In the ALOHA, PacketShield is the component responsible for protecting against floods and low-layer attacks.

PacketShield is developed as a kernel module and its code runs between the network driver and the kernel. This means that all rules configured in PacketShield apply before any other rule in the ALOHA (IP ACLs, flow manager, L4 load balancing (LVS), HAProxy, etc.).

PacketShield is multicore-capable and is configured through sysfs, the Linux virtual filesystem mounted at /sys/.

Understanding PacketShield

PacketShield works like a stateful firewall able to process packets at wire speed. It is split into two components:

instance

an instance is associated with one or more physical interfaces and owns contexts

context

a rule set applied to destination IPs (and optionally a VLAN tag)

The diagram below shows how an incoming packet is treated when it reaches an ALOHA where PacketShield is active:

             <------- packetshield ------->
physical interface ===> instance ========> context ====> system
             (1)              (2)             (3)
  1. The packet comes in through a physical network interface. It crosses the interface itself and the driver delivers it to the PacketShield instance associated with this interface.

  2. Based on the destination IP address (or destination IP address plus VLAN tag), the instance selects a context and applies the rules of that context.

  3. If the packet successfully passes all the protection rules, it is delivered to the system (ALOHA's kernel).

Packet processing in PacketShield

When processing packets, PacketShield applies different types of rules, in the following order:

  1. Dropping invalid packets (enabled by default, not configurable)

  2. Blacklisting per source IP

  3. Whitelisting per:

    • source IP

    • protocol

    • destination TCP port

    • destination UDP port

  4. Destination TCP port protection (based on known sessions, TTLs, syn cookies, etc.).

Note

The first rule that matches the packet stops the processing; later rule types are not evaluated for that packet.
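The consequences of this evaluation order are easy to get wrong when a source appears in several lists at once. The following is an added example, not PacketShield's own code: a small Python model of the four rule types evaluated in the order listed above, with first match terminating processing. The Packet and Context types, the example addresses (documentation ranges) and the result labels are all constructed for illustration; the stateful TCP port protection (SYN cookies, session tracking, TTL checks) is reduced to a flag, since its internals are not described on this page.

```python
"""Model of PacketShield's rule evaluation order (illustrative, not PacketShield code).

Order, as documented: 1. drop invalid packets, 2. blacklist per source IP,
3. whitelist (source IP, protocol, destination TCP port, destination UDP port),
4. destination TCP port protection. The first matching rule stops processing.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None  # only meaningful for tcp/udp
    valid: bool = True              # False models a malformed packet (bad header, bad checksum)


@dataclass
class Context:
    blacklist: Set[str] = field(default_factory=set)
    whitelist_src: Set[str] = field(default_factory=set)
    whitelist_proto: Set[str] = field(default_factory=set)
    whitelist_tcp_ports: Set[int] = field(default_factory=set)
    whitelist_udp_ports: Set[int] = field(default_factory=set)
    protected_tcp_ports: Set[int] = field(default_factory=set)


def classify(pkt: Packet, ctx: Context) -> str:
    """Return the verdict label of the first rule type that matches the packet."""
    # 1. Invalid packets are dropped before anything else; this step is always on.
    if not pkt.valid:
        return "drop:invalid"
    # 2. Blacklist per source IP. Because it is evaluated before the whitelist,
    #    a blacklisted source is dropped even if the same IP is also whitelisted.
    if pkt.src_ip in ctx.blacklist:
        return "drop:blacklist"
    # 3. Whitelists. A match accepts the packet and bypasses port protection (step 4).
    if pkt.src_ip in ctx.whitelist_src:
        return "accept:whitelist-src"
    if pkt.proto in ctx.whitelist_proto:
        return "accept:whitelist-proto"
    if pkt.proto == "tcp" and pkt.dst_port in ctx.whitelist_tcp_ports:
        return "accept:whitelist-tcp-port"
    if pkt.proto == "udp" and pkt.dst_port in ctx.whitelist_udp_ports:
        return "accept:whitelist-udp-port"
    # 4. Destination TCP port protection. Modelled as a flag only: the real
    #    checks (known sessions, TTLs, SYN cookies) are stateful.
    if pkt.proto == "tcp" and pkt.dst_port in ctx.protected_tcp_ports:
        return "protect:tcp-port"
    # Nothing matched: the packet is delivered to the system unchanged.
    return "accept:default"


# Constructed example context: 203.0.113.9 is deliberately in both lists.
EXAMPLE_CONTEXT = Context(
    blacklist={"203.0.113.9"},
    whitelist_src={"203.0.113.9", "198.51.100.5"},
    whitelist_proto={"icmp"},
    whitelist_tcp_ports={22},
    whitelist_udp_ports={53},
    protected_tcp_ports={80, 443},
)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.9", "192.0.2.10", "tcp", 443),          # blacklist wins over whitelist
        Packet("198.51.100.5", "192.0.2.10", "tcp", 443),         # whitelisted source skips protection
        Packet("192.0.2.77", "192.0.2.10", "tcp", 443),           # goes through TCP port protection
        Packet("192.0.2.77", "192.0.2.10", "tcp", 22),            # whitelisted destination port
        Packet("192.0.2.77", "192.0.2.10", "udp", 53),            # whitelisted UDP port
        Packet("192.0.2.77", "192.0.2.10", "icmp"),               # whitelisted protocol
        Packet("192.0.2.77", "192.0.2.10", "tcp", 443, valid=False),  # invalid: dropped first
    ]
    for p in samples:
        print(f"{p.src_ip:>13} -> {p.proto}/{p.dst_port}: {classify(p, EXAMPLE_CONTEXT)}")
```

The first sample is the one worth remembering: adding a source to the whitelist does not rescue it from the blacklist, because the blacklist is evaluated first. Conversely, a whitelisted source or port never reaches the TCP port protection stage, so whitelisting a port also disables SYN-cookie style protection for it.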

Enable PacketShield

  1. In the GUI, open the Services tab and scroll to the bottom of the page.

  2. Click on the Advanced Mode link.

  3. Locate the line PacketShield.

  4. Click Edit to access the PacketShield configuration.

  5. Delete the no autostart statement.

  6. Click OK and then Close.

  7. Click Reload.

Configuring PacketShield

The PacketShield configuration interface uses sysfs.

When you load the PacketShield module, it automatically creates the sysfs directory /sys/packetshield from which all configuration can be performed.

Use the GUI for configuration

  1. In the GUI, open the Services tab and scroll to the bottom of the page.

  2. Click on the Advanced Mode link.

  3. Locate the line PacketShield.

  4. Click Edit to access the PacketShield configuration. A text area opens and shows the current configuration.

  5. Update the configuration and apply it.

  6. Click OK and then Close.

  7. Click Reload on the PacketShield line.

Use the CLI for configuration

  1. Connect to the ALOHA over SSH.

  2. Type root to obtain root privileges.

  3. Configure PacketShield by writing entries into /sys/packetshield as described in the instructions.

  4. Once your configuration is satisfactory, save it with the following command:

    service packetshield store

Warning

Entries written into /sys/packetshield apply immediately to live traffic.

Read error codes

When you configure PacketShield using the CLI, a write into /sys/packetshield may fail with one of the following error codes:

2 / ENOENT

object or configuration setting not found

5 / EIO

input string is malformed

16 / EBUSY

object already attached to another instance

17 / EEXIST

object or configuration setting already exists

19 / ENODEV

object does not exist

28 / ENOSPC

object is full
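The CLI procedure above writes entries into /sys/packetshield and saves them with service packetshield store; when a write is rejected, the kernel module reports one of the errno values listed in this table. The following is an added example and not part of the ALOHA product: a Python helper that performs the sysfs write with raw os.open/os.write, so the errno returned by the kernel is visible rather than a wrapped shell message, and maps it to the meaning given above. The attribute names under /sys/packetshield are not defined on this page, so the full path is supplied by the caller and the path used in the demo is an assumption; the helper assumes a Python interpreter is available wherever you run it.

```python
"""Write to a PacketShield sysfs attribute and decode the errno it returns.

Added example, not PacketShield/ALOHA code. Only the error-code meanings in
PACKETSHIELD_ERRORS and the `service packetshield store` command come from the
documentation; attribute paths under /sys/packetshield are caller-supplied.
"""
import errno
import os
import subprocess
from typing import Optional, Tuple

# errno -> meaning, exactly as documented for PacketShield.
PACKETSHIELD_ERRORS = {
    errno.ENOENT: "object or configuration setting not found",
    errno.EIO: "input string is malformed",
    errno.EBUSY: "object already attached to another instance",
    errno.EEXIST: "object or configuration setting already exists",
    errno.ENODEV: "object does not exist",
    errno.ENOSPC: "object is full",
}


def describe_errno(code: int) -> str:
    """Render an errno as 'N / NAME: meaning', using the PacketShield meaning when known."""
    name = errno.errorcode.get(code, "UNKNOWN")
    meaning = PACKETSHIELD_ERRORS.get(code, os.strerror(code))
    return f"{code} / {name}: {meaning}"


def sysfs_write(path: str, value: str) -> Tuple[bool, Optional[int], str]:
    """Write `value` (newline-terminated) to a sysfs attribute.

    Returns (ok, errno, message). Raw os.open/os.write is used so that the
    errno produced by the kernel's store handler is reported unchanged.
    """
    data = (value.rstrip("\n") + "\n").encode()
    try:
        fd = os.open(path, os.O_WRONLY)
    except OSError as e:
        return False, e.errno, describe_errno(e.errno)
    try:
        os.write(fd, data)
    except OSError as e:
        return False, e.errno, describe_errno(e.errno)
    finally:
        os.close(fd)
    return True, None, f"wrote {value!r} to {path}"


def store_config() -> int:
    """Persist the running PacketShield configuration (documented command)."""
    return subprocess.run(["service", "packetshield", "store"], check=False).returncode


if __name__ == "__main__":
    # Hypothetical attribute path: substitute the entry named in the instructions.
    ok, code, msg = sysfs_write("/sys/packetshield/some_attribute", "some value")
    print(msg)
    if ok:
        print("store rc =", store_config())
    elif code == errno.EIO:
        print("check the input string format before retrying")
```

Because every write takes effect on live traffic immediately, a practical workflow is to script the writes with this helper, stop on the first failure and inspect the decoded errno, and only then run the store step.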