HAProxy Enterprise Documentation 13.0

Setup

  1. In the GUI, open the Services tab and scroll to the bottom of the page.

  2. Click on the Advanced Mode link.

  3. Locate the line PacketShield.

  4. Click Edit to access the PacketShield configuration.

  5. Delete the no autostart statement.

  6. Click OK and then Close.

  7. Click Reload.

Configuring PacketShield

The PacketShield configuration interface uses sysfs.

When you load the PacketShield module, it automatically creates the sysfs directory /sys/packetshield from which all configuration can be performed.

Use the GUI for configuration

  1. In the GUI, open the Services tab and scroll to the bottom of the page.

  2. Click on the Advanced Mode link.

  3. Locate the line PacketShield.

  4. Click Edit to access the PacketShield configuration. A text area opens and shows the current configuration.

  5. Update the configuration and apply it.

  6. Click OK and then Close.

  7. Click Reload on the PacketShield line.

Use the CLI for configuration

  1. Connect to the ALOHA over SSH.

  2. Type root to obtain root privileges.

  3. To configure PacketShield, write to the entries under /sys/packetshield as described in the relevant instructions.

  4. When your configuration is final, save it with the following command:

    $ service packetshield store

Warning

The configuration applies directly to live traffic.

Read error codes

When you configure PacketShield using the CLI, you may get the following error codes:

  2 / ENOENT   object or configuration setting not found

  5 / EIO      input string is malformed

  16 / EBUSY   object already attached to another instance

  17 / EEXIST  object or configuration setting already exists

  19 / ENODEV  object does not exist

  28 / ENOSPC  object is full

Example

In the following example, we show how to set up PacketShield to:

  • Enable PacketShield on the interface eth8

  • Configure a default ruleset which:

      • Allows the ICMP and VRRP protocols

      • Enables protection on TCP ports 80 and 443 for services load-balanced by the ALOHA itself

      • Enables protection on TCP ports 25, 110, 143, 993 and 995 for services routed through the ALOHA

      • Whitelists traffic coming from 10.0.0.0/24

  • Protect the VIP 192.168.0.1 for FTP passive traffic, with data ports from 50000 to 60000, for an FTP service routed through the ALOHA

Using the GUI

instances mydemo
mydemo/ifaces eth8
mydemo/drop_empty_ack 100
mydemo/Other/new_cookie_threshold 10000-5000
mydemo/Other/unmatch_drop_threshold 10000-5000
mydemo/Other/unknown_ttlfilter_threshold 10000-5000
mydemo/Other/w_protocols 1
mydemo/Other/w_protocols 112
mydemo/Other/w_source 10.0.0.0-255
mydemo/Other/p_tcp_ports 80
mydemo/Other/p_tcp_ports 443
mydemo/Other/x_tcp_ports 25
mydemo/Other/x_tcp_ports 110
mydemo/Other/x_tcp_ports 143
mydemo/Other/x_tcp_ports 993
mydemo/Other/x_tcp_ports 995
mydemo/contexts 192.168.0.1
mydemo/192.168.0.1/new_cookie_threshold 10000-5000
mydemo/192.168.0.1/unmatch_drop_threshold 10000-5000
mydemo/192.168.0.1/unknown_ttlfilter_threshold 10000-5000
mydemo/192.168.0.1/x_tcp_ports 21
mydemo/192.168.0.1/x_tcp_ports 50000-60000

Using the CLI / sysfs

$ echo +mydemo >/sys/packetshield/instances
$ echo +eth8 >/sys/packetshield/mydemo/ifaces
$ echo 100 >/sys/packetshield/mydemo/Other/drop_empty_ack
$ echo 10000-5000 >/sys/packetshield/mydemo/Other/new_cookie_threshold
$ echo 10000-5000 >/sys/packetshield/mydemo/Other/unmatch_drop_threshold
$ echo 10000-5000 >/sys/packetshield/mydemo/Other/unknown_ttlfilter_threshold
$ echo +1 >/sys/packetshield/mydemo/Other/w_protocols
$ echo +112 >/sys/packetshield/mydemo/Other/w_protocols
$ echo +10.0.0.0-255 >/sys/packetshield/mydemo/Other/w_sources
$ echo +80 >/sys/packetshield/mydemo/Other/p_tcp_ports
$ echo +443 >/sys/packetshield/mydemo/Other/p_tcp_ports
$ echo +25 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +110 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +143 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +993 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +995 >/sys/packetshield/mydemo/Other/x_tcp_ports
$ echo +192.168.0.1 >/sys/packetshield/mydemo/contexts
$ echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/new_cookie_threshold
$ echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unmatch_drop_threshold
$ echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unknown_ttlfilter_threshold
$ echo +21 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
$ echo +50000-60000 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
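As an added example (not ALOHA's own tooling), the following Python helper turns the GUI text-area format shown above into the equivalent sysfs writes, applies them in order, stops at the first failure because writes take effect on live traffic, and reports failures using the error-code table from this page. The rule that list attributes take a "+" prefix on the CLI, the set LIST_ATTRS, and the functions to_sysfs_writes, apply_config and make_fake_tree are assumptions inferred from the example, not documented behaviour; make_fake_tree builds a temporary directory standing in for /sys/packetshield so the code can run off the appliance.

```python
import errno
import os
import tempfile
# Error codes documented for the PacketShield sysfs interface.
PS_ERRORS = {
    errno.ENOENT: "object or configuration setting not found",
    errno.EIO: "input string is malformed",
    errno.EBUSY: "object already attached to another instance",
    errno.EEXIST: "object or configuration setting already exists",
    errno.ENODEV: "object does not exist",
    errno.ENOSPC: "object is full",
}
# Assumption inferred from the page's example: these attributes are lists that
# take "+value" on the CLI; thresholds and drop_empty_ack take a bare value.
LIST_ATTRS = {"instances", "ifaces", "contexts", "w_protocols", "w_sources",
              "p_tcp_ports", "x_tcp_ports"}

def to_sysfs_writes(gui_config, root="/sys/packetshield"):
    """Translate GUI-style 'path value' lines into (sysfs file, string) pairs."""
    writes = []
    for line in gui_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, value = line.split(None, 1)
        if path.rsplit("/", 1)[-1] in LIST_ATTRS:
            value = "+" + value
        writes.append((os.path.join(root, path), value))
    return writes

def apply_config(gui_config, root="/sys/packetshield"):
    """Apply writes in order; stop at the first failure, since writes hit live traffic.
    Returns (file, value, error) tuples; error is None or '<errno> / <NAME>: meaning'."""
    results = []
    for target, value in to_sysfs_writes(gui_config, root):
        try:
            with open(target, "w") as fh:
                fh.write(value)
            results.append((target, value, None))
        except OSError as exc:
            meaning = PS_ERRORS.get(exc.errno, os.strerror(exc.errno))
            code = f"{exc.errno} / {errno.errorcode.get(exc.errno, '?')}: {meaning}"
            results.append((target, value, code))
            break
    return results
def make_fake_tree(subdirs):  # temporary stand-in for /sys/packetshield (offline runs)
    root = tempfile.mkdtemp(prefix="packetshield-")
    for sub in subdirs:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    return root
```

On a real appliance, call apply_config with the default root after obtaining root privileges, then save with `service packetshield store` as described above.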
