Forum Discussion

Greg_130338
Apr 30, 2014

Forwarding IP Question

I am going through some rules in our BigIP and I found one that is particularly disturbing (I think). We have an IP forwarding virtual server with both source and destination set to 0.0.0.0. This is allowing access to SSH, WebGUI, etc. through our public self IP address. I believe this was done to allow for management traffic to pass to servers that sit behind the IP which use it as their default gateway (ICMP, RDP, etc.) as well as facilitate the connection for those servers to access the Internet. There is no way this is best practice and I need to know the best way to remediate this asap. I think the desired configuration would be to configure a SNAT for the subnet that sits behind the BigIP, and then configure another VS that would enable management traffic to pass between internal subnets. I just need some clarification.

Thanks in advance.

9 Replies

  • You've a multitude of options. I don't see S/NAT as a security measure at all I'm afraid.

    * Leave the VS as is and use a packet filter (or AFM) to restrict inbound access
    * Leave the VS as is and use an iRule to restrict inbound access
    * My preference: Leave the VS for the outbound access, disable it on the external VLAN. For inbound management create port specific VSs AND associated packet filters to restrict access.
    * Better yet, use a secure access method (VPN, PPTP whatever) that doesn't go through the F5 and apply static routes as necessary on the servers.


  • Now my question is, if I change this, does this impact both ingress and egress traffic? If I change this to allow none, will that deny traffic inbound to this address but still maintain the ability to NAT for these servers that route through the BigIP? Will it impact any of the other virtual servers that are connecting through this external interface?

    Port lockdown setting affects traffic destined to the self IP (i.e. it does not affect virtual server and SNAT list traffic).

    • Greg_130338
      Gotcha. So best practice for an external interface self-IP that is not inline with a firewall would be to create a custom list I would imagine? The Allow Default still allows https and ssh, allowing management of the BigIP from outside our network. Specific ports I should be looking to allow here?
  • Normally the external self IP's port lockdown should be set to none.

    Administration should be done through the management interface or an internal self IP.

    • Greg_130338
      10-4. Thanks all. I'm sure I'll have more hardening questions as I go through and fix a lot of this default config setup.
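Putting the preferred option from the first reply (keep the forwarding VS for outbound only, per-port VSs plus packet filters for inbound management) together with the port-lockdown advice above, here is what that looks like in tmsh. This is an added example, not configuration from the thread or from F5: the object names (forward_all, external_self, rdp_jumphost), the VLAN names "internal" and "external", and the RFC 5737 addresses are assumed placeholders, and the exact property syntax should be checked against the tmsh reference for your TMOS version before running it. Run it from a session that does not come in over the external self IP, since step 2 cuts that path off.

```tmsh
# 1. Keep the 0.0.0.0/0 -> 0.0.0.0/0 forwarding VS for OUTBOUND traffic only:
#    listen on the internal VLAN, not on external, and SNAT the servers to the
#    BIG-IP's external address so return traffic comes back through it.
#    (Assumed names: VS "forward_all", VLANs "internal"/"external".)
tmsh modify ltm virtual forward_all \
    vlans replace-all-with { internal } vlans-enabled \
    source-address-translation { type automap }

# 2. Port lockdown on the external self IP: nothing reaches the BIG-IP's own
#    services (SSH, WebGUI, ...) via the public address. As the reply above
#    says, this only affects traffic to the self IP itself, not virtual
#    servers or SNATs, so the servers' outbound path is unchanged.
tmsh modify net self external_self allow-service none

# 3. Inbound management to a server behind the BIG-IP: one port-specific VS
#    per service instead of the catch-all, restricted to the admin network
#    (assumed 198.51.100.0/24) at the VS and again by a packet filter.
#    Public VIP 203.0.113.5, internal host 10.1.1.20 are assumed addresses.
tmsh create ltm pool rdp_jumphost members add { 10.1.1.20:3389 }
tmsh create ltm virtual rdp_jumphost_vs \
    destination 203.0.113.5:3389 source 198.51.100.0/24 ip-protocol tcp \
    profiles add { tcp } pool rdp_jumphost \
    vlans replace-all-with { external } vlans-enabled \
    source-address-translation { type automap }

# Packet filters use a tcpdump-style expression and are evaluated before the
# packet reaches any VS: accept RDP to the VIP from the admin net, discard
# the rest. Lower "order" is matched first.
tmsh create net packet-filter rdp_admin_only order 10 action accept \
    rule "( dst host 203.0.113.5 ) and ( tcp dst port 3389 ) and ( src net 198.51.100.0/24 )"
tmsh create net packet-filter rdp_drop_others order 20 action discard \
    rule "( dst host 203.0.113.5 ) and ( tcp dst port 3389 )"

# 4. Verify: the forwarding VS is no longer enabled on external, and the
#    external self IP accepts no services.
tmsh list ltm virtual forward_all vlans vlans-enabled source-address-translation
tmsh list net self external_self allow-service
tmsh list net packet-filter
tmsh save sys config
```

Two caveats a practitioner would check. First, if your version does not accept the `source` keyword on a virtual server, drop it and rely on the packet filter alone; either way the packet filter is the layer that still holds if someone later widens the VS. Second, step 1 changes what the Internet sees as the servers' source address (the BIG-IP's external self IP instead of whatever the forwarding VS exposed before), so any remote allow-lists keyed on the old addresses need updating.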