Allowlists / Denylists
Allowlists
Traffic coming from IPs in the whitelist is accepted, regardless the TCP/UDP port filtering policies.
The size of both whitelists and blacklists cannot go over more than 512 different class C networks.
Setting IP address or IP range
PacketShield accepts two types of IP addresses:
Single host, i.e.: 10.0.0.1
IP range based on class C networks, 10.0.0.0-255 or 10.0.0.10-20
Use sysfs entry
PacketShield can manage source IP whitelist through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_sources
.
Add an IP to a whitelist
When you add an address to the IP source whitelist, it is automatically removed from the blacklist.
sysfs
Write the IPv4 address or range prefixed by character +
in the sysfs entry.
To add a single host:
$ echo "+10.0.2.3" > /sys/packetshield/myinst/Other/w_sources
To add a whole class C subnet:
$ echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/w_sources
To add 11 consecutive IPs of the same range:
$ echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/w_sources
GUI
Use the statement <instance name>/<context id>/w_sources
followed by the IP address or range.
To add a single host:
<instance name>/<context id>/w_sources 10.0.2.3
To add a whole class C subnet:
<instance name>/<context id>/w_sources 10.0.3.0-255
To add 11 consecutive IPs of the same range:
<instance name>/<context id>/w_sources 10.0.4.10-20
Remove an IP
Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.
sysfs
Write the IPv4 address or the range prefixed by the character -
in the sysfs entry.
$ echo -10.0.3.100 > /sys/packetshield/myinst/Other/w_sources
$ echo -10.0.4.10-15 > /sys/packetshield/myinst/Other/w_sources
GUI
Remove the statement <instance name>/<context id>/w_sources <IP address>
that matches the IP address or range.
If the IP address to remove is in the middle of an existing range, then provide the rules to follow.
To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:
myinst/Other/w_sources 10.0.3.0-99
myinst/Other/w_sources 10.0.3.101-255
List IPs
This function is only available using the CLI.
To list IPs currently configured in the source IP white list, read the content of the sysfs entry. It displays one IPv4 address or range on a class C network per line.
$ cat /sys/packetshield/myinst/Other/w_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255
By default, all protocols are dropped except for TCP and UDP.
PacketShield uses Assigned Internet Protocol Numbers (IANA) protocol numbers in its whitelist.
An online version of the list of protocol numbers is available here.
Use sysfs entry
The sysfs entry /sys/packetshield/<instance name>/<context id>/w_protocols
is used to managed the protocol whitelist.
Add a protocol
sysfs
Write the protocol number prefixed by char +
in the sysfs entry.
To allow ICMP (1) and VRRP (112):
$ echo "+1" > /sys/packetshield/myinst/Other/w_protocols
$ echo "+112" > /sys/packetshield/myinst/Other/w_protocols
GUI
Use the statement <instance name>/<context id>/w_protocols
followed by the <protocol number>
.
To allow ICMP (1) and VRRP (112):
myinst/Other/w_protocols 1
myinst/Other/w_protocols 112
Remove a protocol
sysfs
Write the protocol number prefixed by char -
in the sysfs entry
To remove ICMP (1):
$ echo "-1" > /sys/packetshield/myinst/Other/w_protocols
GUI
Remove the statement <instance name>/<context id>/w_protocols <protocol number>
that matches the <protocol number>
you want to remove.
Display protocol whitelist
This function is only available through the CLI
To list protocols currently in the whitelist, you read the contents of the sysfs entry. It displays one protocol number per line.
$ cat /sys/packetshield/myinst/Other/w_protocols
1
112
By default, all TCP packets that do not match a protected destination TCP port are dropped.
Hence, in order for TCP based traffic to pass through PacketShield, the destination TCP ports must be either in the whitelist or in the protected list.
Use sysfs entry
The TCP port whitelist is managed through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_tcp_ports
.
Define a port range
A port range is defined by two numbers representing the lower and upper ports of the range separated by the character -
.
Port range is inclusive. It means that the lower and upper ports describing the range are included in the range when matching packets.
Add a TCP port
sysfs
Write the port or range prefixed by the character +
in the sysfs entry.
White list ports 80, 443 and 1200 to 1250
$ echo "+80" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "+443" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "+1200-1250" > /sys/packetshield/myinst/Other/w_tcp_ports
GUI
TCP port whitelist is managed through the statement <instance name>/<context id>/w_tcp_ports
Whitelist ports 80, 443 and 1200 to 1250:
myinst/Other/w_tcp_ports 80
myinst/Other/w_tcp_ports 443
myinst/Other/w_tcp_ports 1200-1250
Remove a TCP port
sysfs
Write the port or range prefixed by the character - in the sysfs entry.
$ echo "-79-81" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "-1250" > /sys/packetshield/myinst/Other/w_tcp_ports
GUI
Remove the statement line matching the TCP port whitelist <instance name>/<context id>/w_tcp_ports <tcp port>
.
If the port to remove is in the middle of the range, then rules must be provided.
Remove the port 1225 from the range 1200-1250
myinst/Other/w_tcp_ports 1200-1224
myinst/Other/w_tcp_ports 1226-1250
List TCP port whitelist contents
To read the TCP port whitelist content, read the content of the sysfs entry. It displays one port or port range per line.
$ cat /sys/packetshield/myinst/Other/w_tcp_ports
80
443
1200-1250
Denylists
When on the blacklist, the traffic coming from these source IPs is dropped regardless the TCP/UDP port filtering policies.
The size of both whitelist and blacklist cannot go over more than 512 different class C networks.
Setting IP address or IP range
PacketShield accepts two types of IP addresses:
Single host, i.e.: 10.0.0.1
-
IP range based on class C networks, 10.0.0.0-255 or 10.0.0.10-20
Use sysfs entry
PacketShield manages source IP blacklists using the sysfs entry:
/sys/packetshield/<instance name>/<context id>/b_sources.
Add an IP
When you add an address to the IP source blacklist, it is automatically removed from the whitelist.
sysfs
Write the IPv4 address or the range prefixed by character + in the sysfs entry.
To add a single host:
$ echo "+10.0.2.3" > /sys/packetshield/myinst/Other/b_sources
To add a whole class C subnet:
$ echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/b_sources
To add 11 consecutive IPs of the same range:
$ echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/b_sources
GUI
Use the statement <instance name>/<context id>/b_sources
followed by the IP address or range.
To add a single host:
<instance name>/<context id>/b_sources 10.0.2.3
To add a whole class C subnet:
<instance name>/<context id>/b_sources 10.0.3.0-255
To add 11 consecutive IPs of the same range:
<instance name>/<context id>/b_sources 10.0.4.10-20
Remove an IP
Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.
sysfs
Write the IPv4 address or the range prefixed by the character - in the sysfs entry.
$ echo -10.0.3.100 > /sys/packetshield/myinst/Other/b_sources
$ echo -10.0.4.10-15 > /sys/packetshield/myinst/Other/b_sources
GUI
Remove the statement <instance name>/<context id>/b_sources <IP address>
that matches the IP address or range.
If the IP address to remove is in the middle of an existing range, then provide the rules to follow.
To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:
myinst/Other/b_sources 10.0.3.0-99
myinst/Other/b_sources 10.0.3.101-255
List IPs
This function is only available using the CLI.
To list IPs currently configured in the source IP black list, read the content of the sysfs entry.
It displays one IPv4 address or range on a class C network per line.
$ cat /sys/packetshield/myinst/Other/b_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255
Next up
Contexts