Whitelisting Destination TCP Ports
By default, all TCP packets that do not match a protected destination TCP port are dropped.
Hence, in order for TCP based traffic to pass through PacketShield, the destination TCP ports must be either in the whitelist or in the protected list.
Use sysfs entry
The TCP port whitelist is managed through the sysfs entry
/sys/packetshield/<instance name>/<context id>/w_tcp_ports.
Define a port range
A port range is defined by two numbers representing the lower and upper ports of the range separated by the character
Port range is inclusive. It means that the lower and upper ports describing the range are included in the range when matching packets.
Add a TCP port
Adding a port or port range to the whitelisted TCP port list removes it/them from the protected list.
Write the port or range prefixed by the character
+ in the sysfs entry.
White list ports 80, 443 and 1200 to 1250
$ echo "+80" > /sys/packetshield/myinst/Other/w_tcp_ports $ echo "+443" > /sys/packetshield/myinst/Other/w_tcp_ports $ echo "+1200-1250" > /sys/packetshield/myinst/Other/w_tcp_ports
TCP port whitelist is managed through the statement
<instance name>/<context id>/w_tcp_ports
Whitelist ports 80, 443 and 1200 to 1250:
myinst/Other/w_tcp_ports 80 myinst/Other/w_tcp_ports 443 myinst/Other/w_tcp_ports 1200-1250
Remove a TCP port
Deleting a port in the middle of a configured port range splits the range in two
Write the port or range prefixed by the character - in the sysfs entry.
$ echo "-79-81" > /sys/packetshield/myinst/Other/w_tcp_ports $ echo "-1250" > /sys/packetshield/myinst/Other/w_tcp_ports
Remove the statement line matching the TCP port whitelist
<instance name>/<context id>/w_tcp_ports <tcp port>.
If the port to remove is in the middle of the range, then rules must be provided.
Remove the port 1225 from the range 1200-1250
myinst/Other/w_tcp_ports 1200-1224 myinst/Other/w_tcp_ports 1226-1250
List TCP port whitelist contents
This feature is only available through the CLI.
To read the TCP port whitelist content, read the content of the sysfs entry. It displays one port or port range per line.
$ cat /sys/packetshield/myinst/Other/w_tcp_ports 80 443 1200-1250