PacketShield
Protected ports
This page applies to:
- HAProxy ALOHA - all versions
This setting enables the SYN cookie and the unmatched packet protection on the listed ports.
Tip: After making changes using the GUI, make them persist after a reboot by going to the Setup tab and clicking Save in the Configuration section. After making changes using the CLI, execute config save to persist the changes.
TCP ports
Several sysfs entries are available to enable this protection; which one to use depends on the type of HAProxy ALOHA / PacketShield deployment:
- /sys/packetshield/<instance name>/<context id>/p_tcp_ports: when the TCP connection is locally terminated (i.e. when using HAProxy on HAProxy ALOHA).
- /sys/packetshield/<instance name>/<context id>/x_tcp_ports: when the TCP connection is terminated by a server behind HAProxy ALOHA and the synproxy mechanism is enabled on HAProxy ALOHA.
Defining a port range:
- A port range is defined by two numbers, the lower and upper ports of the range, separated by the minus sign character (-).
- A port range is inclusive: the lower and upper ports describing the range are included in the range when matching packets.
Add a TCP port
When you add a port or port range to the protected TCP ports list, it is removed from the allowlist.
sysfs
Write the port or range prefixed by the plus sign character (+) in the sysfs entry.
To protect ports 80 and 443 locally load-balanced by HAProxy:
echo "+80" > /sys/packetshield/myinst/Other/p_tcp_ports
echo "+443" > /sys/packetshield/myinst/Other/p_tcp_ports
To protect ports 110, 995 and 1200 to 1250 routed through HAProxy ALOHA:
echo "+110" > /sys/packetshield/myinst/Other/x_tcp_ports
echo "+995" > /sys/packetshield/myinst/Other/x_tcp_ports
echo "+1200-1250" > /sys/packetshield/myinst/Other/x_tcp_ports
GUI
Write the port number or port range after the following statement: <instance name>/<context id>/p_tcp_ports or <instance name>/<context id>/x_tcp_ports.
To protect ports 80 and 443 locally load-balanced by HAProxy:
<instance name>/<context id>/p_tcp_ports 80
<instance name>/<context id>/p_tcp_ports 443
To protect ports 110, 995 and 1200 to 1250 routed through HAProxy ALOHA:
<instance name>/<context id>/x_tcp_ports 110
<instance name>/<context id>/x_tcp_ports 995
<instance name>/<context id>/x_tcp_ports 1200-1250
Remove a TCP port
When you remove a port in the middle of a range, it splits the range into two ranges.
sysfs
Write the port or range prefixed by the minus sign character (-) in the sysfs entry.
To remove the port range from 79 to 81 locally load-balanced by HAProxy:
echo "-79-81" > /sys/packetshield/myinst/Other/p_tcp_ports
To remove port 1250 for traffic routed through HAProxy ALOHA:
echo "-1250" > /sys/packetshield/myinst/Other/x_tcp_ports
GUI
Remove the statement <instance name>/<context id>/p_tcp_ports <port number> or <instance name>/<context id>/x_tcp_ports <port number> that matches the port range you want to remove.
If the port to remove is in the middle of a range, replace the statement with two statements covering the remaining ports on either side of it.
To remove the port 1225 from the range 1200-1250:
myinst/Other/p_tcp_ports 1200-1224
myinst/Other/p_tcp_ports 1226-1250
List protected TCP ports
This function is only available using the CLI.
To list TCP ports currently in the protected port list, read the content of the sysfs entry.
It displays one port or port range per line.
cat /sys/packetshield/myinst/Other/p_tcp_ports
Output:
80
443
cat /sys/packetshield/myinst/Other/x_tcp_ports
Output:
110
995
1200-1250
UDP ports
This section applies to:
- HAProxy ALOHA 15.5 and newer
The sysfs entry /sys/packetshield/<instance name>/<context id>/p_udp_ports enables the SYN cookie and unmatched packet protection on the listed UDP ports for deployments where the QUIC protocol is supported.
Defining a port range:
- A port range is defined by two numbers, the lower and upper ports of the range, separated by the minus sign character (-).
- A port range is inclusive: the lower and upper ports describing the range are included in the range when matching packets.
Add a UDP port
When you add a port or port range to the protected UDP ports list, it is removed from the allowlist.
sysfs
Write the port or range prefixed by the plus sign character (+) in the sysfs entry.
To protect ports 80 and 443:
echo "+80" > /sys/packetshield/myinst/Other/p_udp_ports
echo "+443" > /sys/packetshield/myinst/Other/p_udp_ports
GUI
Write the port number or port range after the following statement: <instance name>/<context id>/p_udp_ports
To protect ports 80 and 443:
<instance name>/<context id>/p_udp_ports 80
<instance name>/<context id>/p_udp_ports 443
Remove a UDP port
When you remove a port in the middle of a range, it splits the range into two ranges.
sysfs
Write the port or range prefixed by the minus sign character (-) in the sysfs entry.
To remove the port range from 79 to 81:
echo "-79-81" > /sys/packetshield/myinst/Other/p_udp_ports
GUI
Remove the statement <instance name>/<context id>/p_udp_ports <port number> that matches the port range you want to remove.
If the port to remove is in the middle of a range, replace the statement with two statements covering the remaining ports on either side of it.
To remove the port 1225 from the range 1200-1250:
myinst/Other/p_udp_ports 1200-1224
myinst/Other/p_udp_ports 1226-1250
List protected UDP ports
This function is only available using the CLI.
To list UDP ports currently in the protected port list, read the content of the sysfs entry.
It displays one port or port range per line.
cat /sys/packetshield/myinst/Other/p_udp_ports
Output:
80
443
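As an added example (not part of the HAProxy ALOHA documentation or product), the following Python model replays the add/remove semantics described in the TCP and UDP sections above: inclusive ranges, the + and - prefixes, and a removal in the middle of a range splitting it in two, with read() producing what cat of the sysfs entry shows. It assumes that overlapping or adjacent ranges written to the same entry are merged into one range, which the page does not state.

```python
# Added example (not HAProxy ALOHA code): models the protected-port list semantics
# of p_tcp_ports / x_tcp_ports / p_udp_ports; assumes overlapping/adjacent ranges merge.
def parse_range(spec):
    """'80' -> (80, 80); '1200-1250' -> (1200, 1250). Ranges are inclusive."""
    low, sep, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("invalid port range: " + spec)
    return lo, hi

class ProtectedPorts:
    def __init__(self):
        self.ranges = []            # sorted, non-overlapping (low, high) pairs
    def write(self, line):
        """Apply one line as it would be echoed into the sysfs entry."""
        line = line.strip()
        if line[:1] not in ("+", "-"):
            raise ValueError("entry must start with + or -: " + line)
        lo, hi = parse_range(line[1:])
        (self._add if line[0] == "+" else self._remove)(lo, hi)
    def _add(self, lo, hi):
        keep = []
        for a, b in self.ranges:
            if b + 1 < lo or a > hi + 1:   # disjoint and not adjacent: keep as is
                keep.append((a, b))
            else:                          # overlapping/adjacent: absorb (assumed)
                lo, hi = min(lo, a), max(hi, b)
        self.ranges = sorted(keep + [(lo, hi)])
    def _remove(self, lo, hi):
        keep = []
        for a, b in self.ranges:
            if b < lo or a > hi:           # range untouched by the removal
                keep.append((a, b))
                continue
            if a < lo:                     # ports left of the removed span
                keep.append((a, lo - 1))
            if b > hi:                     # ports right of it: this is the split
                keep.append((hi + 1, b))
        self.ranges = sorted(keep)
    def read(self):
        """What `cat` of the entry prints: one port or range per line."""
        return "\n".join(str(a) if a == b else f"{a}-{b}" for a, b in self.ranges)

def page_example():
    """Replay the page's x_tcp_ports example, then remove 1225 from 1200-1250."""
    x = ProtectedPorts()
    for cmd in ("+110", "+995", "+1200-1250", "-1225"):
        x.write(cmd)
    return x.read()   # "110\n995\n1200-1224\n1226-1250"
```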