Enabling PacketShield for Packet Flood Protection
In the ALOHA, PacketShield is the component responsible for protecting against floods and low-layer attacks.
PacketShield is developed as a kernel module, and its code is executed between the network driver and the kernel. This means that all rules configured in PacketShield apply before any other rule in the ALOHA (IP ACLs, flow manager, L4 load balancing (LVS), HAProxy, etc.).
PacketShield is multicore and is configured through the Linux virtual filesystem sysfs (/sys/).
Understanding PacketShield
PacketShield works like a stateful firewall able to process packets at wire speed. It is split into two components:
Component | Description |
instance | an instance is associated with physical interfaces and owns contexts |
context | rule set applied to destination IPs (and potentially a VLAN tag) |
The diagram below shows how an incoming packet is treated when it reaches an ALOHA where PacketShield is in action:
<------- packetshield ------->
physical interface ===> instance ========> context ====> system
(1) (2) (3)
(1) The packet comes in through a physical network interface. It crosses the interface itself, and the driver delivers it to the PacketShield instance associated with this interface.
(2) Based on the destination IP address (or destination IP + VLAN tag), a context is selected and its associated rules are applied.
(3) If the packet successfully passes all the protection rules, it is delivered to the system (the ALOHA kernel).
Packet processing in PacketShield
When processing packets, PacketShield applies the different types of rules in the following order:
1. Dropping invalid packets (enabled by default, not configurable)
2. Blacklisting per source IP
3. Whitelisting per:
   - source IP
   - protocol
   - destination TCP port
   - destination UDP port
4. Destination TCP port protection (based on known sessions, TTLs, SYN cookies, etc.)
Note
The first rule that matches the packet stops the processing.
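The evaluation order above has a practical consequence: because blacklisting is checked before whitelisting and the first match stops processing, a blacklisted source is dropped even when its destination port is whitelisted, while a whitelisted source skips TCP port protection entirely. The following Python model, added here as an illustration and not PacketShield's own code, walks a packet through instance, context and rules in that order. Everything in it is constructed (the IP addresses, the context layout, the "challenge" verdict standing in for the session/TTL/SYN-cookie checks the page does not detail); the real module is configured through /sys/packetshield, not through Python.

```python
from dataclasses import dataclass, field

# Constructed model of PacketShield's documented evaluation order; not the
# real kernel module, which is configured through /sys/packetshield.

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    vlan: int = 0       # 0 = untagged frame (assumption of this model)
    valid: bool = True  # False stands for a malformed packet

@dataclass
class Context:
    blacklist_src: set = field(default_factory=set)
    whitelist_src: set = field(default_factory=set)
    whitelist_proto: set = field(default_factory=set)
    whitelist_tcp_ports: set = field(default_factory=set)
    whitelist_udp_ports: set = field(default_factory=set)
    protected_tcp_ports: set = field(default_factory=set)

def lookup_context(instance, pkt):
    """Instance = dict keyed by (destination IP, VLAN tag). Assumption: a
    VLAN-specific context wins, then the plain destination-IP context."""
    return instance.get((pkt.dst, pkt.vlan)) or instance.get((pkt.dst, 0))

def process(instance, pkt, known_sessions=frozenset()):
    """Return (verdict, matched_rule); the first matching rule stops processing."""
    if not pkt.valid:                        # 1. always on, not configurable
        return ("drop", "invalid")
    ctx = lookup_context(instance, pkt)
    if ctx is None:                          # assumption: no context, no rules
        return ("accept", "no-context")
    if pkt.src in ctx.blacklist_src:         # 2. blacklist beats every whitelist
        return ("drop", "blacklist")
    ports = ctx.whitelist_tcp_ports if pkt.proto == "tcp" else ctx.whitelist_udp_ports
    if (pkt.src in ctx.whitelist_src or pkt.proto in ctx.whitelist_proto
            or pkt.dport in ports):          # 3. whitelist skips port protection
        return ("accept", "whitelist")
    if pkt.proto == "tcp" and pkt.dport in ctx.protected_tcp_ports:
        # 4. session/TTL/SYN-cookie checks; "challenge" stands in for whatever
        #    the real module does with a packet that matches no known session
        if (pkt.src, pkt.dst, pkt.dport) in known_sessions:
            return ("accept", "known-session")
        return ("challenge", "port-protection")
    return ("accept", "default")

# Constructed instance: one untagged context for destination 203.0.113.10
INSTANCE = {("203.0.113.10", 0): Context(
    blacklist_src={"198.51.100.7"}, whitelist_src={"192.0.2.1"},
    whitelist_tcp_ports={22}, protected_tcp_ports={80, 443})}
```

Running `process(INSTANCE, Packet("198.51.100.7", "203.0.113.10", "tcp", 22))` returns `("drop", "blacklist")` even though port 22 is whitelisted, which is the ordering point the note above makes.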
Enable PacketShield
1. In the GUI, open the Services tab and scroll to the bottom of the page.
2. Click on the Advanced Mode link.
3. Locate the line PacketShield.
4. Click Edit to access the PacketShield configuration.
5. Delete the no autostart statement.
6. Click OK and then Close.
7. Click Reload.
Configuring PacketShield
The PacketShield configuration interface uses sysfs.
When you load the PacketShield module, it automatically creates the sysfs directory /sys/packetshield, from which all configuration can be performed.
Use the GUI for configuration
1. In the GUI, open the Services tab and scroll to the bottom of the page.
2. Click on the Advanced Mode link.
3. Locate the line PacketShield.
4. Click Edit to access the PacketShield configuration. A text area opens and shows the current configuration.
5. Update the configuration and apply it.
6. Click OK and then Close.
7. Click Reload on the PacketShield line.
Use the CLI for configuration
1. Connect to the ALOHA over SSH.
2. Type root to get root rights.
3. To access the PacketShield configuration, make entries into /sys/packetshield as described in the instructions.
4. When your configuration is optimal, save it using the following command:
$ service packetshield store
Warning
The configuration applies directly to live traffic.
Read error codes
When you configure PacketShield using the CLI, you may get the following error codes:
Code / errno | Meaning |
2 / ENOENT | object or configuration setting not found |
5 / EIO | input string is malformed |
16 / EBUSY | object already attached to another instance |
17 / EEXIST | object or configuration setting already exists |
19 / ENODEV | object does not exist |
28 / ENOSPC | object is full |