HAProxy ALOHA Documentation 15.5

Protected Ports

This setting enables the SYN cookie and the unmatched packet protection on the listed ports.

TCP ports

Several sysfs entries are available to enable this protection and can be used depending on the type of HAProxy ALOHA / PacketShield deployment:

  • /sys/packetshield/<instance name>/<context id>/p_tcp_ports

    When the TCP connection is locally terminated (i.e. when using HAProxy on HAProxy ALOHA).

  • /sys/packetshield/<instance name>/<context id>/x_tcp_ports

    When the TCP connection is terminated by a server behind HAProxy ALOHA and the synproxy mechanism is enabled on HAProxy ALOHA.

Define the port range.

  • A port range is defined by two numbers representing the lower and upper ports of the range separated by the minus sign character (-).

  • Port range is inclusive. It means that the lower and upper ports describing the range are included in the range when matching packets.

Add a TCP port

When you add a port or port range to the protected TCP ports list, it is removed from the allowlist.

sysfs

Write the port or range prefixed by the plus sign character (+) in the sysfs entry.

To protect ports 80 and 443 locally load-balanced by HAProxy:

$ echo "+80"  > /sys/packetshield/myinst/Other/p_tcp_ports
$ echo "+443" > /sys/packetshield/myinst/Other/p_tcp_ports

To protect ports 110, 995 and 1200 to 1250 routed through HAProxy ALOHA:

$ echo "+110" > /sys/packetshield/myinst/Other/x_tcp_ports
$ echo "+995" > /sys/packetshield/myinst/Other/x_tcp_ports
$ echo "+1200-1250" > /sys/packetshield/myinst/Other/x_tcp_ports

GUI

Write the port number or port range after the statement <instance name>/<context id>/p_tcp_ports or <instance name>/<context id>/x_tcp_ports:

To protect ports 80 and 443 locally load-balanced by HAProxy:

<instance name>/<context id>/p_tcp_ports 80
<instance name>/<context id>/p_tcp_ports 443

To protect ports 110, 995 and 1200 to 1250 routed through HAProxy ALOHA:

<instance name>/<context id>/x_tcp_ports 110
<instance name>/<context id>/x_tcp_ports 995
<instance name>/<context id>/x_tcp_ports 1200-1250

Remove a TCP port

When you remove a port in the middle of a range, it splits the range into two ranges.

sysfs

Write the port or range prefixed by the minus sign character (-) in the sysfs entry.

To remove the port range 79 to 81 locally load-balanced by HAProxy:

$ echo "-79-81" > /sys/packetshield/myinst/Other/p_tcp_ports

To remove port 1250 for traffic routed through HAProxy ALOHA:

$ echo "-1250" > /sys/packetshield/myinst/Other/x_tcp_ports

GUI

Remove the statement <instance name>/<context id>/p_tcp_ports <port number> or <instance name>/<context id>/x_tcp_ports <port number> that matches the port range you want to remove.

If the port to remove is in the middle of the range, replace the statement with two statements covering the ports that remain on each side of it.

To remove the port 1225 from the range 1200-1250:

myinst/Other/p_tcp_ports 1200-1224
myinst/Other/p_tcp_ports 1226-1250

List protected TCP ports

This function is only available using the CLI.

To list TCP ports currently in the protected port list, read the content of the sysfs entry.

It displays one port or port range per line.

$ cat /sys/packetshield/myinst/Other/p_tcp_ports
80
443
$ cat /sys/packetshield/myinst/Other/x_tcp_ports
110
995
1200-1250
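The add, remove and list steps above (and the identical ones for p_udp_ports below) are all plain writes and reads on a sysfs entry. As an added example that is not part of the ALOHA documentation or product, the POSIX shell functions below wrap those writes with a sanity check on the port specification before anything reaches PacketShield, and compute the two replacement statements the GUI needs when a port is removed from the middle of a range. SYSFS_ROOT, the 1 to 65535 bound and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not ALOHA's own tooling. SYSFS_ROOT is an assumed
# variable so the functions can be pointed at a scratch directory
# instead of the real /sys/packetshield tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/packetshield}"

# valid_spec PORT|LOWER-UPPER
# Returns 0 when the spec is a single port or an inclusive range whose
# ends are integers in 1..65535 with lower <= upper (assumed bounds).
valid_spec() {
    spec=$1
    case "$spec" in
        *-*) lower=${spec%%-*}; upper=${spec#*-} ;;
        *)   lower=$spec;       upper=$spec ;;
    esac
    for p in "$lower" "$upper"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lower" -le "$upper" ]
}

# entry_path INSTANCE CONTEXT FILE -> path of the sysfs entry
entry_path() {
    printf '%s/%s/%s/%s\n' "$SYSFS_ROOT" "$1" "$2" "$3"
}

# protect INSTANCE CONTEXT FILE SPEC : write "+SPEC" to the entry
protect() {
    valid_spec "$4" || { echo "bad port spec: $4" >&2; return 1; }
    echo "+$4" > "$(entry_path "$1" "$2" "$3")"
}

# unprotect INSTANCE CONTEXT FILE SPEC : write "-SPEC" to the entry
unprotect() {
    valid_spec "$4" || { echo "bad port spec: $4" >&2; return 1; }
    echo "-$4" > "$(entry_path "$1" "$2" "$3")"
}

# list_protected INSTANCE CONTEXT FILE : one port or range per line
list_protected() {
    cat "$(entry_path "$1" "$2" "$3")"
}

# gui_split LOWER-UPPER PORT
# Prints the two statements that replace LOWER-UPPER in the GUI when
# PORT, strictly inside the range, is removed. A one-port remainder is
# printed as a single port rather than "N-N".
gui_split() {
    range=$1; port=$2
    lower=${range%%-*}; upper=${range#*-}
    [ "$port" -gt "$lower" ] && [ "$port" -lt "$upper" ] || return 1
    if [ "$lower" -eq "$((port - 1))" ]; then
        echo "$lower"
    else
        printf '%s-%s\n' "$lower" "$((port - 1))"
    fi
    if [ "$upper" -eq "$((port + 1))" ]; then
        echo "$upper"
    else
        printf '%s-%s\n' "$((port + 1))" "$upper"
    fi
}
```

Sourced on an appliance with the default SYSFS_ROOT, `protect myinst Other x_tcp_ports 1200-1250` performs the same write as the documented echo command, and `gui_split 1200-1250 1225` prints the 1200-1224 and 1226-1250 statements shown in the GUI removal example.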

UDP ports

The sysfs entry /sys/packetshield/<instance name>/<context id>/p_udp_ports enables the SYN cookie and unmatched packet protection on the listed UDP ports for deployments where the QUIC protocol is supported.

Define the port range.

  • A port range is defined by two numbers representing the lower and upper ports of the range separated by the minus sign character (-).

  • Port range is inclusive. It means that the lower and upper ports describing the range are included in the range when matching packets.

Add a UDP port

When you add a port or port range to the protected UDP ports list, it is removed from the allowlist.

sysfs

Write the port or range prefixed by the plus sign character (+) in the sysfs entry.

To protect ports 80 and 443:

$ echo "+80"  > /sys/packetshield/myinst/Other/p_udp_ports
$ echo "+443" > /sys/packetshield/myinst/Other/p_udp_ports

GUI

Write the port number or port range after the statement <instance name>/<context id>/p_udp_ports:

To protect ports 80 and 443:

<instance name>/<context id>/p_udp_ports 80
<instance name>/<context id>/p_udp_ports 443

Remove a UDP port

When you remove a port in the middle of a range, it splits the range into two ranges.

sysfs

Write the port or range prefixed by the minus sign character (-) in the sysfs entry.

To remove the port range 79 to 81:

$ echo "-79-81" > /sys/packetshield/myinst/Other/p_udp_ports

GUI

Remove the statement <instance name>/<context id>/p_udp_ports <port number> that matches the port range you want to remove.

If the port to remove is in the middle of the range, replace the statement with two statements covering the ports that remain on each side of it.

To remove the port 1225 from the range 1200-1250:

myinst/Other/p_udp_ports 1200-1224
myinst/Other/p_udp_ports 1226-1250

List protected UDP ports

This function is only available using the CLI.

To list UDP ports currently in the protected port list, read the content of the sysfs entry.

It displays one port or port range per line.

$ cat /sys/packetshield/myinst/Other/p_udp_ports
80
443
