HAProxy ALOHA Documentation 15.5

Allowlists / Denylists

Allowlists

Traffic coming from IPs in the allowlist is accepted regardless of the TCP/UDP port filtering policies.

The size of both allowlists and denylists cannot be greater than 512 different class C networks.

Setting IP address or IP range

PacketShield accepts two types of IP addresses:

  • Single host, i.e.: 10.0.0.1

  • IP range based on class C networks, 10.0.0.0-255 or 10.0.0.10-20

sysfs

PacketShield can manage the source IP allowlist through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_sources.

Add an IP to an allowlist

When you add an address to the source IP allowlist, it is automatically removed from the denylist.

sysfs

Write the IPv4 address or range prefixed by the plus sign character (+) in the sysfs entry.

To add a single host:

$ echo "+10.0.2.3" > /sys/packetshield/myinst/Other/w_sources

To add a whole class C subnet:

$ echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/w_sources

To add 11 consecutive IPs of the same range:

$ echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/w_sources

GUI

Use the statement <instance name>/<context id>/w_sources followed by the IP address or range.

To add a single host:

<instance name>/<context id>/w_sources 10.0.2.3

To add a whole class C subnet:

<instance name>/<context id>/w_sources 10.0.3.0-255

To add 11 consecutive IPs of the same range:

<instance name>/<context id>/w_sources 10.0.4.10-20

Remove an IP

Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.

sysfs

Write the IPv4 address or the range prefixed by the minus sign character (-) in the sysfs entry.

$ echo -10.0.3.100 > /sys/packetshield/myinst/Other/w_sources
$ echo -10.0.4.10-15 > /sys/packetshield/myinst/Other/w_sources

GUI

Remove the statement <instance name>/<context id>/w_sources <IP address> that matches the IP address or range.

If the IP address to remove is in the middle of an existing range, then provide the rules to follow.

To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:

myinst/Other/w_sources 10.0.3.0-99
myinst/Other/w_sources 10.0.3.101-255

List IPs

This function is only available using the CLI.

To list IPs currently configured in the source IP allowlist, read the content of the sysfs entry. It displays one IPv4 address or range on a class C network per line.

$ cat /sys/packetshield/myinst/Other/w_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255

Protocols

By default, all protocols are dropped except for TCP and UDP.

PacketShield uses Assigned Internet Protocol Numbers (IANA) protocol numbers in its allowlist.

An online version of the list of protocol numbers is available here.

The sysfs entry /sys/packetshield/<instance name>/<context id>/w_protocols is used to manage the protocol allowlist.

Add a protocol

sysfs

Write the protocol number prefixed by the plus sign character (+) in the sysfs entry.

To allow ICMP (1) and VRRP (112):

$ echo "+1" > /sys/packetshield/myinst/Other/w_protocols
$ echo "+112" > /sys/packetshield/myinst/Other/w_protocols

GUI

Use the statement <instance name>/<context id>/w_protocols followed by the <protocol number>.

To allow ICMP (1) and VRRP (112):

myinst/Other/w_protocols 1
myinst/Other/w_protocols 112

Remove a protocol

sysfs

Write the protocol number prefixed by the minus sign character (-) in the sysfs entry

To remove ICMP (1):

$ echo "-1" > /sys/packetshield/myinst/Other/w_protocols

GUI

Remove the statement <instance name>/<context id>/w_protocols <protocol number> that matches the <protocol number> you want to remove.

Display protocol allowlist

This function is only available through the CLI

To list protocols currently in the allowlist, you read the contents of the sysfs entry. It displays one protocol number per line.

$ cat /sys/packetshield/myinst/Other/w_protocols
1
112

By default, all TCP packets that do not match a protected destination TCP port are dropped.

Hence, in order for TCP based traffic to pass through PacketShield, the destination TCP ports must be either in the allowlist or in the protected list.

sysfs

The TCP port allowlist is managed through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_tcp_ports.

Ports

A port range is defined by two numbers representing the lower and upper ports of the range separated by the minus sign character (-).

Port range is inclusive. It means that the lower and upper ports describing the range are included in the range when matching packets.

Add a TCP port

sysfs

Write the port or range prefixed by the plus sign character (+) in the sysfs entry.

Allow list ports 80, 443 and 1200 to 1250

$ echo "+80" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "+443" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "+1200-1250" > /sys/packetshield/myinst/Other/w_tcp_ports

GUI

The TCP port allowlist is managed through the statement <instance name>/<context id>/w_tcp_ports

Allowlist ports 80, 443 and 1200 to 1250:

myinst/Other/w_tcp_ports 80
myinst/Other/w_tcp_ports 443
myinst/Other/w_tcp_ports 1200-1250

Remove a TCP port

sysfs

Write the port or range prefixed by the minus sign character (-) in the sysfs entry.

$ echo "-79-81" > /sys/packetshield/myinst/Other/w_tcp_ports
$ echo "-1250" > /sys/packetshield/myinst/Other/w_tcp_ports

GUI

Remove the statement line matching the TCP port allowlist <instance name>/<context id>/w_tcp_ports <tcp port>.

If the port to remove is in the middle of the range, then rules must be provided.

Remove the port 1225 from the range 1200-1250

myinst/Other/w_tcp_ports 1200-1224
myinst/Other/w_tcp_ports 1226-1250

List TCP port allowlist

This feature is available only through the CLI.

sysfs

To read the TCP port allowlist contents, read the contents of the sysfs entry. It displays one port or port range per line.

$ cat /sys/packetshield/myinst/Other/w_tcp_ports
80
443
1200-1250

Denylists

If a source IP is on the denylist, the traffic coming from the source IP is dropped regardless the TCP/UDP port filtering policies.

The size of both allowlist and denylist cannot go over more than 512 different class C networks.

Setting IP address or IP range

PacketShield accepts two types of IP addresses:

  • Single host, i.e.: 10.0.0.1

  • IP range based on class C networks, 10.0.0.0-255 or 10.0.0.10-20

sysfs

PacketShield manages source IP denylists using the sysfs entry:

/sys/packetshield/<instance name>/<context id>/b_sources.

Add an IP to a denylist

When you add an address to the source IP denylist, it is automatically removed from the allowlist.

sysfs

Write the IPv4 address or the range prefixed by the plus sign character (+) in the sysfs entry.

To add a single host:

$ echo "+10.0.2.3" > /sys/packetshield/myinst/Other/b_sources

To add a whole class C subnet:

$ echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/b_sources

To add 11 consecutive IPs of the same range:

$ echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/b_sources

GUI

Use the statement <instance name>/<context id>/b_sources followed by the IP address or range.

To add a single host:

<instance name>/<context id>/b_sources 10.0.2.3

To add a whole class C subnet:

<instance name>/<context id>/b_sources 10.0.3.0-255

To add 11 consecutive IPs of the same range:

<instance name>/<context id>/b_sources 10.0.4.10-20

Remove an IP

Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.

sysfs

Write the IPv4 address or the range prefixed by the minus sign character (-) in the sysfs entry.

$ echo -10.0.3.100 > /sys/packetshield/myinst/Other/b_sources
$ echo -10.0.4.10-15 > /sys/packetshield/myinst/Other/b_sources

GUI

Remove the statement <instance name>/<context id>/b_sources <IP address> that matches the IP address or range.

If the IP address to remove is in the middle of an existing range, then provide the rules to follow.

To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:

myinst/Other/b_sources 10.0.3.0-99
myinst/Other/b_sources 10.0.3.101-255

List IPs

This function is only available using the CLI.

sysfs

To list IPs currently configured in the source IP denylist, read the contents of the sysfs entry.

It displays one IP address or range on a class C network per line.

$ cat /sys/packetshield/myinst/Other/b_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255

Next up

Contexts