K7163: Overview of port behavior

Non-Diagnostic

Original Publication Date: Apr 9, 2007

Update Date: Jan 8, 2016

Topic

To control VLAN security, the port lockdown option allows a user to enable or disable connections to the BIG-IP system through the specified VLAN. Refer to K5458: Overview of port_lockdown option for information about configuring port lockdown.

When port lockdown is enabled, most TCP and UDP ports are closed for the VLAN. However, as indicated below, certain infrastructure-related ports are not blocked by the BIG-IP system when port lockdown is enabled.

The following rules apply when port lockdown is enabled for a VLAN:

Only packets addressed to VLAN self IP addresses are subject to the port lockdown filter.

Only TCP SYN packets are subject to the port lockdown filter. All other TCP packets are allowed by the filter.

TCP infrastructure-related traffic accepted by the port lockdown filter

The following TCP destination ports are always allowed by the VLAN (excluding TCP SYN packets):

53, 179, 245, 4353

The following TCP destination ports are conditionally enabled for the VLAN:

The Configuration utility port number, configured using the global webadmin_port setting.

Note: The webadmin_port setting is enabled by default, and the specified port is 443.

Ports controlled by bigpipe global variables.

Note: The global variables listed in the following table default to disabled.

TCP ports          bigpipe global variable
683, 684           open_corba_ports
23                 open_telnet_port
20, 21             open_ftp_ports
22                 open_ssh_port
512, 513, 514      open_rsh_ports
161                open_snmp_port
1028               open_failover_ports

Additional TCP destination ports that are enabled for the VLAN if 3-DNS is licensed:

The port set in global variable namesurfer_zone_port if non-zero (default 0)

The port set in global variable namesurfer_web_port if non-zero (default 0)

UDP infrastructure-related traffic accepted by the port lockdown filter

The following UDP destination ports are always allowed by the VLAN:

123, 245, 520, 4353

The following UDP source and destination ports are controlled by the bigpipe global variables:

Note: All of the following UDP source and destination ports default to disabled, except for open_dnsproxy_ports.

UDP src/dst ports                         bigpipe global variable
dst 53 or (src 53 and dst > 1023)         open_dnsproxy_ports (enabled by default)
dst 161, 162                              open_snmp_port
src 161 and dst > 1023                    open_3dns_ports
src 1645, 1812                            open_radius_ports
dst 1026, 1027                            open_failover_ports

The following additional UDP ports are allowed, if 3-DNS is licensed:

dst 53

The port set in global variable namesurfer_zone_port if non-zero (default 0)

dst 4354 and (src 245 or src 4353)
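The TCP and UDP rules above can be hard to reason about when several global variables and the 3-DNS license interact. The following Python model is an added example, not F5 code, that encodes the accept rules exactly as the article lists them so an operator can check which packets would pass a VLAN with port lockdown enabled, or list the TCP ports that would accept a SYN under a given configuration. The Config, Packet and lockdown_allows names are this example's own; it assumes that the "always allowed" TCP ports accept SYN packets (the filter only inspects SYNs) and that each bigpipe global variable can be modelled as simply enabled or disabled.

```python
"""Model of the BIG-IP 4.x port lockdown accept rules described in K7163.

Added example (not F5 code). Rule tables are transcribed from the article;
the Config/Packet classes and function names are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Ports the article lists as always allowed by the VLAN.
TCP_ALWAYS_ALLOWED = {53, 179, 245, 4353}
UDP_ALWAYS_ALLOWED = {123, 245, 520, 4353}

# TCP ports opened by bigpipe global variables (all default to disabled).
TCP_GLOBAL_PORTS = {
    "open_corba_ports": {683, 684},
    "open_telnet_port": {23},
    "open_ftp_ports": {20, 21},
    "open_ssh_port": {22},
    "open_rsh_ports": {512, 513, 514},
    "open_snmp_port": {161},
    "open_failover_ports": {1028},
}

# UDP src/dst rules controlled by bigpipe global variables (src, dst) -> bool.
UDP_GLOBAL_RULES = {
    "open_dnsproxy_ports": lambda s, d: d == 53 or (s == 53 and d > 1023),
    "open_snmp_port": lambda s, d: d in (161, 162),
    "open_3dns_ports": lambda s, d: s == 161 and d > 1023,
    "open_radius_ports": lambda s, d: s in (1645, 1812),
    "open_failover_ports": lambda s, d: d in (1026, 1027),
}


@dataclass
class Config:
    """Global settings relevant to the filter; defaults follow the article."""
    webadmin_port: Optional[int] = 443            # None models webadmin_port disabled
    enabled_globals: Set[str] = field(default_factory=lambda: {"open_dnsproxy_ports"})
    three_dns_licensed: bool = False
    namesurfer_zone_port: int = 0                 # 0 means not set
    namesurfer_web_port: int = 0


@dataclass
class Packet:
    """The packet fields the filter looks at (constructed for this example)."""
    proto: str          # "tcp" or "udp"
    to_self_ip: bool    # destination is a VLAN self IP address
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag; only SYNs are subject to the filter


def tcp_allowed(pkt: Packet, cfg: Config) -> bool:
    if not pkt.syn:
        return True  # all non-SYN TCP packets pass the filter
    d = pkt.dst_port
    if d in TCP_ALWAYS_ALLOWED:
        return True
    if cfg.webadmin_port is not None and d == cfg.webadmin_port:
        return True
    if any(d in TCP_GLOBAL_PORTS.get(var, ()) for var in cfg.enabled_globals):
        return True
    if cfg.three_dns_licensed:
        for port in (cfg.namesurfer_zone_port, cfg.namesurfer_web_port):
            if port and d == port:
                return True
    return False


def udp_allowed(pkt: Packet, cfg: Config) -> bool:
    s, d = pkt.src_port, pkt.dst_port
    if d in UDP_ALWAYS_ALLOWED:
        return True
    for var in cfg.enabled_globals:
        rule = UDP_GLOBAL_RULES.get(var)
        if rule is not None and rule(s, d):
            return True
    if cfg.three_dns_licensed:
        if d == 53:
            return True
        if cfg.namesurfer_zone_port and d == cfg.namesurfer_zone_port:
            return True
        if d == 4354 and s in (245, 4353):
            return True
    return False


def lockdown_allows(pkt: Packet, cfg: Optional[Config] = None) -> bool:
    """True if the packet would be accepted on a VLAN with port lockdown enabled."""
    cfg = cfg or Config()
    if not pkt.to_self_ip:
        return True  # only traffic to a self IP is subject to the filter
    if pkt.proto == "tcp":
        return tcp_allowed(pkt, cfg)
    if pkt.proto == "udp":
        return udp_allowed(pkt, cfg)
    raise ValueError(f"unsupported protocol {pkt.proto!r}")


def effective_tcp_ports(cfg: Config) -> Set[int]:
    """TCP ports on which a SYN to a self IP would be accepted under cfg."""
    ports = set(TCP_ALWAYS_ALLOWED)
    if cfg.webadmin_port is not None:
        ports.add(cfg.webadmin_port)
    for var in cfg.enabled_globals:
        ports |= TCP_GLOBAL_PORTS.get(var, set())
    if cfg.three_dns_licensed:
        ports |= {p for p in (cfg.namesurfer_zone_port, cfg.namesurfer_web_port) if p}
    return ports


if __name__ == "__main__":
    print(sorted(effective_tcp_ports(Config())))  # default: 53, 179, 245, 443, 4353
    print(lockdown_allows(Packet("tcp", True, 40000, 22, syn=True)))  # False: SSH closed
```

Running effective_tcp_ports against a configuration that mirrors the system's bigpipe global variables is a quick way to confirm that enabling a variable such as open_ssh_port for an administrative task widens the set of reachable ports on every locked-down VLAN, not just the one being worked on.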

Applies to:

Product: Legacy Products, BIG-IP 4.x 4.6.4