PacketShield
Allowlists / denylists
Allowlists Jump to heading
Traffic coming from IPs in the allowlist is accepted regardless of the TCP/UDP port filtering policies.
The size of both allowlists and denylists cannot be greater than 512 different class C networks.
Setting IP address or IP range Jump to heading
PacketShield accepts two types of IP addresses:
-
Single host, i.e.: 10.0.0.1
-
IP range based on class C networks, 10.0.0.0-255 or 10.0.0.10-20
IP range is inclusive, which means that the lower and upper IP addresses describing the range are included in the range when matching packets.
sysfs Jump to heading
PacketShield can manage the source IP allowlist through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_sources.
Add an IP to an allowlist Jump to heading
When you add an address to the source IP allowlist, it is automatically removed from the denylist.
sysfs Jump to heading
Write the IPv4 address or range prefixed by the plus sign character (+) in the sysfs entry.
To add a single host:
nix
nix
To add a whole class C subnet:
nix
nix
To add 11 consecutive IPs of the same range:
nix
nix
GUI Jump to heading
Use the statement <instance name>/<context id>/w_sources followed by the IP address or range.
To add a single host:
<instance name>/<context id>/w_sources 10.0.2.3
<instance name>/<context id>/w_sources 10.0.2.3
To add a whole class C subnet:
<instance name>/<context id>/w_sources 10.0.3.0-255
<instance name>/<context id>/w_sources 10.0.3.0-255
To add 11 consecutive IPs of the same range:
<instance name>/<context id>/w_sources 10.0.4.10-20
<instance name>/<context id>/w_sources 10.0.4.10-20
Remove an IP Jump to heading
Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.
sysfs Jump to heading
Write the IPv4 address or the range prefixed by the minus sign character (-) in the sysfs entry.
nix
nix
GUI Jump to heading
Remove the statement <instance name>/<context id>/w_sources <IP address> that matches the IP address or range.
If the IP address to remove is in the middle of an existing range, then provide the rules to follow.
To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:
myinst/Other/w_sources 10.0.3.0-99 myinst/Other/w_sources 10.0.3.101-255
myinst/Other/w_sources 10.0.3.0-99 myinst/Other/w_sources 10.0.3.101-255
List IPs Jump to heading
This function is only available using the CLI.
To list IPs currently configured in the source IP allowlist, read the content of the sysfs entry. It displays one IPv4 address or range on a class C network per line.
nix
nix
output10.0.2.3 10.0.3.10-20 10.0.4.0-255
output10.0.2.3 10.0.3.10-20 10.0.4.0-255
Protocols Jump to heading
By default, all protocols are dropped except for TCP and UDP.
PacketShield uses Assigned Internet Protocol Numbers (IANA) protocol numbers in its allowlist.
An online version of the list of protocol numbers is available here.
The sysfs entry /sys/packetshield/<instance name>/<context id>/w_protocols is used to manage the protocol allowlist.
Add a protocol Jump to heading
sysfs Jump to heading
Write the protocol number prefixed by the plus sign character (+) in the sysfs entry.
To allow ICMP (1) and VRRP (112):
nix
nix
GUI Jump to heading
Use the statement <instance name>/<context id>/w_protocols followed by the <protocol number>.
To allow ICMP (1) and VRRP (112):
myinst/Other/w_protocols 1 myinst/Other/w_protocols 112
myinst/Other/w_protocols 1 myinst/Other/w_protocols 112
Remove a protocol Jump to heading
sysfs Jump to heading
Write the protocol number prefixed by the minus sign character (-) in the sysfs entry.
To remove ICMP (1):
nix
nix
GUI Jump to heading
Remove the statement <instance name>/<context id>/w_protocols <protocol number> that matches the <protocol number> you want to remove.
Display protocol allowlist Jump to heading
This function is only available through the CLI
To list protocols currently in the allowlist, you read the contents of the sysfs entry. It displays one protocol number per line.
nix
nix
output1 112
output1 112
By default, all TCP packets that do not match a protected destination TCP port are dropped.
Hence, in order for TCP based traffic to pass through PacketShield, the destination TCP ports must be either in the allowlist or in the protected list.
sysfs Jump to heading
The TCP port allowlist is managed through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_tcp_ports.
Ports Jump to heading
A port range is defined by two numbers representing the lower and upper ports of the range separated by the minus sign character (-).
Port range is inclusive. It means that the lower and upper ports describing the range are included in the range when matching packets.
Add a TCP port Jump to heading
Adding a port or port range to the allowlisted TCP port list removes it/them from the protected list.
sysfs
Write the port or range prefixed by the plus sign character (+) in the sysfs entry.
Allow list ports 80, 443 and 1200 to 1250
nix
nix
GUI
The TCP port allowlist is managed through the statement <instance name>/<context id>/w_tcp_ports.
Allowlist ports 80, 443 and 1200 to 1250:
myinst/Other/w_tcp_ports 80 myinst/Other/w_tcp_ports 443 myinst/Other/w_tcp_ports 1200-1250
myinst/Other/w_tcp_ports 80 myinst/Other/w_tcp_ports 443 myinst/Other/w_tcp_ports 1200-1250
Remove a TCP port Jump to heading
Deleting a port in the middle of a configured port range splits the range in two.
sysfs
Write the port or range prefixed by the minus sign character (-) in the sysfs entry.
nix
nix
GUI
Remove the statement line matching the TCP port allowlist <instance name>/<context id>/w_tcp_ports <tcp port>.
If the port to remove is in the middle of the range, then rules must be provided.
Remove the port 1225 from the range 1200-1250
myinst/Other/w_tcp_ports 1200-1224 myinst/Other/w_tcp_ports 1226-1250
myinst/Other/w_tcp_ports 1200-1224 myinst/Other/w_tcp_ports 1226-1250
List TCP port allowlist Jump to heading
This feature is available only through the CLI.
sysfs
To read the TCP port allowlist contents, read the contents of the sysfs entry. It displays one port or port range per line.
nix
nix
output80 443 1200-1250
output80 443 1200-1250
Denylists Jump to heading
If a source IP is on the denylist, the traffic coming from the source IP is dropped regardless the TCP/UDP port filtering policies.
The size of both allowlist and denylist cannot go over more than 512 different class C networks.
Setting IP address or IP range Jump to heading
PacketShield accepts two types of IP addresses:
-
Single host, i.e.: 10.0.0.1
-
IP range based on class C networks, 10.0.0.0-255 or 10.0.0.10-20
IP range is inclusive, which means that the lower and upper IP addresses describing the range are included in the range when matching packets.
sysfs Jump to heading
PacketShield manages source IP denylists using the sysfs entry: /sys/packetshield/<instance name>/<context id>/b_sources.
Add an IP to a denylist Jump to heading
When you add an address to the source IP denylist, it is automatically removed from the allowlist.
sysfs Jump to heading
Write the IPv4 address or the range prefixed by the plus sign character (+) in the sysfs entry.
To add a single host:
nix
nix
To add a whole class C subnet:
nix
nix
To add 11 consecutive IPs of the same range:
nix
nix
GUI Jump to heading
Use the statement <instance name>/<context id>/b_sources followed by the IP address or range.
To add a single host:
<instance name>/<context id>/b_sources 10.0.2.3
<instance name>/<context id>/b_sources 10.0.2.3
To add a whole class C subnet:
<instance name>/<context id>/b_sources 10.0.3.0-255
<instance name>/<context id>/b_sources 10.0.3.0-255
To add 11 consecutive IPs of the same range:
<instance name>/<context id>/b_sources 10.0.4.10-20
<instance name>/<context id>/b_sources 10.0.4.10-20
Remove an IP Jump to heading
Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.
sysfs Jump to heading
Write the IPv4 address or the range prefixed by the minus sign character (-) in the sysfs entry.
nix
nix
GUI Jump to heading
Remove the statement <instance name>/<context id>/b_sources <IP address> that matches the IP address or range.
If the IP address to remove is in the middle of an existing range, then provide the rules to follow.
To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:
myinst/Other/b_sources 10.0.3.0-99 myinst/Other/b_sources 10.0.3.101-255
myinst/Other/b_sources 10.0.3.0-99 myinst/Other/b_sources 10.0.3.101-255
List IPs Jump to heading
This function is only available using the CLI.
sysfs Jump to heading
To list IPs currently configured in the source IP denylist, read the contents of the sysfs entry.
It displays one IP address or range on a class C network per line.
nix
nix
output10.0.2.3 10.0.3.10-20 10.0.4.0-255
output10.0.2.3 10.0.3.10-20 10.0.4.0-255
Do you have any suggestions on how we can improve the content of this page?