Technical Documentation

PortShield
by Valtrix

A reverse proxy and DDoS mitigation service for any TCP or UDP application. Masks your origin server, absorbs volumetric attacks at the edge, and forwards only clean traffic to your infrastructure. No HTTP required. Any protocol, any port, any application.

1 Tbps
Mitigation capacity
< 20 ms
Latency overhead
TCP + UDP
Full L4 coverage
Any port
1 to 65535
Rev 2.1 June 2026 Valtrix
Overview
The L3/L4 DDoS landscape and what PortShield does about it

Today, an increasing number of organisations are subject to Layer 3 and Layer 4 (L3/L4) DDoS attacks targeting their internet-facing infrastructure. It is not just web servers under attack. Game servers, SSH and RDP access points, VPN concentrators, file transfer services, IoT endpoints, and any other application that communicates over TCP or UDP has become a frequent target for volumetric floods, reflection attacks, and protocol exploitation.

Traditional network-level DDoS scrubbing protects IP prefixes but offers no per-application control, no origin masking, and no service-aware filtering. Web application firewalls (WAFs) and CDNs protect HTTP traffic but cannot proxy arbitrary protocols. The gap between those two approaches is exactly where PortShield operates.

PortShield by Valtrix is a reverse proxy service that provides DDoS protection for any application running over TCP or UDP. Services such as game servers, SSH, RDP, VPN, MQTT, FTP, VoIP, custom trading protocols, and IoT telemetry can all use PortShield to mask the origin server, protect it from L3/L4 DDoS attacks, and add per-port access controls without modifying the application itself.

The attack surface problem

When a server's IP address is publicly reachable, it is permanently exposed to reconnaissance and attack. Attackers scan the entire IPv4 space in under an hour using widely available tools. Once your origin IP is known, it can be targeted directly, bypassing any upstream protections you have in place. Rate limits, cloud provider DDoS scrubbing, and upstream ISP filtering all operate at the IP level. None of them hide your origin.

PortShield solves this by moving the publicly reachable address to an edge node. Your clients connect to the edge, not to your server. Your server's IP is never advertised in DNS, never appears in connection logs on the client side, and can be completely locked down at the network level to only accept traffic from PortShield edge node IPs. Attackers have no origin to target directly.

What PortShield is not

PortShield is not a web application firewall and it is not a CDN. It does not cache content, does not terminate TLS, does not parse HTTP headers, and does not inspect application-layer payloads. It operates purely at Layer 4, which means it is compatible with encrypted protocols, proprietary binary protocols, and any application that does not use HTTP. The trade-off is that PortShield cannot block application-layer attacks such as HTTP floods or SQL injection. For those threats, a WAF should be layered in front of the application separately.

Key capabilities

  • Reverse proxy for any TCP or UDP application with origin IP masking
  • L3/L4 DDoS absorption up to 1 Tbps per edge region
  • Dual-tier mitigation: centralized detection plus autonomous edge-local filtering
  • Per-port IP firewall with CIDR-based allowlists and blocklists enforced at the edge
  • Service-specific filtering profiles with protocol-aware heuristics
  • Configurable per-port rate limiting (PPS and Mbps caps)
  • Subnet-level batch protection: cover an entire /24 IP block in a single operation
  • Per-account Prometheus metrics endpoint for Grafana and alerting integration
  • Full REST API for automation, CI/CD pipelines, and infrastructure-as-code workflows
  • Zero-downtime rule propagation to all edge nodes in real time
How PortShield Works
Traffic flow, connection proxying, and the edge network

When a request to a TCP or UDP application arrives, it first hits the closest PortShield edge node. The edge node checks the source IP against the port's firewall rules, validates the traffic against the configured service profile, applies any rate limits, and then proxies clean connections to the origin server over a direct tunnel. The full connection state is maintained on the edge node so the application on the origin side sees a normal TCP or UDP connection.

End-to-end traffic path

Connection lifecycle for a protected TCP application
# 1. Client's DNS resolves the protected hostname to the edge node
ssh.example.com  IN  CNAME  prt-02-oc-d1.valtrix.one
prt-02-oc-d1.valtrix.one  IN  A  206.206.77.180

# 2. Client connects to the edge port
Client (internet)  --TCP SYN-->  206.206.77.180:14200

# 3. Edge node processes the connection
Edge Node (prt-02-oc-d1.valtrix.one)
  Step 1: Match source IP against ACL rules
          - If allowlist is configured: drop if source is not allowed
          - If blocklist is configured: drop if source is explicitly blocked
  Step 2: Validate against service profile (e.g. SSH SYN-flood heuristics)
  Step 3: Check rate limits (PPS cap, Mbps cap)
  Step 4: Open proxied connection to origin

# 4. Clean traffic reaches your server
Edge Node  --TCP-->  203.0.113.5:22  (your origin, hidden from internet)

Platform components

PortShield has two main components that work together:

Control panel

The web-based management interface and API server. Handles user authentication, stores port and firewall rule configurations, and pushes rule changes to edge nodes in real time. Also exposes the Prometheus metrics endpoint, aggregating traffic data from each port's counters. The panel communicates with edge nodes over an authenticated, encrypted control channel.

Edge agent

A stateless, purpose-built proxy process running on each protection node. It operates entirely in user space with no dependency on iptables or kernel modules. Rules are hot-loaded: when a rule changes in the panel, the edge agent applies it within seconds without interrupting existing connections. If the panel is temporarily unreachable, edge agents continue enforcing the last known rule set independently.

Edge network regions

🇸🇬
Asia (Singapore)
Singapore, SG
Capacity: 800 Gbps
Port range: 10000 to 59999
Type: Standard
🇩🇪
Europe (Frankfurt)
Frankfurt, Germany
Capacity: 1 Tbps
Port range: 10000 to 59999
Type: Standard
🌐
Premium (Anycast)
Global anycast routing
Capacity: 1 Tbps
Port range: 1 to 65535
Type: Premium

When you create a protected port, the panel assigns it to the tunnel region you selected and returns an edge port number and a CNAME hostname. That hostname resolves to the edge node's IP. Your clients connect to the hostname and edge port. The edge port is permanent for the lifetime of the rule.

Rule propagation: when you create, modify, or delete a protection rule in the panel, the change is pushed to the relevant edge node and becomes active within a few seconds. There is no restart, no re-routing of existing connections, and no sync window during which old rules apply.
DDoS Mitigation Engine
How PortShield detects and absorbs attacks at the edge

PortShield uses a dual-tier mitigation architecture. Attacks are handled at both the edge node level and the network level, so that large volumetric floods are absorbed before they reach the proxy layer and sophisticated protocol-exploitation attacks are caught by service-aware heuristics running on the edge agents themselves.

Tier 1 • Network level
Volumetric Absorption
Large-scale floods (UDP amplification, ICMP floods, SYN floods at high PPS) are absorbed at the network carrier level before packets reach the edge agent process. Each PortShield region is connected to upstream transit with dedicated scrubbing capacity. Traffic that is absorbed at this layer does not count toward your monthly quota because it never enters the proxy pipeline.
Tier 2 • Application level
Protocol-Aware Filtering
The edge agent applies service-specific heuristics to every connection. For TCP services, this includes SYN rate limiting, connection state validation, and handshake inspection. For UDP services, this includes session tracking, packet size validation, and source IP reputation checking. Attacks that exploit protocol behaviour, such as Minecraft join floods or TeamSpeak status floods, are caught and dropped here without affecting legitimate connections.

Attack types handled

Attack category Examples Mitigation tier
UDP volumetric flood UDP Flood, UDP Random Flood, Mirai Variant, UDPMIX Flood, 0xFF Flood Network (Tier 1) + rate limiting
UDP amplification / reflection DNS amplification, NTP amplification, SSDP reflection Network (Tier 1)
TCP SYN flood SYN Flood, TCP ACK Flood, TCP Reset Flood Protocol filtering (Tier 2)
TCP state exhaustion TCP Socket Exhaustion, TCP STOMP Flood, Connection flood Protocol filtering (Tier 2)
Application-layer protocol abuse Minecraft join flood, TeamSpeak status flood, FiveM query flood Service profile (Tier 2)
Source IP spoofing Spoofed UDP floods, reflection attacks using spoofed source Network (Tier 1) + session tracking

What happens to your traffic during an attack

When a volumetric attack hits a protected port, the edge node's carrier-level scrubbing absorbs the flood. Legitimate connections from allowed source IPs continue to be proxied normally on the same edge port during the attack. There is no failover, no port change, and no client-visible disruption as long as the attack volume stays within the region's rated capacity.

For protocol-level attacks, the edge agent drops malformed or flagged packets per the active service profile while continuing to forward clean connections. The attack log in the panel records each mitigated attack event with timestamps, peak throughput, estimated source IP count, and attack type classification.

Attack traffic does not count toward your monthly quota. Only clean traffic that is successfully forwarded to your origin counts. Traffic absorbed and dropped by the mitigation engine is excluded from billing calculations.
Comparison to Cloudflare Spectrum
How PortShield relates to the most recognised product in this category

Cloudflare Spectrum is the most widely recognised TCP/UDP application proxy service. PortShield by Valtrix operates in the same product category: both are reverse proxies that handle any TCP or UDP application, mask origin IPs, and provide L3/L4 DDoS protection. Neither service requires the protected application to speak HTTP.

The table below covers the major feature differences. PortShield includes several capabilities that Spectrum does not offer in its standard tier, including per-port IP firewall rules, a private Prometheus metrics endpoint, and subnet-level batch provisioning. Cloudflare's advantage is global reach across 300+ data centres, which PortShield does not currently match at the same scale.

FeaturePortShield by ValtrixCloudflare Spectrum
Protocol support TCP, UDP, TCP/UDP TCP, UDP
DDoS absorption Up to 1 Tbps per region 500 Tbps global capacity
Per-port IP firewall Yes, CIDR allowlist and blocklist per port Available via IP Firewall integration
Prometheus metrics Private per-account endpoint, Grafana-ready Not included
Subnet /24 batch provisioning Yes, 256 rules in one API call No
Service-specific filtering profiles Game servers, SSH, RDP, VoIP, custom L4 proxy with Gatebot / dosd
Per-port rate limiting Configurable PPS and Mbps caps per port Available at network level
Port range Any port 1 to 65535 Ports 1 to 65535 (Enterprise)
REST API Full provisioning and configuration API Yes
Edge network Singapore, Frankfurt, Premium anycast 300+ cities globally
TLS / payload inspection None. Payload is never read or stored. Optional TLS termination available
Payment Account code, no credit card required Credit card or enterprise contract
PortShield is well-suited for regulated environments where a third party must not decrypt or store payload content. Because PortShield operates strictly at Layer 4 and never reads application data, it satisfies data sovereignty requirements that disallow third-party payload access.
IP Firewall
Per-port source IP allowlists and blocklists with CIDR support

PortShield includes a completely software-defined IP firewall that is configured per protected port, directly from the dashboard or the API. You can allow or deny individual IP addresses or CIDR ranges to control which sources can reach your application through the proxy. Rules are enforced on the edge agent before any traffic is forwarded to your origin, so blocked connections never consume origin server resources.

Operating modes

The firewall operates in one of two modes depending on which rule types are present:

ModeActivates whenEffect
Allowlist One or more allow rules are configured Only traffic from explicitly allowed CIDRs is forwarded. All other sources are silently dropped at the edge before the connection reaches the proxy.
Blocklist Only block rules are configured, no allow rules Traffic from blocked CIDRs is dropped. All other sources are forwarded normally.

CIDR notation

CIDRScopeTypical use
203.0.113.5/321 addressSingle workstation or server
203.0.113.0/24256 addressesOffice subnet or VPS range
10.8.0.0/1665,536 addressesVPN client pool
10.0.0.0/816,777,216 addressesAll RFC 1918 10.x private space
0.0.0.0/0All IPv4Allow all or block all

Example: restrict an SSH endpoint to known sources

ACL configuration for a management SSH endpoint
# Adding at least one allow rule activates allowlist mode.
# All other internet traffic is dropped at the edge.

allow  192.168.10.0/24   # Office internal network
allow  10.8.0.0/16        # VPN client pool
allow  203.0.114.5        # Individual admin workstation

# Result: only these three CIDR ranges can connect through the edge.
# An attacker who knows the edge port gets a silently dropped connection.

Adding rules via the API

POST /api/ports/:id/acl
curl -b cookies.txt -X POST https://portshield.valtrix.one/api/ports/pp-abc/acl \
  -H "Content-Type: application/json" \
  -d '{
    "cidr":   "192.168.10.0/24",
    "action": "allow",
    "note":   "Office network"
  }'
ACL rule changes propagate to all edge nodes in real time. There is no delay and no restart. Existing legitimate connections are preserved; connections from newly blocked sources are closed within a few seconds of the rule taking effect.
Prometheus Metrics
Per-account traffic monitoring with Grafana integration

PortShield exposes a private Prometheus-compatible metrics endpoint for each account. The endpoint returns traffic counters, connection counts, and port status data scoped exclusively to the authenticated account's ports. No other user can access your metrics endpoint, and you cannot access another account's endpoint. The API key embedded in the URL is unique per account and cannot be reused across accounts.

Point any Grafana instance at your endpoint URL to build real-time dashboards. A pre-built dashboard JSON is available for download from the Grafana Metrics page in the panel. It includes panels for bandwidth per port, active connection counts, total traffic aggregates, and a protected ports status overview.

Available metrics

MetricTypeDescription
valtrix_bytes_in_totalcounterTotal bytes received through the edge proxy for this port. Use rate() over a time window to derive bits-per-second bandwidth.
valtrix_bytes_out_totalcounterTotal bytes forwarded back to clients through the edge proxy.
valtrix_active_connectionsgaugeCurrent number of active proxied connections to this port at scrape time.
valtrix_connections_todaygaugeTotal number of connections accepted since midnight UTC.
valtrix_port_statusgauge1 if the port rule is active and proxying, 0 if the rule has been disabled.

All metrics carry labels: port_id, label, protocol, tunnel, origin.

Setting up Grafana in four steps

1

Get your endpoint URL

Open the Grafana Metrics page in the panel sidebar. Your full datasource URL is shown at the top. The API key is embedded in the URL as a query parameter. Copy the entire URL.

2

Add a Prometheus datasource in Grafana

Go to Configuration > Data Sources > Add data source, select Prometheus, and paste your full URL into the URL field. Leave all other settings at their defaults.

3

Set the scrape interval

Under Interval behaviour, set Scrape interval to 30s. Click Save and Test. A green confirmation message means Grafana successfully scraped your endpoint.

4

Import the pre-built dashboard

Download the ValtrixShield dashboard JSON from the Grafana Metrics page. In Grafana, go to Dashboards > Import, upload the file, select your datasource when prompted, and click Import. Your dashboard is immediately populated with live data.

Useful PromQL queries

Inbound bandwidth per port in bits per second
rate(valtrix_bytes_in_total[2m]) * 8
Combined inbound and outbound bandwidth across all ports
sum(rate(valtrix_bytes_in_total[2m]) + rate(valtrix_bytes_out_total[2m])) * 8
Only show ports with at least one active connection
valtrix_active_connections > 0
Alert when a port goes inactive
valtrix_port_status == 0
Subnet /24 Batch Protection
Covering an entire IP block in one operation, and when not to

The subnet /24 batch feature creates one protection rule for every IP address in a given /24 CIDR block. All 256 rules share the same port number, protocol, service profile, and tunnel region, and each rule receives its own unique edge port. The operation runs as a single API call or panel form submission.

This feature is not appropriate for most /24 blocks. Most IP ranges do not have all 256 addresses actively serving the same public-facing port. Using batch mode on a typical network wastes 256 port quota slots on rules that point at offline, internal, or non-existent hosts. Always prefer individual port protection for specific servers. Use batch mode only when you can confirm that every IP in the range genuinely has the target port open and reachable from the internet.

When batch mode is justified

  • A hosting provider that has allocated a dedicated /24 to game nodes where every node exposes the same UDP port
  • An operations team running a dense server cluster where all machines in the /24 have the same management port open to the internet and all nodes are active
  • An anycast or load-balanced cluster where every IP in the block serves the same application on the same port simultaneously

How batch provisioning works

Example: protect port 22/TCP across an entire /24 cluster
# Input
Subnet CIDR:  10.20.0.0/24
Origin Port:  22
Protocol:     TCP
Service Type: ssh-sftp
Label Prefix: SSH Cluster

# Result: 256 rules created, each with its own edge port
SSH Cluster (10.20.0.0)    -> :14300
SSH Cluster (10.20.0.1)    -> :14301
SSH Cluster (10.20.0.2)    -> :14302
# ...
SSH Cluster (10.20.0.255)  -> :14555

API call

POST /api/ports/batch (subnet mode)
curl -b cookies.txt -X POST https://portshield.valtrix.one/api/ports/batch \
  -H "Content-Type: application/json" \
  -d '{
    "mode":        "subnet",
    "cidr":        "10.20.0.0/24",
    "tunnelId":    "t-as-1",
    "originPort":  22,
    "protocol":    "TCP",
    "serviceType": "ssh-sftp",
    "label":       "SSH Cluster"
  }'
Subnet batch protection requires the Subnet Access permission to be enabled for your account by an administrator. The feature consumes 256 port slots from your plan quota. Contact support before running a batch if you are close to your plan limit.
Rate Limiting
Configurable per-port PPS and throughput caps

PortShield supports configurable per-port rate limiting for both TCP and UDP traffic. Rate limits are enforced at the edge agent and operate independently of the service profile. You can set a packets-per-second (PPS) cap, a throughput cap in megabits per second (Mbps), or both. Traffic that exceeds either threshold is dropped silently at the edge before it reaches your origin.

Rate limiting is useful when you want to cap resource consumption for a specific port regardless of attack conditions, protect a shared host from one tenant consuming all available capacity, or enforce a contractual bandwidth limit per client.

Configuring rate limits

Select rate-limit-tcp or rate-limit-udp as the service type when creating or editing a protected port. Two additional fields appear:

FieldUnitBehaviour when set to 0
PPS LimitPackets per secondPPS cap is disabled; only Mbps cap applies if set
BPS LimitMegabits per secondThroughput cap is disabled; only PPS cap applies if set
Example: UDP game port capped at 100 Mbps and 50,000 pps
Protocol:     UDP
Service Type: rate-limit-udp
PPS Limit:    50000   # packets/sec; 0 to disable
BPS Limit:    100     # megabits/sec; 0 to disable

# Effect: any burst above 100 Mbps or 50,000 pps is dropped.
# Legitimate traffic below the threshold passes through unmodified.
Service Profiles
Protocol-aware filtering heuristics per application type

Each protected port is assigned a service profile that tells the edge agent which application-level heuristics to apply when processing traffic. Selecting the correct profile significantly improves mitigation accuracy. A generic TCP pass-through profile will forward all SYN packets regardless of rate; an SSH-specific profile will apply connection rate limiting and SYN flood detection tuned for SSH connection patterns.

Protocol selection

Only select TCP/UDP if your application genuinely requires both protocols on the same port number. Selecting it when only one protocol is needed creates two proxy listeners per rule and consumes double the edge resources. For the vast majority of applications, TCP or UDP alone is correct.

Available service profiles

Profiles are grouped by category. Choose the most specific profile available for your application. The more specific the profile, the more accurate the attack detection.

Pass-through and rate limiting

Profile IDProtocolApplicationFiltering approach
no-protectionTCP/UDPAny (pass-through)Stateless pass-through. No filtering, no rate limiting, no connection inspection. Use only for applications with their own upstream protection or where you need zero proxy overhead.
rate-limit-synackTCPAny TCP applicationSYN/ACK rate cap. Drops new connection attempts that exceed the configured PPS threshold before the handshake completes. No deep packet inspection.

Infrastructure and management access

Profile IDProtocolApplicationFiltering approach
ssh-sftpTCPSSH, SFTPSYN flood detection, per-source connection rate limiting, SSH banner-grab flood mitigation.
ssh-premiumTCPSSH (enhanced)All ssh-sftp protections plus deep SSH handshake state validation, adaptive per-source throttling, and brute-force connection pattern detection.
rdpTCPRemote Desktop ProtocolRDP negotiation flood mitigation, connection state throttle per source IP.
mysqlTCPMySQL / MariaDBMySQL handshake state validation, connection flood protection, SYN flood detection.
rconTCPSource Engine RCONRCON authentication state tracking, per-source connection throttle to mitigate brute-force connection floods.

Web

Profile IDProtocolApplicationFiltering approach
web-serverTCPHTTP / HTTPSTCP connection flood protection, connection state validation. Does not inspect HTTP payloads. Pair with a WAF for application-layer protection.

VPN and tunneling

Profile IDProtocolApplicationFiltering approach
openvpn-tcpTCPOpenVPN (TCP mode)OpenVPN TLS negotiation state tracking, connection flood mitigation. Use only when your OpenVPN server is configured in TCP mode.
wireguard-tcpTCPWireGuard (TCP wrapper)Lightweight TCP pass-through tuned for WireGuard-over-TCP encapsulation. Applies SYN flood detection with minimal inspection overhead.

Game servers

Profile IDProtocolApplicationFiltering approach
minecraftTCP/UDPMinecraft (Java + Bedrock)Java Edition: handshake state validation and join-flood detection (TCP). Bedrock / PE: RakNet session tracking and ping-flood detection (UDP). Covers both editions in a single rule.
steamUDPSteam Source EngineSource Engine protocol validation, A2S query flood protection. Covers any Source Engine game not listed individually below.
fivemTCP/UDPFiveM (GTA V)Dual-protocol session handling covering FiveM resource downloads (TCP) and game state (UDP) on the same port. Query flood protection.
csgoUDPCounter-Strike GO / CS2Source Engine protocol validation with CS-specific A2S query flood patterns. Tuned for CS traffic timing and packet size distribution.

Additional game profiles are available in the panel. Contact support if your specific game title is not listed.

Generic proxies

Profile IDProtocolApplicationFiltering approach
generic-tcpTCPAny TCP applicationGeneric TCP proxy with SYN flood detection and per-source connection limiting. Use when no specific profile matches your application.
generic-udpUDPAny UDP applicationGeneric UDP proxy with source session tracking and configurable PPS cap. Use when no specific profile matches your application.
REST API
Full programmatic access to provisioning, configuration, and monitoring

Every operation available in the panel is also available through the PortShield REST API. Use it to automate port provisioning during server deployments, integrate with internal ticketing and monitoring systems, or manage large numbers of protected ports through infrastructure-as-code tooling such as Terraform or Ansible.

Base URL: https://portshield.valtrix.one
Auth: cookie-based session. Call POST /api/auth/login first. Pass the cookie on subsequent requests.
Errors: {"error": "message"} with the appropriate HTTP status code (400, 401, 403, 404, 422).

Endpoint reference

Authentication

POST
/api/auth/login
Authenticate and receive a session cookie. Body: {"email":"...","password":"..."}
GET
/api/auth/me
Returns the current user profile: id, email, role, plan, apiAccess, subnetAccess.
POST
/api/auth/logout
Destroys the session cookie.

Protected Ports

GET
/api/ports
List all protected ports for your account with live traffic counters.
POST
/api/ports
Create a protected port. Returns assigned edge port and CNAME target.
GET
/api/ports/:id
Get a specific port by ID.
PATCH
/api/ports/:id
Update port status. Body: {"status":"active"} or {"status":"inactive"}
DELETE
/api/ports/:id
Delete a port and release its edge port back to the pool.
POST
/api/ports/batch
Batch-create ports. Set "mode":"subnet" for /24 expansion. Requires subnetAccess permission.

IP Firewall

GET
/api/ports/:id/acl
List all ACL rules for a port.
POST
/api/ports/:id/acl
Add a rule. Body: {"cidr":"x.x.x.x/24","action":"allow","note":"..."}
DELETE
/api/ports/:portId/acl/:ruleId
Delete a specific ACL rule by ID.

Domains and Logs

GET
/api/domains
List assigned CNAME hostnames for your account.
GET
/api/attacks
Retrieve DDoS attack event logs with peak Gbps, source IP count, duration, and type.
GET
/api/tunnels
List all edge regions with status, capacity, and current load. No auth required.
GET
/api/metrics?key=<key>
Prometheus text format metrics scoped to the account matching the API key. No session cookie needed.

Full example: provision a port and add ACL rules

Complete provisioning workflow
# Step 1: authenticate
curl -c cookies.txt -X POST https://portshield.valtrix.one/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@example.com","password":"yourpassword"}'

# Step 2: create the protected port
curl -b cookies.txt -X POST https://portshield.valtrix.one/api/ports \
  -H "Content-Type: application/json" \
  -d '{
    "originIp":    "203.0.113.5",
    "originPort":  22,
    "protocol":    "TCP",
    "serviceType": "ssh-sftp",
    "label":       "Primary SSH",
    "tunnelId":    "t-as-1"
  }'

# Response includes the edge port and CNAME target
# { "id":"pp-abc", "edgePort":14200, "cnameTarget":"prt-02-oc-d1.valtrix.one", ... }

# Step 3: restrict access to known IP ranges (activates allowlist mode)
curl -b cookies.txt -X POST https://portshield.valtrix.one/api/ports/pp-abc/acl \
  -H "Content-Type: application/json" \
  -d '{"cidr":"192.168.10.0/24","action":"allow","note":"Office"}'

curl -b cookies.txt -X POST https://portshield.valtrix.one/api/ports/pp-abc/acl \
  -H "Content-Type: application/json" \
  -d '{"cidr":"10.8.0.0/16","action":"allow","note":"VPN clients"}'

# Step 4: update DNS (in your DNS provider)
# ssh.example.com. 3600 IN CNAME prt-02-oc-d1.valtrix.one.

# Step 5: lock down your origin server firewall
# Only accept connections from the PortShield edge node IP on port 22
Quick Start
Protect your first port in under two minutes
1

Log in to the panel

Navigate to your panel URL and sign in. If you do not have an account, ask your administrator to create one from the User Management section.

2

Add a protected port

Go to Protected Ports in the sidebar and click Add Port. Enter your origin IP and port, select the protocol and service profile that matches your application, and choose a tunnel region.

Example: protecting an SSH server on port 22
Origin IP:    203.0.113.5
Origin Port:  22
Protocol:     TCP
Service Type: ssh-sftp
Label:        Primary SSH
Tunnel:       Asia (Singapore)

# Assigned by PortShield:
Edge Port:    :14200
CNAME Target: prt-02-oc-d1.valtrix.one
3

Update your DNS

Add a CNAME record pointing your service hostname to the CNAME target shown in the panel. Set a low TTL (e.g. 300) when testing so changes take effect quickly.

DNS zone entry
ssh.example.com.  3600  IN  CNAME  prt-02-oc-d1.valtrix.one.
4

Lock down your origin firewall

Update your server's firewall to only accept inbound connections on the protected port from PortShield edge node IPs. This is the critical step that prevents attackers from bypassing the edge by targeting your origin IP directly.

5

Optionally add IP firewall rules

Open the ACL editor for your port and add allow rules for known source IP ranges. Once any allow rule is added, all other sources are blocked at the edge automatically.

Protocol Guide
Choosing between TCP, UDP, and TCP/UDP

Selecting the correct protocol is important. Choosing TCP/UDP when only one is needed creates two proxy listeners per rule and wastes edge capacity. The following table covers the most common applications and the correct protocol selection for each.

ApplicationProtocolProfileNotes
SSH / SFTPTCPssh-sftpAlways TCP only. SSH does not use UDP. Use ssh-premium for management access you want extra protection on.
RDPTCPrdpTCP only for standard RDP connections.
MySQL / MariaDBTCPmysqlTCP only. Pair with an IP allowlist; database ports should never be open to arbitrary internet sources.
Source Engine RCONTCPrconTCP only. Always pair with an IP allowlist to restrict access to admin IPs.
HTTP / HTTPSTCPweb-serverTCP only. Use this for non-web-app services. For applications with HTTP-layer threats, layer a WAF separately.
Minecraft (Java + Bedrock)TCP/UDPminecraftThe combined minecraft profile handles both Java (TCP) and Bedrock (UDP) simultaneously. Use TCP/UDP as the protocol.
Counter-Strike GO / CS2UDPcsgoSource engine uses UDP for game traffic and A2S queries. Use the steam profile for other Source Engine games.
FiveM (GTA V)TCP/UDPfivemFiveM uses TCP for resource downloads and UDP for game state on the same port number. One of the few genuinely justified TCP/UDP cases.
OpenVPN (TCP mode)TCPopenvpn-tcpUse only when your OpenVPN server is configured in TCP mode. If your server uses UDP, use the generic-udp or no-protection profile instead.
WireGuard (TCP wrapper)TCPwireguard-tcpFor WireGuard running over a TCP wrapper such as udp2raw or wstunnel. Native WireGuard (UDP/51820) is not supported through this profile.
Custom / proprietary TCPTCPgeneric-tcpUse when no specific profile matches. Applies SYN flood detection and per-source connection limiting without deep inspection.
Custom / proprietary UDPUDPgeneric-udpUse when no specific profile matches. Applies session tracking and a configurable PPS cap without protocol parsing.
DNS Setup
Routing client connections to the protected edge node

After adding a protected port, the panel provides a CNAME target hostname. Clients must connect to this hostname (and the assigned edge port) instead of your origin server IP. You achieve this by adding a CNAME record in your DNS zone.

CNAME record (recommended)

DNS zone examples for different application types
# SSH management access
ssh.example.com.     3600  IN  CNAME  prt-02-oc-d1.valtrix.one.

# Game server
play.example.com.    300   IN  CNAME  sg-01-oc-d1.valtrix.one.

# VPN endpoint
vpn.example.com.     3600  IN  CNAME  eu-01-xx0d2-c1.valtrix.one.

# Multiple services behind the same edge node
rdp.example.com.     3600  IN  CNAME  prt-02-oc-d1.valtrix.one.
sftp.example.com.    3600  IN  CNAME  prt-02-oc-d1.valtrix.one.

Resolving to a static IP (testing only)

Resolve the CNAME to an IP for short-term testing
dig +short prt-02-oc-d1.valtrix.one
# 206.206.77.180

# Then connect directly to the IP (not recommended for production)
ssh user@206.206.77.180 -p 14200
Edge node IP addresses can change during maintenance or capacity events. Using a static IP is only suitable for short-term testing. Always use the CNAME hostname in production so IP changes are transparent to your clients and do not require DNS updates on your side.

Before and after

SSH connection before and after adding PortShield
# Before: direct connection to origin (IP publicly reachable)
ssh admin@203.0.113.5 -p 22

# After: connection routed through PortShield edge
ssh admin@ssh.example.com -p 14200

# Your origin IP 203.0.113.5 is now invisible to clients and attackers.
# Lock your server firewall to only accept from the edge node IP.
Use Cases
How organisations use PortShield to protect their infrastructure

PortShield is applied across a wide range of industries and application types. Below are representative scenarios illustrating how different operators configure and benefit from the service.

🔐
Protecting management access at a multi-server hosting provider

A hosting provider operating hundreds of dedicated servers needed to protect SSH access across its entire fleet without exposing individual server IPs to the internet. Each server's SSH port (22/TCP) was added to PortShield under the ssh-sftp profile. An IP allowlist was configured per server to restrict access to the provider's internal operations team IP range and their VPN client pool.

The result: SSH access to every server in the fleet is now mediated through the edge. No server IP appears in client-side DNS. SYN flood attacks against the SSH ports are absorbed at the edge before they reach the servers. The operations team's workflow is unchanged since they connect via the CNAME hostnames.

🎮
Defending a game server network against UDP flood attacks

A game hosting network running Minecraft and FiveM servers was experiencing frequent UDP flood attacks that took individual nodes offline for minutes at a time. The attacks were volumetric, ranging from 5 to 80 Gbps, sourced from rented botnets.

After adding each game server to PortShield using the matching service profile (mc-bedrock for Bedrock servers, fivem for FiveM), the attack traffic is absorbed at the edge. The game servers receive only clean, proxied connections. Players connect using the CNAME hostnames and the assigned edge ports, which did not change after a rotation of server IPs following a hardware replacement.

🏢
Securing remote access for a distributed enterprise

An organisation with staff distributed across multiple countries needed to secure RDP and VPN access to its internal systems without using a hardware appliance at each site. Each access endpoint (RDP on TCP/3389, WireGuard on UDP/51820) was added to PortShield. IP allowlists were configured per port to restrict access to the corporate VPN exit IPs and approved office subnets.

The Prometheus metrics endpoint was integrated into the organisation's existing Grafana instance. Connection count dashboards now show real-time visibility into how many staff are connected to each access point. Grafana alerts fire when the connection count on the RDP port exceeds the expected threshold, flagging potential credential stuffing attempts before the origin server logs show any unusual login patterns.

🌐
Protecting IoT and custom protocol endpoints

An IoT platform receiving telemetry from thousands of field devices over a custom UDP binary protocol was exposed to amplification attacks that disrupted data ingestion. The platform's collection endpoint was added to PortShield using the rate-limit-udp profile with a per-port PPS cap tuned to the expected device throughput.

Attack traffic exceeding the PPS cap is dropped at the edge before it reaches the collection backend. Legitimate device telemetry, which operates well below the cap, passes through with no modification. The origin IP was removed from DNS entirely; devices were reconfigured to connect to the CNAME hostname and edge port. Attack frequency dropped to near zero once the origin IP was no longer publicly routable.

Benefits of Using PortShield
The three core advantages of L4 application proxying

Robust security without origin exposure

PortShield's edge network absorbs L3/L4 DDoS attacks at the carrier level. Your origin IP is hidden from the internet entirely. Even if an attacker discovers your edge port, they cannot bypass the IP firewall or reach your origin directly. Attacks that exceed the edge's rated capacity trigger automatic upstream scrubbing before packets reach the proxy layer.

No application changes required

PortShield is a transparent proxy. Your application does not need to be modified, recompiled, or reconfigured. The only change is that your clients connect to the CNAME hostname and edge port instead of your origin directly. The application on the origin side receives a normal TCP or UDP connection and has no awareness that a proxy is in the path.

Onboard in minutes, automate everything

Adding a new protected port takes under a minute in the panel and under two API calls programmatically. The REST API supports full lifecycle management. Every feature available in the dashboard is exposed as an API endpoint, making PortShield easy to embed into automated server provisioning workflows, CI/CD pipelines, and Terraform or Ansible configurations.

Security and Compliance
Data handling, access controls, and what PortShield does and does not inspect

What PortShield inspects

PortShield operates at Layer 4 only. It inspects source and destination IP addresses, source and destination ports, TCP flags, packet sizes, and packet rates. It does not read, store, modify, or forward copies of application-layer payload content. For TCP connections, it maintains connection state (SYN, ESTABLISHED, FIN) without reading what data is transmitted inside the connection.

This means PortShield is compatible with end-to-end encrypted protocols. Whether your application uses TLS, WireGuard, SSH, or a custom proprietary encryption scheme, the payload remains opaque to the proxy. PortShield never terminates encryption and never holds decryption keys.

Data handling

  • Port configurations, traffic counters, and attack event metadata are stored in a PostgreSQL database on the panel server
  • Traffic counters record byte totals and connection counts per port, not payload samples
  • Attack logs record timestamps, peak throughput, estimated source IP count, and attack type classification, not packet captures
  • Session cookies are HTTP-only and cannot be read by client-side JavaScript
  • Passwords are hashed and never stored in plaintext
  • Prometheus API keys are derived via HMAC-SHA256, scoped to one account, and do not require a separate database column

Access control model

Role or permissionAccess scope
AdminFull access to all accounts, ports, users, and system configuration
UserAccess limited to own ports, domains, attack logs, and metrics
API access flagGrants access to the API documentation page. Controlled per account by admin.
Subnet access flagGrants access to the /24 batch protection feature. Controlled per account by admin.
Prometheus API keyHMAC-signed token scoped to one account. Grants read-only access to that account's metrics only.

Panel and edge communication

All management traffic between your browser and the panel is encrypted with TLS 1.3. Edge nodes and the control panel communicate over an authenticated, encrypted control channel. Client traffic is strictly separated from control-plane communication. Protection rules remain fully active on edge nodes even if the panel is temporarily offline because agents operate independently after initial configuration.

Organisations that require a formal security assessment, threat model document, or architecture diagram for compliance purposes should contact support@valtrix.one.
Support and SLA
Getting help, planned maintenance, and service commitments

Contacting support

General support

support@valtrix.one

Response within 24 hours. Include your account email and affected port IDs.

Enterprise

support@valtrix.one

4-hour response target, custom SLA, dedicated bandwidth, and capacity contracts.

Planned maintenance

Edge agent updates are deployed in a rolling fashion, one node at a time. Each node being updated drains existing connections over a 30-second graceful window before the process restarts. Traffic is not interrupted for clients connected to other nodes during a rolling update. Panel maintenance windows are announced at least 48 hours in advance by email. During a panel outage, all existing protection rules remain fully active on edge nodes because agents operate independently of the panel.

Traffic and billing

  • Each plan includes a monthly traffic quota. Usage above the quota is billed at the per-GB overage rate shown in the tunnel selector.
  • Attack traffic absorbed and dropped by the mitigation engine does not count toward your monthly quota. Only successfully forwarded clean traffic is metered.
  • Payment is processed via Valtrix Account Code issued by our team. No credit card is required.
  • Bank transfer and manual invoice are also accepted. Contact support to arrange.
  • Custom contracts with dedicated bandwidth allocation, dedicated node capacity, or enhanced SLA terms are available. Contact support@valtrix.one.
PortShield by Valtrix, Technical Documentation, Rev 2.1, June 2026 Valtrix