By default, all TCP packets that do not match a protected destination TCP port are dropped.

Hence, for TCP-based traffic to pass through PacketShield, the destination TCP port must be either in the whitelist or in the protected list.

Use sysfs entry

The TCP port whitelist is managed through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_tcp_ports.

Define a port range

A port range is defined by two numbers, the lower and upper ports of the range, separated by the character -.

A port range is inclusive: both the lower and the upper port describing the range are part of the range when matching packets.

Add a TCP port

Note

Adding a port or port range to the TCP port whitelist removes that port or range from the protected list.

sysfs

Write the port or range prefixed by the character + in the sysfs entry.

Whitelist ports 80, 443 and 1200 to 1250:

echo "+80" > /sys/packetshield/myinst/Other/w_tcp_ports
echo "+443" > /sys/packetshield/myinst/Other/w_tcp_ports
echo "+1200-1250" > /sys/packetshield/myinst/Other/w_tcp_ports

GUI

The TCP port whitelist is managed through the statement <instance name>/<context id>/w_tcp_ports.

Whitelist ports 80, 443 and 1200 to 1250:

myinst/Other/w_tcp_ports 80
myinst/Other/w_tcp_ports 443
myinst/Other/w_tcp_ports 1200-1250

Remove a TCP port

Note

Deleting a port in the middle of a configured port range splits the range in two.

sysfs

Write the port or range prefixed by the character - in the sysfs entry.

Remove ports 79 to 81 and port 1250:

echo "-79-81" > /sys/packetshield/myinst/Other/w_tcp_ports
echo "-1250" > /sys/packetshield/myinst/Other/w_tcp_ports

GUI

Remove the statement line matching the TCP port whitelist <instance name>/<context id>/w_tcp_ports <tcp port>.

If the port to remove is in the middle of a range, the single range statement must be replaced by two statements, one for each remaining sub-range.

Remove the port 1225 from the range 1200-1250:

myinst/Other/w_tcp_ports 1200-1224
myinst/Other/w_tcp_ports 1226-1250

List TCP port whitelist contents

Note

This feature is only available through the CLI.

To list the TCP port whitelist, read the sysfs entry. It displays one port or port range per line.

cat /sys/packetshield/myinst/Other/w_tcp_ports
80
443
1200-1250
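The following Python model, added here as an example and not part of PacketShield or its documentation, reproduces the w_tcp_ports semantics described on this page: inclusive ranges, "+" moving ports from the protected list to the whitelist, "-" moving them back and splitting a range when the removed port lies in the middle, and the one-port-or-range-per-line listing. It never touches /sys; the sysfs path, the 0-65535 port bound and the merging of adjacent ports into ranges on output are assumptions made for the model.

```python
# Added example: a model of the w_tcp_ports add/remove/list semantics.
# Not PacketShield code; it does not write to the real sysfs entry.

MAX_PORT = 65535  # assumed upper bound for a valid TCP port


def parse_spec(spec):
    """Parse '80' or '1200-1250' into an inclusive (low, high) tuple."""
    spec = spec.strip()
    if "-" in spec:
        low_s, high_s = spec.split("-", 1)
        low, high = int(low_s), int(high_s)
    else:
        low = high = int(spec)
    if not (0 <= low <= high <= MAX_PORT):
        raise ValueError(f"invalid port or range: {spec!r}")
    return low, high


class TcpPortWhitelist:
    """Whitelisted TCP ports; every other port stays in the protected list."""

    def __init__(self):
        self.ports = set()  # assumption: the entry starts empty

    def write(self, line):
        """Emulate: echo "<line>" > /sys/packetshield/<inst>/<ctx>/w_tcp_ports"""
        line = line.strip()
        if not line or line[0] not in "+-":
            raise ValueError("line must start with + or -")
        low, high = parse_spec(line[1:])
        rng = set(range(low, high + 1))  # inclusive range
        if line[0] == "+":
            # Whitelisting removes the ports from the protected list.
            self.ports |= rng
        else:
            # Removing puts them back; a hole in a range splits it in two.
            self.ports -= rng

    def is_protected(self, port):
        """True when the port is not whitelisted (default handling applies)."""
        return port not in self.ports

    def read(self):
        """Emulate `cat .../w_tcp_ports`: one port or merged range per line."""
        lines = []
        for p in sorted(self.ports):
            if lines and lines[-1][1] == p - 1:
                lines[-1][1] = p  # extend the current contiguous run
            else:
                lines.append([p, p])
        return [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in lines]


def demo():
    """Replay the page's sysfs examples and return each listing in turn."""
    wl = TcpPortWhitelist()
    for cmd in ("+80", "+443", "+1200-1250"):
        wl.write(cmd)
    after_add = wl.read()          # ['80', '443', '1200-1250']
    wl.write("-1225")
    after_split = wl.read()        # ['80', '443', '1200-1224', '1226-1250']
    for cmd in ("-79-81", "-1250"):
        wl.write(cmd)
    after_remove = wl.read()       # ['443', '1200-1224', '1226-1249']
    return after_add, after_split, after_remove


if __name__ == "__main__":
    for listing in demo():
        print("\n".join(listing), end="\n---\n")
```

The model makes the difference between the two interfaces visible: on sysfs a single "-1225" write produces the split listing, while in the GUI the operator has to express the same result as two explicit range statements.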