vlan vlan_external
    }
    net packet-filter filter_traceroute_in {
        action accept
        order 15
        rule "( ( ip proto UDP or ip6 proto UDP )  ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 ) and ( dst portrange 33434-33534 )"
        vlan vlan_external
    }
    net packet-filter-trusted { }
    sys db packetfilter.allow.arp {
        value "enable"
    }
    sys db packetfilter.allow.important.icmp {
        value "enable"
    }
    sys db packetfilter.defaultaction {
        value "discard"
    }
    sys db packetfilter.defaultlog {
        value "disable"
    }
    sys db packetfilter.established {
        value "disable"
    }
    sys db packetfilter.sendicmperrors {
        value "disable"
    }

    Thanks, Stephan
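Added example, not from the thread or from F5: a small simulation of the filter set Stephan posted, useful for checking that a rule set accepts the intended flows and nothing else before it is applied with `packetfilter.defaultaction` set to `discard`. It assumes (and this is an assumption about BIG-IP behaviour, not something the thread states) that rules are evaluated in ascending `order`, that the first match decides, and that a packet matching no rule gets the default action. Ports are ignored for ICMP flows, in line with the sol10747 note quoted earlier. The flows are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample flow; dport is meaningless for ICMP and left at 0."""
    proto: str   # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: int = 0


# One predicate per rule, transcribed from the posted "rule" strings.
def dnsquery_in(p):      # order 5
    return p.proto in ("UDP", "TCP") and p.dst == "10.10.1.10" and p.dport == 53


def iquery_in(p):        # order 10
    return (p.proto == "TCP" and p.src in ("10.10.2.11", "10.10.3.11")
            and p.dst == "10.10.1.11" and p.dport in (4353, 22))


def traceroute_in(p):    # order 15: dst portrange 33434-33534
    return (p.proto == "UDP" and p.dst in ("10.10.1.10", "10.10.1.11")
            and 33434 <= p.dport <= 33534)


def icmp_in(p):          # order 20
    return p.proto == "ICMP" and p.dst in ("10.10.1.10", "10.10.1.11")


# (order, name, predicate, action); sorted so evaluation follows "order", not list position.
RULES = sorted([
    (5, "filter_dnsquery_in", dnsquery_in, "accept"),
    (20, "filter_icmp_in", icmp_in, "accept"),
    (10, "filter_iquery_in", iquery_in, "accept"),
    (15, "filter_traceroute_in", traceroute_in, "accept"),
], key=lambda r: r[0])

DEFAULT_ACTION = "discard"   # sys db packetfilter.defaultaction { value "discard" }


def evaluate(p, rules=RULES, default=DEFAULT_ACTION):
    """Assumed semantics: first matching rule in ascending order decides,
    otherwise the global default action applies."""
    for _order, name, pred, action in rules:
        if pred(p):
            return action, name
    return default, None


if __name__ == "__main__":
    flows = [
        Packet("UDP", "10.10.5.5", "10.10.1.10", 53),      # DNS to the listener
        Packet("UDP", "10.10.5.5", "10.10.1.11", 53),      # DNS to the self IP: no rule
        Packet("UDP", "10.10.5.5", "10.10.1.11", 33470),   # traceroute probe in range
        Packet("UDP", "10.10.5.5", "10.10.1.11", 33600),   # probe outside the range
        Packet("TCP", "10.10.2.11", "10.10.1.11", 22),     # SSH from a peer GTM
        Packet("TCP", "10.10.9.9", "10.10.1.11", 22),      # SSH from elsewhere
        Packet("ICMP", "10.10.9.9", "10.10.1.10"),         # ping to the listener
    ]
    for f in flows:
        action, name = evaluate(f)
        print(f"{f.proto:4} {f.src:>10} -> {f.dst}:{f.dport:<5} {action:7} {name or '(default)'}")
```

Keeping the transcription beside the live `tmsh` output makes it easy to spot when a rule string and the intent drift apart, for example if the traceroute range were tightened and the self IP stopped answering probes.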