How to block a TCP Port on KEMP Loadmaster with ACL's.

The LoadMaster can blacklist or whitelist IP addresses but you cannot block ports using an Access Control List (ACL). This article shows you how to block a port for a particular IP address and port combination. If you are using a wildcard Virtual Service, which is marked with an asterisk (*) symbol as the port number, it enables all ports to connect to that Virtual IP (VIP).

If you want to block a specific port from accessing this Virtual Service, create a new Virtual Service using the same VIP and the port you want to block.  

By adding a Real Server to the Virtual Service that has the port you want to block, you mark the Virtual Service as up and healthy. If the service is marked as down, then connections go to the wildcard Virtual Service. Therefore, you should use either a ping health check or set the health check to None. When the health check is set to None, the LoadMaster assumes the Virtual Service is up and healthy. You always want the health check to pass.

After this is done, you can make a whitelist inside the new Virtual Service using the access control feature.

Insert for a whitelist.

This allows only this IP address, which is the localhost IP address, and blocks every other connection from any IP address trying to access this Virtual Service on this port.


To verify that TCP port is being blocked you can capture a TCP dump on the Loadmaster.

Go into the KEMP WUI > System Configuration > Logging Options > System Log Files > Debug Option > TCP dump > select the interface and type the Port number and click Start.

Try to create traffic from a workstation, try to establish  a number of TCP sessions and on the  KEMP Loadmaster and click stop capturing.

Download and Open the pcap with Wireshark.

Note: With the rejection method set to Drop, the LoadMaster will not reply

With the rejection method set to Reject, the LoadMaster sends out an Internet Control Message Protocol (ICMP) destination unreachable packet.

Was this article helpful?

0 out of 0 found this helpful