This setting enables the SYN cookie and the unmatched protection on the listed TCP ports.

Use sysfs entry

Several sysfs entries are available to enable this protection and can be used depending on the type of ALOHA / Packetshield deployment:

  • /sys/packetshield/<instance name>/<context id>/p_tcp_ports

    When the TCP connection is locally terminated (i.e. when using HAProxy on the ALOHA).

  • /sys/packetshield/<instance name>/<context id>/x_tcp_ports

    When the TCP connection is terminated by a server behind the ALOHA and the synproxy mechanism is enabled on the ALOHA.

Define the port range

  • A port range is defined by two numbers representing the lower and upper ports of the range separated by the character -.

  • A port range is inclusive: the lower and upper ports describing the range are both included in the range when matching packets.

Add a TCP port

When you add a port or port range to the protected TCP ports list, it is removed from the white list.

sysfs

Write the port or range prefixed by the character + in the sysfs entry.

To protect ports 80 and 443 locally load-balanced by HAProxy:

echo "+80"  > /sys/packetshield/myinst/Other/p_tcp_ports
echo "+443" > /sys/packetshield/myinst/Other/p_tcp_ports

To protect ports 110, 995 and 1200 to 1250 routed through the ALOHA:

echo "+110" > /sys/packetshield/myinst/Other/x_tcp_ports
echo "+995" > /sys/packetshield/myinst/Other/x_tcp_ports
echo "+1200-1250" > /sys/packetshield/myinst/Other/x_tcp_ports

GUI

Write the port number or port range after the following statement <instance name>/<context id>/p_tcp_ports or <instance name>/<context id>/x_tcp_ports:

To protect ports 80 and 443 locally load-balanced by HAProxy:

<instance name>/<context id>/p_tcp_ports 80
<instance name>/<context id>/p_tcp_ports 443

To protect ports 110, 995 and 1200 to 1250 routed through the ALOHA:

<instance name>/<context id>/x_tcp_ports 110
<instance name>/<context id>/x_tcp_ports 995
<instance name>/<context id>/x_tcp_ports 1200-1250

Remove a TCP port

When you remove a port in the middle of a range, the range is split into two ranges.

sysfs

Write the port or range prefixed by character - in the sysfs entry.

To remove the port range 79 to 81 locally load-balanced by HAProxy:

echo "-79-81" > /sys/packetshield/myinst/Other/p_tcp_ports

To remove port 1250 for traffic routed through the ALOHA:

echo "-1250" > /sys/packetshield/myinst/Other/x_tcp_ports

GUI

Remove the statement <instance name>/<context id>/p_tcp_ports <port number> or <instance name>/<context id>/x_tcp_ports <port number> that matches the port range you want to remove.

If the port to remove is in the middle of a range, replace the statement with two statements that cover the remaining ports on each side of it.

To remove the port 1225 from the range 1200-1250:

myinst/Other/p_tcp_ports 1200-1224
myinst/Other/p_tcp_ports 1226-1250
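The add and remove semantics described above (inclusive ranges, the + and - prefixes written to the sysfs entry, and a removal in the middle of a range splitting it in two) are modelled below as an added Python example; this is not ALOHA or Packetshield code. It assumes ports 1 to 65535, merges overlapping ranges when adding (the page does not say how the appliance stores overlaps), and `write_entry` only validates a spec before echoing it to whatever path you pass, so it can be tried offline against an ordinary file. `gui_statements` produces the two-statement form needed in the GUI after a port is removed from the middle of a range.

```python
import re
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive (lower, upper) pair, as on the ALOHA

# One sysfs write: '+' or '-' prefix, a port, optionally '-' and an upper port.
_SPEC = re.compile(r"^([+-])(\d+)(?:-(\d+))?$")


def parse_spec(spec: str) -> Tuple[str, Range]:
    """Parse '+80', '+1200-1250' or '-79-81' into (op, (lo, hi)).

    The 1..65535 bound is an assumption of this example, not a documented limit.
    """
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"bad port spec (expected +port, +lo-hi, -port or -lo-hi): {spec!r}")
    op, lo, hi_txt = m.group(1), int(m.group(2)), m.group(3)
    hi = int(hi_txt) if hi_txt is not None else lo
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535) or lo > hi:
        raise ValueError(f"port range out of bounds or out of order: {spec!r}")
    return op, (lo, hi)


def _normalize(ranges: List[Range]) -> List[Range]:
    """Sort ranges and merge overlapping ones (assumed behaviour; adjacent ranges stay separate)."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def remove_range(ranges: List[Range], cut: Range) -> List[Range]:
    """Remove an inclusive range; a cut inside a range splits it into two ranges."""
    lo, hi = cut
    out: List[Range] = []
    for a, b in ranges:
        if b < lo or a > hi:          # untouched by the cut
            out.append((a, b))
            continue
        if a < lo:                    # keep the part below the cut
            out.append((a, lo - 1))
        if b > hi:                    # keep the part above the cut
            out.append((hi + 1, b))
    return out


class ProtectedPorts:
    """In-memory model of one p_tcp_ports / x_tcp_ports entry."""

    def __init__(self) -> None:
        self.ranges: List[Range] = []

    def write(self, spec: str) -> "ProtectedPorts":
        op, rng = parse_spec(spec)
        if op == "+":
            self.ranges = _normalize(self.ranges + [rng])
        else:
            self.ranges = remove_range(self.ranges, rng)
        return self

    def read(self) -> str:
        """Render the list the way `cat` on the sysfs entry does: one port or range per line."""
        return "\n".join(f"{a}" if a == b else f"{a}-{b}" for a, b in self.ranges)

    def contains(self, port: int) -> bool:
        return any(a <= port <= b for a, b in self.ranges)

    def gui_statements(self, entry: str = "<instance name>/<context id>/x_tcp_ports") -> List[str]:
        """GUI statements equivalent to the current list (e.g. after a middle port was removed)."""
        return [f"{entry} {line}" for line in self.read().splitlines()]


def write_entry(path: str, spec: str) -> str:
    """Validate a spec, then append it to the given sysfs entry (or any file path) like `echo`."""
    parse_spec(spec)  # raises before anything is written
    with open(path, "a") as fh:
        fh.write(spec + "\n")
    return spec


if __name__ == "__main__":
    # The page's x_tcp_ports sequence, then removing port 1225 from the middle of the range.
    ports = ProtectedPorts().write("+110").write("+995").write("+1200-1250")
    print(ports.read())          # 110 / 995 / 1200-1250
    ports.write("-1225")
    print("\n".join(ports.gui_statements()))
```

The model reproduces the listings shown under "List protected TCP ports": writing +110, +995 and +1200-1250 reads back as three lines, and removing 1225 afterwards leaves 1200-1224 and 1226-1250, which is exactly the pair of GUI statements the removal procedure calls for.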

List protected TCP ports

This function is only available using the CLI.

To list TCP ports currently in the protected port list, read the content of the sysfs entry.

It displays one port or port range per line.

cat /sys/packetshield/myinst/Other/p_tcp_ports
80
443
cat /sys/packetshield/myinst/Other/x_tcp_ports
110
995
1200-1250