PacketShield

Setup

To set up PacketShield:

  1. In the GUI, open the Services tab and scroll to the bottom of the page.

  2. Click on the Advanced Mode link.

  3. Locate the line PacketShield.

    PacketShield services

  4. Click Edit to access the PacketShield configuration.

  5. Delete the no autostart statement.

  6. Click OK and then Close.

  7. Click Reload.

  8. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Configuring PacketShield Jump to heading

The PacketShield configuration interface uses sysfs.

When you load the PacketShield module, it automatically creates the sysfs directory /sys/packetshield from which all configuration can be performed.

Use the GUI for configuration Jump to heading

  1. In the GUI, open the Services tab and scroll to the bottom of the page.

  2. Click on the Advanced Mode link.

  3. Locate the line PacketShield.

    PacketShield services

  4. Click Edit to access the PacketShield configuration. A text area opens and shows the current configuration.

  5. Update the configuration and apply it.

  6. Click OK and then Close.

  7. Click Reload on the PacketShield line.

  8. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Use the CLI for configuration Jump to heading

  1. Connect via SSH to HAProxy ALOHA.

    Available since

    Since HAProxy ALOHA version 13.5 you can also access the instance via Launch a terminal in the web UI’s Tools tab.

  2. Type root to get root rights.

  3. To access PacketShield configuration, make entries into /sys/packetshield as described in the instructions.

  4. When your configuration is optimal, you can save it using the following command

    bash
    service packetshield store
    bash
    service packetshield store

    Caution

    The configuration applies directly to live traffic.

  5. Execute config save to make changes persist after a reboot.

Read error codes Jump to heading

When you configure PacketShield using the CLI, you may get the following error codes:

Error Code Description
2 / ENOENT object or configuration setting not found
5 / EIO input string is malformed
16 / EBUSY object already attached to another instance
17 / EEXIST object or configuration setting already exists
19 / ENODEV object does not exist
28 / ENOSPC object is full

Examples Jump to heading

In the following examples, we show how to set up PacketShield:

  • Enable PacketShield on the interface eth8

  • Configure a default rule set which:

    • Allow ICMP and VRRP protocols

    • Allowlist traffic coming from 10.0.0.0/24

    • Enable protection on TCP ports 80 and 443 for services load-balanced by HAProxy ALOHA itself

    • Enable protection on TCP ports 25, 110, 143, 993, 995 for services routed through HAProxy ALOHA

    • Protect the VIP 192.168.0.1 for FTP passive traffic with data ports from 50000 to 60000 for an FTP service routed through HAProxy ALOHA

Using the GUI Jump to heading

After making changes using the GUI, make the changes persist after a reboot by going to the Setup tab and clicking Save within the Configuration section.

text
instances mydemo
mydemo/ifaces eth8
mydemo/drop_empty_ack 100
mydemo/Other/new_cookie_threshold 10000-5000
mydemo/Other/unmatch_drop_threshold 10000-5000
mydemo/Other/unknown_ttlfilter_threshold 10000-5000
mydemo/Other/w_protocols 1
mydemo/Other/w_protocols 112
mydemo/Other/w_source 10.0.0.0-255
mydemo/Other/p_tcp_ports 80
mydemo/Other/p_tcp_ports 443
mydemo/Other/x_tcp_ports 25
mydemo/Other/x_tcp_ports 110
mydemo/Other/x_tcp_ports 143
mydemo/Other/x_tcp_ports 993
mydemo/Other/x_tcp_ports 995
mydemo/contexts 192.168.0.1
mydemo/192.168.0.1/new_cookie_threshold 10000-5000
mydemo/192.168.0.1/unmatch_drop_threshold 10000-5000
mydemo/192.168.0.1/unknown_ttlfilter_threshold 10000-5000
mydemo/192.168.0.1/x_tcp_ports 21
mydemo/192.168.0.1/x_tcp_ports 50000-60000
text
instances mydemo
mydemo/ifaces eth8
mydemo/drop_empty_ack 100
mydemo/Other/new_cookie_threshold 10000-5000
mydemo/Other/unmatch_drop_threshold 10000-5000
mydemo/Other/unknown_ttlfilter_threshold 10000-5000
mydemo/Other/w_protocols 1
mydemo/Other/w_protocols 112
mydemo/Other/w_source 10.0.0.0-255
mydemo/Other/p_tcp_ports 80
mydemo/Other/p_tcp_ports 443
mydemo/Other/x_tcp_ports 25
mydemo/Other/x_tcp_ports 110
mydemo/Other/x_tcp_ports 143
mydemo/Other/x_tcp_ports 993
mydemo/Other/x_tcp_ports 995
mydemo/contexts 192.168.0.1
mydemo/192.168.0.1/new_cookie_threshold 10000-5000
mydemo/192.168.0.1/unmatch_drop_threshold 10000-5000
mydemo/192.168.0.1/unknown_ttlfilter_threshold 10000-5000
mydemo/192.168.0.1/x_tcp_ports 21
mydemo/192.168.0.1/x_tcp_ports 50000-60000

Using the CLI Jump to heading

After making changes using the CLI, you must execute config save to persist the changes.

text
echo +mydemo >/sys/packetshield/instances
echo +eth8 >/sys/packetshield/mydemo/ifaces
echo 100 >/sys/packetshield/mydemo/Other/drop_empty_ack
echo 10000-5000 >/sys/packetshield/mydemo/Other/new_cookie_threshold
echo 10000-5000 >/sys/packetshield/mydemo/Other/unmatch_drop_threshold
echo 10000-5000 >/sys/packetshield/mydemo/Other/unknown_ttlfilter_threshold
echo +1 >/sys/packetshield/mydemo/Other/w_protocols
echo +112 >/sys/packetshield/mydemo/Other/w_protocols
echo +10.0.0.0-255 >/sys/packetshield/mydemo/Other/w_sources
echo +80 >/sys/packetshield/mydemo/Other/p_tcp_ports
echo +443 >/sys/packetshield/mydemo/Other/p_tcp_ports
echo +25 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +110 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +143 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +993 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +995 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +192.168.0.1 >/sys/packetshield/mydemo/contexts
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/new_cookie_threshold
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unmatch_drop_threshold
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unknown_ttlfilter_threshold
echo +21 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
echo +50000-60000 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
text
echo +mydemo >/sys/packetshield/instances
echo +eth8 >/sys/packetshield/mydemo/ifaces
echo 100 >/sys/packetshield/mydemo/Other/drop_empty_ack
echo 10000-5000 >/sys/packetshield/mydemo/Other/new_cookie_threshold
echo 10000-5000 >/sys/packetshield/mydemo/Other/unmatch_drop_threshold
echo 10000-5000 >/sys/packetshield/mydemo/Other/unknown_ttlfilter_threshold
echo +1 >/sys/packetshield/mydemo/Other/w_protocols
echo +112 >/sys/packetshield/mydemo/Other/w_protocols
echo +10.0.0.0-255 >/sys/packetshield/mydemo/Other/w_sources
echo +80 >/sys/packetshield/mydemo/Other/p_tcp_ports
echo +443 >/sys/packetshield/mydemo/Other/p_tcp_ports
echo +25 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +110 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +143 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +993 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +995 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +192.168.0.1 >/sys/packetshield/mydemo/contexts
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/new_cookie_threshold
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unmatch_drop_threshold
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unknown_ttlfilter_threshold
echo +21 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
echo +50000-60000 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports

Do you have any suggestions on how we can improve the content of this page?