Whitelisting Protocols
By default, all protocols are dropped except for TCP and UDP.
PacketShield identifies the protocols in its whitelist by their IANA Assigned Internet Protocol Numbers.
An online version of the list of protocol numbers is available here.
Use sysfs entry
The sysfs entry /sys/packetshield/<instance name>/<context id>/w_protocols is used to manage the protocol whitelist.
Add a protocol
sysfs
Write the protocol number, prefixed by the + character, to the sysfs entry.
To allow ICMP (1) and VRRP (112):
$ echo "+1" > /sys/packetshield/myinst/Other/w_protocols
$ echo "+112" > /sys/packetshield/myinst/Other/w_protocols
GUI
Use the statement <instance name>/<context id>/w_protocols followed by the <protocol number>.
To allow ICMP (1) and VRRP (112):
myinst/Other/w_protocols 1
myinst/Other/w_protocols 112
Remove a protocol
sysfs
Write the protocol number, prefixed by the - character, to the sysfs entry.
To remove ICMP (1):
$ echo "-1" > /sys/packetshield/myinst/Other/w_protocols
GUI
Remove the statement <instance name>/<context id>/w_protocols <protocol number> that matches the <protocol number> you want to remove.
Display protocol whitelist
This function is only available through the CLI.
To list the protocols currently in the whitelist, read the contents of the sysfs entry. It displays one protocol number per line.
$ cat /sys/packetshield/myinst/Other/w_protocols
1
112
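The add, remove and display operations above can be combined to bring a whitelist back in line with an approved list of protocols. The shell functions below are an added example, not part of the ALOHA documentation or HAProxy tooling: valid_proto, plan_changes and apply_changes are hypothetical names, and the 0-255 range check is an assumption based on the 8-bit IP protocol field, not on documented PacketShield behaviour.

```shell
# Added example: reconcile a PacketShield w_protocols entry with an approved list.

# valid_proto N: succeed only if N is a plain decimal number in 0-255
# (assumed range: the IP protocol field is 8 bits). Leading zeros are rejected.
valid_proto() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -le 255 ]
}

# plan_changes CURRENT PROTO...: print the "+N" / "-N" writes needed so that
# the whitelist read from CURRENT (one number per line) matches the PROTO list.
# Nothing is written, so this also serves as a drift report.
plan_changes() {
    current_file=$1; shift
    [ -r "$current_file" ] || { echo "cannot read $current_file" >&2; return 1; }
    for p in "$@"; do
        valid_proto "$p" || { echo "invalid protocol number: $p" >&2; return 2; }
    done
    # Additions: approved protocols missing from the current whitelist.
    for p in "$@"; do
        grep -qxF "$p" "$current_file" || echo "+$p"
    done
    # Removals: whitelisted protocols that are not in the approved list.
    while IFS= read -r cur || [ -n "$cur" ]; do
        [ -n "$cur" ] || continue
        keep=0
        for p in "$@"; do
            if [ "$p" = "$cur" ]; then keep=1; fi
        done
        [ "$keep" -eq 1 ] || echo "-$cur"
    done < "$current_file"
    return 0
}

# apply_changes ENTRY PROTO...: compute the plan from the sysfs entry, then
# write each change to it separately, as in the echo commands on this page.
apply_changes() {
    entry=$1; shift
    plan=$(plan_changes "$entry" "$@") || return
    for change in $plan; do
        echo "$change" > "$entry" || return
    done
}
```

For the page's sample instance, `plan_changes /sys/packetshield/myinst/Other/w_protocols 1 112` prints nothing when the whitelist already contains exactly ICMP and VRRP, and `apply_changes` with the same arguments performs the writes.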