This documentation is for HAProxy ALOHA 12.0, if you are looking for the latest version see here.
PacketShield example
In the following example, we show how to set up PacketShield to:
- Enable PacketShield on the interface eth8
- Configure a default ruleset that:
  - Allows the ICMP and VRRP protocols (IP protocol numbers 1 and 112)
  - Enables protection on TCP ports 80 and 443 for services load-balanced by the ALOHA itself
  - Enables protection on TCP ports 25, 110, 143, 993 and 995 for services routed through the ALOHA
  - Whitelists traffic coming from 10.0.0.0/24
- Protect the VIP 192.168.0.1 for an FTP service routed through the ALOHA, covering the control port 21 and the passive data ports 50000 to 60000
Using the GUI
instances mydemo
mydemo/ifaces eth8
mydemo/drop_empty_ack 100
mydemo/Other/new_cookie_threshold 10000-5000
mydemo/Other/unmatch_drop_threshold 10000-5000
mydemo/Other/unknown_ttlfilter_threshold 10000-5000
mydemo/Other/w_protocols 1
mydemo/Other/w_protocols 112
mydemo/Other/w_source 10.0.0.0-255
mydemo/Other/p_tcp_ports 80
mydemo/Other/p_tcp_ports 443
mydemo/Other/x_tcp_ports 25
mydemo/Other/x_tcp_ports 110
mydemo/Other/x_tcp_ports 143
mydemo/Other/x_tcp_ports 993
mydemo/Other/x_tcp_ports 995
mydemo/contexts 192.168.0.1
mydemo/192.168.0.1/new_cookie_threshold 10000-5000
mydemo/192.168.0.1/unmatch_drop_threshold 10000-5000
mydemo/192.168.0.1/unknown_ttlfilter_threshold 10000-5000
mydemo/192.168.0.1/x_tcp_ports 21
mydemo/192.168.0.1/x_tcp_ports 50000-60000
Using the CLI / sysfs
$ echo +mydemo >/sys/packetshield/instances
$ echo +eth8 >/sys/packetshield/mydemo/ifaces
$ echo 100 >/sys/packetshield/mydemo/Other/drop_empty_ack
$ echo 10000-5000 >/sys/packetshield/mydemo/Other/new_cookie_threshold
$ echo 10000-5000 >/sys/packetshield/mydemo/Other/unmatch_drop_threshold
$ echo 10000-5000 >/sys/packetshield/mydemo/Other/unknown_ttlfilter_threshold
$ echo +1 >/sys/packetshield/mydemo/Other/w_protocols
$ echo +112 >/sys/packetshield/mydemo/Other/w_protocols
$ echo +10.0.0.0-255 >/sys/packetshield/mydemo/Other/w_sources
$ echo +80 >/sys/packetshield/mydemo/Other/p_tcp_ports
$ echo +443 >/sys/packetshield/mydemo/Other/p_tcp_ports
$ echo +25 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +110 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +143 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +993 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +995 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +192.168.0.1 >/sys/packetshield/mydemo/contexts
$ echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/new_cookie_threshold
$ echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unmatch_drop_threshold
$ echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unknown_ttlfilter_threshold
$ echo +21 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
$ echo +50000-60000 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
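As an added example that is not part of the ALOHA documentation, the following Python helper expresses the ruleset above as data and generates the sysfs writes in the order the CLI section uses (instance, interfaces, default ruleset, then each context), validating every TCP port specification before anything is written. The data model, the function names and the scratch-directory option are assumptions of this example; the sysfs paths (including the Other/ prefix and the w_sources name from the CLI section) and the value formats are taken from the page, and no meaning beyond what the page shows is assumed for the threshold values.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_ROOT = "/sys/packetshield"   # sysfs root shown on the page


def port_spec(spec: str) -> str:
    """Validate a TCP port ('21') or port range ('50000-60000') as used by the page."""
    lo, _, hi = spec.partition("-")
    lo_n = int(lo)
    hi_n = int(hi) if hi else lo_n
    if not 1 <= lo_n <= hi_n <= 65535:
        raise ValueError(f"invalid TCP port spec {spec!r}")
    return spec


def threshold_spec(spec: str) -> str:
    """Validate the 'N-M' threshold form shown on the page (two non-negative integers)."""
    parts = spec.split("-")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"invalid threshold spec {spec!r}")
    return spec


@dataclass
class Ruleset:
    """One ruleset: the default one lives under Other/, a context one under <VIP>/."""
    thresholds: Dict[str, str] = field(default_factory=dict)   # *_threshold -> "N-M"
    w_protocols: List[int] = field(default_factory=list)       # whitelisted IP protocol numbers
    w_sources: List[str] = field(default_factory=list)         # whitelisted source ranges
    p_tcp_ports: List[str] = field(default_factory=list)       # protected, served by the ALOHA
    x_tcp_ports: List[str] = field(default_factory=list)       # protected, routed through

    def writes(self, base: str) -> List[Tuple[str, str]]:
        # List attributes receive "+value" (add an entry); thresholds receive the bare value.
        out = [(f"{base}/{k}", threshold_spec(v)) for k, v in self.thresholds.items()]
        out += [(f"{base}/w_protocols", f"+{p}") for p in self.w_protocols]
        out += [(f"{base}/w_sources", f"+{s}") for s in self.w_sources]
        out += [(f"{base}/p_tcp_ports", f"+{port_spec(p)}") for p in self.p_tcp_ports]
        out += [(f"{base}/x_tcp_ports", f"+{port_spec(p)}") for p in self.x_tcp_ports]
        return out


@dataclass
class Instance:
    name: str
    ifaces: List[str]
    drop_empty_ack: int
    default: Ruleset
    contexts: Dict[str, Ruleset] = field(default_factory=dict)   # VIP -> its ruleset


def plan(inst: Instance, root: str = DEFAULT_ROOT) -> List[Tuple[str, str]]:
    """Return (sysfs path, value) pairs in dependency order: the instance must exist
    before its interfaces and rules, and a context before the rules under it."""
    base = f"{root}/{inst.name}"
    out = [(f"{root}/instances", f"+{inst.name}")]
    out += [(f"{base}/ifaces", f"+{i}") for i in inst.ifaces]
    out.append((f"{base}/Other/drop_empty_ack", str(inst.drop_empty_ack)))
    out += inst.default.writes(f"{base}/Other")
    for vip, rules in inst.contexts.items():
        out.append((f"{base}/contexts", f"+{vip}"))
        out += rules.writes(f"{base}/{vip}")
    return out


def apply_plan(inst: Instance, root: str = DEFAULT_ROOT, dry_run: bool = False) -> List[str]:
    """Perform the writes and return the equivalent shell commands for the change record."""
    cmds = []
    for path, value in plan(inst, root):
        cmds.append(f"echo {value} >{path}")
        if dry_run:
            continue
        # On an ALOHA the kernel creates the instance and context directories itself;
        # makedirs only matters when root points at a scratch directory for rehearsal.
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")
    return cmds


def page_example() -> Instance:
    """The ruleset from this page, expressed with the helper's data model."""
    common = {"new_cookie_threshold": "10000-5000",
              "unmatch_drop_threshold": "10000-5000",
              "unknown_ttlfilter_threshold": "10000-5000"}
    return Instance(
        name="mydemo", ifaces=["eth8"], drop_empty_ack=100,
        default=Ruleset(thresholds=dict(common), w_protocols=[1, 112],   # 1 = ICMP, 112 = VRRP
                        w_sources=["10.0.0.0-255"],
                        p_tcp_ports=["80", "443"],
                        x_tcp_ports=["25", "110", "143", "993", "995"]),
        contexts={"192.168.0.1": Ruleset(thresholds=dict(common),
                                         x_tcp_ports=["21", "50000-60000"])},
    )


if __name__ == "__main__":
    # Dry run prints the same 22 commands as the CLI section, without touching /sys.
    print("\n".join(apply_plan(page_example(), dry_run=True)))
```

Running the module with `dry_run=True` reproduces the CLI section line for line, which makes it a convenient way to review a ruleset before applying it; pointing `root` at a scratch directory lets the writes be rehearsed on a machine that is not an ALOHA.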