PacketShield
Setup
This page applies to:
- HAProxy ALOHA - all versions
To set up PacketShield:
- In the GUI, open the Services tab and scroll to the bottom of the page.
- Click on the Advanced Mode link.
- Locate the line PacketShield.
- Click Edit to access the PacketShield configuration.
- Delete the no autostart statement.
- Click OK and then Close.
- Click Reload.
- To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
Configuring PacketShield
The PacketShield configuration interface uses sysfs. When you load the PacketShield module, it automatically creates the sysfs directory /sys/packetshield, from which all configuration can be performed.
Use the GUI for configuration
- In the GUI, open the Services tab and scroll to the bottom of the page.
- Click on the Advanced Mode link.
- Locate the line PacketShield.
- Click Edit to access the PacketShield configuration. A text area opens and shows the current configuration.
- Update the configuration and apply it.
- Click OK and then Close.
- Click Reload on the PacketShield line.
- To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
Use the CLI for configuration
- Connect via SSH to HAProxy ALOHA.
  Launch a terminal: since HAProxy ALOHA version 13.5, you can also connect via Launch a terminal in the web UI's Tools tab.
- Type root to get root rights.
- To access the PacketShield configuration, make entries into /sys/packetshield as described in the instructions.
- When your configuration is optimal, you can save it using the following command:

```bash
service packetshield store
```

  Caution
  The configuration applies directly to live traffic.
- Execute config save to make changes persist after a reboot.
Read error codes
When you configure PacketShield using the CLI, you may get the following error codes:
Error Code | Description
---|---
2 / ENOENT | object or configuration setting not found |
5 / EIO | input string is malformed |
16 / EBUSY | object already attached to another instance |
17 / EEXIST | object or configuration setting already exists |
19 / ENODEV | object does not exist |
28 / ENOSPC | object is full |
Examples
In the following examples, we show how to set up PacketShield:
- Enable PacketShield on the interface eth8
- Configure a default rule set which:
  - Allows the ICMP and VRRP protocols
  - Allowlists traffic coming from 10.0.0.0/24
  - Enables protection on TCP ports 80 and 443 for services load-balanced by HAProxy ALOHA itself
  - Enables protection on TCP ports 25, 110, 143, 993, 995 for services routed through HAProxy ALOHA
- Protect the VIP 192.168.0.1 for FTP passive traffic, with data ports from 50000 to 60000, for an FTP service routed through HAProxy ALOHA
Using the GUI
Tip
After making changes using the GUI, make the changes persist after a reboot by going to the Setup tab and clicking Save within the Configuration section.
```text
instances mydemo
mydemo/ifaces eth8
mydemo/drop_empty_ack 100
mydemo/Other/new_cookie_threshold 10000-5000
mydemo/Other/unmatch_drop_threshold 10000-5000
mydemo/Other/unknown_ttlfilter_threshold 10000-5000
mydemo/Other/w_protocols 1
mydemo/Other/w_protocols 112
mydemo/Other/w_source 10.0.0.0-255
mydemo/Other/p_tcp_ports 80
mydemo/Other/p_tcp_ports 443
mydemo/Other/x_tcp_ports 25
mydemo/Other/x_tcp_ports 110
mydemo/Other/x_tcp_ports 143
mydemo/Other/x_tcp_ports 993
mydemo/Other/x_tcp_ports 995
mydemo/contexts 192.168.0.1
mydemo/192.168.0.1/new_cookie_threshold 10000-5000
mydemo/192.168.0.1/unmatch_drop_threshold 10000-5000
mydemo/192.168.0.1/unknown_ttlfilter_threshold 10000-5000
mydemo/192.168.0.1/x_tcp_ports 21
mydemo/192.168.0.1/x_tcp_ports 50000-60000
```
Using the CLI
Tip
After making changes using the CLI, you must execute config save to persist the changes.
```bash
echo +mydemo >/sys/packetshield/instances
echo +eth8 >/sys/packetshield/mydemo/ifaces
echo 100 >/sys/packetshield/mydemo/Other/drop_empty_ack
echo 10000-5000 >/sys/packetshield/mydemo/Other/new_cookie_threshold
echo 10000-5000 >/sys/packetshield/mydemo/Other/unmatch_drop_threshold
echo 10000-5000 >/sys/packetshield/mydemo/Other/unknown_ttlfilter_threshold
echo +1 >/sys/packetshield/mydemo/Other/w_protocols
echo +112 >/sys/packetshield/mydemo/Other/w_protocols
echo +10.0.0.0-255 >/sys/packetshield/mydemo/Other/w_sources
echo +80 >/sys/packetshield/mydemo/Other/p_tcp_ports
echo +443 >/sys/packetshield/mydemo/Other/p_tcp_ports
echo +25 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +110 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +143 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +993 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +995 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +192.168.0.1 >/sys/packetshield/mydemo/contexts
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/new_cookie_threshold
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unmatch_drop_threshold
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unknown_ttlfilter_threshold
echo +21 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
echo +50000-60000 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
```
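The same setup driven from a script, as an added example that is not part of HAProxy ALOHA or its documentation: it turns GUI-style path/value lines into the ordered sysfs writes of the CLI example (dry-run by default, because writes to /sys/packetshield hit live traffic) and explains any errno with the error-code table above. Which entries are sets written with a leading + is inferred from the page's CLI example and is an assumption, as is the SAMPLE input, which is constructed from a subset of the GUI example.

```python
import errno
# Error-code table from this page: errno value -> PacketShield meaning.
PACKETSHIELD_ERRORS = {
    errno.ENOENT: "object or configuration setting not found",      # 2
    errno.EIO: "input string is malformed",                         # 5
    errno.EBUSY: "object already attached to another instance",     # 16
    errno.EEXIST: "object or configuration setting already exists", # 17
    errno.ENODEV: "object does not exist",                          # 19
    errno.ENOSPC: "object is full",                                 # 28
}
# Assumption inferred from the page's CLI example: members of these set-type
# entries are added with a leading '+'; other entries are plain scalar values.
SET_ENTRIES = {"instances", "ifaces", "contexts", "w_protocols", "w_sources",
               "w_source", "p_tcp_ports", "x_tcp_ports"}
SYSFS_ROOT = "/sys/packetshield"
# Constructed sample: a subset of the page's GUI example (1 = ICMP, 112 = VRRP).
SAMPLE = ("instances mydemo\nmydemo/ifaces eth8\nmydemo/Other/w_protocols 1\n"
          "mydemo/Other/w_protocols 112\nmydemo/Other/new_cookie_threshold 10000-5000\n")

def to_sysfs_writes(config_text):
    """GUI-style 'path value' lines -> ordered (value, sysfs_path) pairs."""
    writes = []
    for raw in config_text.splitlines():
        key, _, value = raw.strip().partition(" ")
        if not key:
            continue                       # blank line
        value = value.strip()
        if not value:
            raise ValueError(f"malformed line: {raw!r}")
        if key.rsplit("/", 1)[-1] in SET_ENTRIES:
            value = "+" + value            # add member to a set
        writes.append((value, f"{SYSFS_ROOT}/{key}"))
    return writes

def apply_writes(writes, dry_run=True):
    """Apply in order (an instance must exist before its children); returns
    (path, value, result) triples with errno explained via the page's table."""
    results = []
    for value, path in writes:
        if dry_run:                        # default: sysfs writes hit live traffic
            results.append((path, value, "dry-run"))
            continue
        try:
            with open(path, "w") as fh:
                fh.write(value + "\n")     # same payload as 'echo value > path'
            results.append((path, value, "ok"))
        except OSError as exc:
            meaning = PACKETSHIELD_ERRORS.get(exc.errno, exc.strerror)
            results.append((path, value, f"error {exc.errno}: {meaning}"))
    return results
```

Review the dry-run output, then call apply_writes(writes, dry_run=False) as root on the appliance and finish with service packetshield store and config save as described above.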