http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-concepts-11-2-0/tmos_packet_filters.html
Packet filter rules
Packet filter rules are criteria statements that the BIG-IP system uses for filtering packets. The BIG-IP system attempts to match packet filter rules with an
incoming packet, and if a match exists, determines whether or not to accept or reject the packet.
When you create a packet filter rule, you configure several settings, and then define the criteria that you want the BIG-IP system to use to filter the traffic.
Configuring settings for packet filter rules
You can configure a number of different settings when you create a packet filter rule, beginning with a name for the rule.
Order of packet filter rules
You use the Order setting to specify the order in which you want the BIG-IP system to apply existing packet filter rules. This setting is required.
Possible values for this setting are:
• First
Select this value if you want this packet filter rule to be the first rule that the BIG-IP system applies.
• Last
Select this value if you want this packet filter rule to be the last rule that the BIG-IP system applies.
• After
Select this value, and then select a packet filter rule from the list, if you want the system to apply this packet filter after the packet filter that you select from the list. Note that this setting is most useful when you have more than three packet filter rules configured.
Action
When a packet matches the criteria that you have specified in a packet filter rule, the BIG-IP system can take a specific action. You define this action using the Action setting.
You can choose one of these actions:
• Accept
Select Accept if you want the system to accept the packet, and stop processing additional packet filter rules, if any exist. This is the default setting.
• Discard
Select Discard if you want the system to drop the packet, and stop processing additional packet filter rules, if any exist.
• Reject
Select Reject if you want the system to drop the packet, and also send a rejection packet to the sender, indicating that the packet was refused.
Note that the behavior of the system when you select the Reject action depends on how you configured the general packet filter Options property Send ICMP Error on Packet Reject.
• Continue
Select Continue if you simply want the system to acknowledge the packet for logging or statistical purposes. Setting the Action value to Continue does not affect the way that the BIG-IP system handles the packet; the system continues to evaluate traffic matching a rule, starting with the next packet filter rule in the list.
Rate class assignment
Using the Rate Class setting, you can assign a rate class to traffic that matches the criteria defined in a packet filter rule. Note that this setting applies only when you have the rate-shaping feature enabled.
The default value for this setting is None. If you previously created rate classes using the rate-shaping feature, you can choose one of those rate classes from the Rate Class list.
One or more VLANs
You use the Apply to VLAN setting to display a list of VLANs and then select a VLAN or VLAN group name. Selecting a VLAN from the list means that the packet filter rule filters ingress traffic from that VLAN only. For example, if you select the value *All VLANS, the BIG-IP system applies the packet filter rule to all traffic coming into the BIG-IP system.
Similarly, if you select the VLAN internal, the BIG-IP system applies the packet filter rule to traffic from VLAN internal only. The default value is *All VLANS.
If you select the name of a VLAN group instead of an individual VLAN, the packet filter rule applies to all VLANs in that VLAN group.
Logging
If you want to generate a log message each time a packet matches a rule, you can enable logging for the packet filter rule. With this configuration, you can then display the Logging screen in the Configuration utility and view events related to packet filtering.
Creating a filter expression
To match incoming packets, the BIG-IP system must use a filter expression. A filter expression specifies the criteria that you want the BIG-IP system to use when filtering packets. For example, the BIG-IP system can filter packets based on the source or destination IP address in the header of a packet.
Using the Configuration utility, you can create a filter expression in either of two ways:
• You can write your own expression, using the Filter Expression box.
• You can specify a set of criteria (such as source or destination IP addresses) that you want the BIG-IP system to use when filtering packets. When you use this method, the BIG-IP system builds a filter expression for you.
You can have as many rules as you want, limited only by the available memory.
Of course, the more statements you have, the more challenging it is to understand and maintain your packet filters.
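As an added illustration (not from the F5 manual), the following Python model applies the Order, Action, Apply to VLAN and Logging semantics described above to constructed sample packets. The filter expression is stood in for by a Python predicate, and the fallback verdict for packets that no rule handles is an assumption of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

ACCEPT, DISCARD, REJECT, CONTINUE = "Accept", "Discard", "Reject", "Continue"
ALL_VLANS = "*All VLANS"

@dataclass
class Packet:            # constructed view of the header fields a rule can test
    src: str
    dst: str
    dport: int
    vlan: str            # ingress VLAN

@dataclass
class Rule:
    name: str
    action: str
    match: Callable[[Packet], bool]  # stands in for the rule's filter expression
    vlan: str = ALL_VLANS            # the "Apply to VLAN" setting
    log: bool = False                # the Logging setting

def place(rules, rule, order, after=None):
    """Model the Order setting: First, Last, or After <existing rule name>."""
    if order == "First":
        return [rule] + rules
    if order == "Last":
        return rules + [rule]
    idx = [r.name for r in rules].index(after)   # ValueError if 'after' is unknown
    return rules[:idx + 1] + [rule] + rules[idx + 1:]

def evaluate(rules, pkt, default=ACCEPT):
    """Walk the rules in order; return (verdict, deciding rule name, log lines).
    'default' is an assumed fallback for packets that no rule handles."""
    logs = []
    for r in rules:
        if r.vlan != ALL_VLANS and r.vlan != pkt.vlan:
            continue                        # rule is scoped to a different VLAN
        if not r.match(pkt):
            continue
        if r.log:
            logs.append(f"{r.name}: {pkt.src}->{pkt.dst}:{pkt.dport} on {pkt.vlan}")
        if r.action == CONTINUE:
            continue                        # logged/counted only; keep evaluating
        return r.action, r.name, logs       # Accept, Discard and Reject stop here
    return default, None, logs

# Constructed rule set, added in the order an administrator might create them.
RULES = place([], Rule("block-ssh", REJECT, lambda p: p.dport == 22), "Last")
RULES = place(RULES, Rule("mgmt-ssh", ACCEPT, lambda p: p.dport == 22 and ip_address(p.src) in ip_network("10.0.0.0/8"), vlan="internal"), "First")
RULES = place(RULES, Rule("count-ssh", CONTINUE, lambda p: p.dport == 22, log=True), "First")
RULES = place(RULES, Rule("drop-telnet", DISCARD, lambda p: p.dport == 23, vlan="external"), "After", after="mgmt-ssh")
```

Running `evaluate(RULES, pkt)` shows that the Continue rule only adds a log line while the first Accept, Discard or Reject match decides the packet, and that a rule scoped to one VLAN is skipped for traffic arriving on another.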
1/16/2014