HAProxy Enterprise Documentation 12.5

Allowlists / Denylists

Allowlists

Traffic coming from IPs in the whitelist is accepted, regardless of the TCP/UDP port filtering policies.

Neither the whitelist nor the blacklist can contain more than 512 different class C networks.

Setting IP address or IP range

PacketShield accepts two types of IP addresses:

  • Single host, for example 10.0.0.1

  • IP range within a class C network, for example 10.0.0.0-255 or 10.0.0.10-20

Note

IP range is inclusive, which means that the lower and upper IP addresses describing the range are included in the range when matching packets.

Use sysfs entry

PacketShield manages the source IP whitelist through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_sources.

Add an IP to a whitelist

When you add an address to the IP source whitelist, it is automatically removed from the blacklist.

sysfs

Write the IPv4 address or range prefixed by the character + to the sysfs entry.

To add a single host:

$ echo "+10.0.2.3" > /sys/packetshield/myinst/Other/w_sources

To add a whole class C subnet:

$ echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/w_sources

To add 11 consecutive IPs of the same range:

$ echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/w_sources

GUI

Use the statement <instance name>/<context id>/w_sources followed by the IP address or range.

To add a single host:

<instance name>/<context id>/w_sources 10.0.2.3

To add a whole class C subnet:

<instance name>/<context id>/w_sources 10.0.3.0-255

To add 11 consecutive IPs of the same range:

<instance name>/<context id>/w_sources 10.0.4.10-20

Remove an IP

Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.

sysfs

Write the IPv4 address or range prefixed by the character - to the sysfs entry.

$ echo "-10.0.3.100" > /sys/packetshield/myinst/Other/w_sources
$ echo "-10.0.4.10-15" > /sys/packetshield/myinst/Other/w_sources

GUI

Remove the statement <instance name>/<context id>/w_sources <IP address> that matches the IP address or range.

If the IP address to remove is in the middle of an existing range, replace the statement with the ranges that remain on either side of it.

To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:

myinst/Other/w_sources 10.0.3.0-99
myinst/Other/w_sources 10.0.3.101-255

List IPs

This function is only available using the CLI.

To list the IPs currently configured in the source IP whitelist, read the content of the sysfs entry. It displays one IPv4 address or range within a class C network per line.

$ cat /sys/packetshield/myinst/Other/w_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255

Protocol whitelist

By default, all protocols are dropped except TCP and UDP.

PacketShield identifies the protocols in its whitelist by their IANA assigned Internet protocol numbers.

The list of protocol numbers is published online by IANA.

Use sysfs entry

The sysfs entry /sys/packetshield/<instance name>/<context id>/w_protocols manages the protocol whitelist.

Add a protocol

sysfs

Write the protocol number prefixed by the character + to the sysfs entry.

To allow ICMP (1) and VRRP (112):

$ echo "+1" > /sys/packetshield/myinst/Other/w_protocols
$ echo "+112" > /sys/packetshield/myinst/Other/w_protocols

GUI

Use the statement <instance name>/<context id>/w_protocols followed by the <protocol number>.

To allow ICMP (1) and VRRP (112):

myinst/Other/w_protocols 1
myinst/Other/w_protocols 112

Remove a protocol

sysfs

Write the protocol number prefixed by the character - to the sysfs entry.

To remove ICMP (1):

$ echo "-1" > /sys/packetshield/myinst/Other/w_protocols

GUI

Remove the statement <instance name>/<context id>/w_protocols <protocol number> that matches the <protocol number> you want to remove.

Display protocol whitelist

This function is only available through the CLI.

To list the protocols currently in the whitelist, read the content of the sysfs entry. It displays one protocol number per line.

$ cat /sys/packetshield/myinst/Other/w_protocols
1
112

TCP port whitelist

By default, all TCP packets that do not match a protected destination TCP port are dropped.

Hence, for TCP-based traffic to pass through PacketShield, the destination TCP port must be either in the whitelist or in the protected list.

Use sysfs entry

The TCP port whitelist is managed through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_tcp_ports.

Define a port range

A port range is defined by two numbers, the lower and upper ports of the range, separated by the character -.

Port ranges are inclusive: the lower and upper ports describing the range are included in the range when matching packets.

Add a TCP port

Note

Adding a port or port range to the TCP port whitelist removes it from the protected list.

sysfs

Write the port or range prefixed by the character + to the sysfs entry.

To whitelist ports 80, 443 and 1200 to 1250:

$ echo "+80" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "+443" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "+1200-1250" > /sys/packetshield/myinst/Other/w_tcp_ports

GUI

The TCP port whitelist is managed through the statement <instance name>/<context id>/w_tcp_ports.

To whitelist ports 80, 443 and 1200 to 1250:

myinst/Other/w_tcp_ports 80
myinst/Other/w_tcp_ports 443
myinst/Other/w_tcp_ports 1200-1250

Remove a TCP port

Note

Deleting a port in the middle of a configured port range splits the range in two.

sysfs

Write the port or range prefixed by the character - to the sysfs entry.

$ echo "-79-81" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "-1250" > /sys/packetshield/myinst/Other/w_tcp_ports

GUI

Remove the statement <instance name>/<context id>/w_tcp_ports <tcp port> that matches the TCP port or range.

If the port to remove is in the middle of a range, replace the statement with the ranges that remain on either side of it.

To remove the port 1225 from the range 1200-1250:

myinst/Other/w_tcp_ports 1200-1224
myinst/Other/w_tcp_ports 1226-1250

List TCP port whitelist contents

Note

This feature is only available through the CLI.

To list the TCP port whitelist content, read the content of the sysfs entry. It displays one port or port range per line.

$ cat /sys/packetshield/myinst/Other/w_tcp_ports
80
443
1200-1250

Denylists

Traffic coming from source IPs in the blacklist is dropped, regardless of the TCP/UDP port filtering policies.

Neither the whitelist nor the blacklist can contain more than 512 different class C networks.

Setting IP address or IP range

PacketShield accepts two types of IP addresses:

  • Single host, for example 10.0.0.1

  • IP range within a class C network, for example 10.0.0.0-255 or 10.0.0.10-20

Note

IP range is inclusive, which means that the lower and upper IP addresses describing the range are included in the range when matching packets.

Use sysfs entry

PacketShield manages the source IP blacklist through the sysfs entry /sys/packetshield/<instance name>/<context id>/b_sources.

Add an IP

When you add an address to the IP source blacklist, it is automatically removed from the whitelist.

sysfs

Write the IPv4 address or range prefixed by the character + to the sysfs entry.

To add a single host:

$ echo "+10.0.2.3" > /sys/packetshield/myinst/Other/b_sources

To add a whole class C subnet:

$ echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/b_sources

To add 11 consecutive IPs of the same range:

$ echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/b_sources

GUI

Use the statement <instance name>/<context id>/b_sources followed by the IP address or range.

To add a single host:

<instance name>/<context id>/b_sources 10.0.2.3

To add a whole class C subnet:

<instance name>/<context id>/b_sources 10.0.3.0-255

To add 11 consecutive IPs of the same range:

<instance name>/<context id>/b_sources 10.0.4.10-20

Remove an IP

Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.

sysfs

Write the IPv4 address or range prefixed by the character - to the sysfs entry.

$ echo "-10.0.3.100" > /sys/packetshield/myinst/Other/b_sources
$ echo "-10.0.4.10-15" > /sys/packetshield/myinst/Other/b_sources

GUI

Remove the statement <instance name>/<context id>/b_sources <IP address> that matches the IP address or range.

If the IP address to remove is in the middle of an existing range, replace the statement with the ranges that remain on either side of it.

To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:

myinst/Other/b_sources 10.0.3.0-99
myinst/Other/b_sources 10.0.3.101-255

List IPs

This function is only available using the CLI.

To list the IPs currently configured in the source IP blacklist, read the content of the sysfs entry. It displays one IPv4 address or range within a class C network per line.

$ cat /sys/packetshield/myinst/Other/b_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255
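The following added example (not PacketShield code, and not from this documentation) models the list semantics described above so that an administrator can predict what a sequence of sysfs writes leaves in a list before touching a live instance: inclusive ranges confined to one class C network, removal of an address or port in the middle of a range splitting it in two, and an address added to the source whitelist leaving the blacklist (and vice versa). It assumes that adding a range which overlaps an existing one merges the two; the page does not state how PacketShield handles that case. The same add/remove logic applies to TCP port ranges.

```python
import re

# Added example (not PacketShield code): models the documented list semantics.
# An entry is an inclusive integer range: the last octet inside one class C
# network for IP lists, the port number for TCP port lists.
ENTRY = re.compile(r'([+-])(?:(\d+\.\d+\.\d+)\.)?(\d+)(?:-(\d+))?')

def parse(entry):
    """'+10.0.4.10-20' -> ('+', '10.0.4', 10, 20); '-1250' -> ('-', '', 1250, 1250)."""
    m = ENTRY.fullmatch(entry.strip())
    if not m:
        raise ValueError(f'bad entry: {entry!r}')
    op, net, lo, hi = m.group(1), m.group(2) or '', int(m.group(3)), int(m.group(4) or m.group(3))
    if not 0 <= lo <= hi <= (255 if net else 65535):   # an IP range never leaves its class C
        raise ValueError(f'range out of bounds: {entry!r}')
    return op, net, lo, hi

def add(ranges, lo, hi):
    """Union (lo, hi) into sorted inclusive ranges; merging overlaps is an assumption."""
    for a, b in ranges:
        if not (b < lo - 1 or a > hi + 1):      # overlapping or adjacent: absorb it
            lo, hi = min(lo, a), max(hi, b)
    return sorted([r for r in ranges if r[1] < lo or r[0] > hi] + [(lo, hi)])

def remove(ranges, lo, hi):
    """Subtract (lo, hi); a hit inside a range splits it in two, as documented."""
    out = []
    for a, b in ranges:
        if b < lo or a > hi:
            out.append((a, b))                    # untouched
        else:
            if a < lo: out.append((a, lo - 1))    # left remainder
            if b > hi: out.append((hi + 1, b))    # right remainder
    return out

def write(lists, name, line):
    """Emulate `echo line > .../<name>` for name in (w_sources, b_sources)."""
    op, net, lo, hi = parse(line)
    target = lists.setdefault(name, {})           # net -> sorted ranges
    if op == '+':   # an address can sit in only one of the two lists
        other = lists.setdefault('b_sources' if name == 'w_sources' else 'w_sources', {})
        other[net] = remove(other.get(net, []), lo, hi)
        target[net] = add(target.get(net, []), lo, hi)
    else:
        target[net] = remove(target.get(net, []), lo, hi)

def read(lists, name):
    """Render like `cat` on the sysfs entry: one address or range per line."""
    nets = sorted(lists.get(name, {}), key=lambda n: [int(o) for o in n.split('.')])
    return '\n'.join(f'{n}.{lo}' + ('' if lo == hi else f'-{hi}')
                     for n in nets for lo, hi in lists[name][n])
```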