# Armor configuration templates

Each armor covers one protocol. To control greylist behaviour for both TCP and UDP on the same prefix, create two armors — one per protocol — with the same `ip` and `prefix` values.

## UDP armor — example: game server

| JSON field             | Value                  | Description                                                                                  |
| ---------------------- | ---------------------- | -------------------------------------------------------------------------------------------- |
| `ip`                   | "1.2.3.4"              | *The net ID part of the subnet (first IP)*                                                   |
| `prefix`               | 32                     | *The CIDR part of the subnet*                                                                |
| `description`          | "Client gameserver"    | *An optional description text*                                                               |
| `tenant-id`            | 42                     | *The client's tenant ID*                                                                     |
| `enabled`              | true                   | *Enables the armor (i.e. routes traffic through Warden)*                                     |
| `prevention-mode`      | true                   | *Allows Warden to actually drop packets*                                                     |
| `ports`                | \["1024-2048", "4096"] | *Destination ports open to greylisted traffic. Whitelisted sources bypass this restriction.* |
| `protocol`             | "udp"                  | *The protocol this armor applies to. Each protocol requires a separate armor.*               |
| `tcp-established`      | false                  | *Allow the protected IP to initiate connections to the Internet*                             |
| `tcp-gl-pps`           | 0                      | *Per-destination-IP PPS limit for greylisted TCP traffic. No effect in a UDP armor.*         |
| `udp-gl-pps`           | 10000                  | *Per-destination-IP PPS limit for greylisted UDP traffic. No effect in a TCP armor.*         |
| `dpi-profile`          | ""                     | *(UDP only) sets a bytematching profile*                                                     |
| `reject-src-port-1024` | true                   | *Rejects packets if the source port is less than 1024*                                       |

## TCP armor — example: web server

| JSON field             | Value               | Description                                                                                  |
| ---------------------- | ------------------- | -------------------------------------------------------------------------------------------- |
| `ip`                   | "1.2.3.4"           | *The net ID part of the subnet (first IP)*                                                   |
| `prefix`               | 32                  | *The CIDR part of the subnet*                                                                |
| `description`          | "Client web server" | *An optional description text*                                                               |
| `tenant-id`            | 42                  | *The client's tenant ID*                                                                     |
| `enabled`              | true                | *Enables the armor (i.e. routes traffic through Warden)*                                     |
| `prevention-mode`      | true                | *Allows Warden to actually drop packets*                                                     |
| `ports`                | \["80", "443"]      | *Destination ports open to greylisted traffic. Whitelisted sources bypass this restriction.* |
| `protocol`             | "tcp"               | *The protocol this armor applies to. Each protocol requires a separate armor.*               |
| `tcp-established`      | true                | *Allow the protected IP to initiate connections to the Internet*                             |
| `tcp-gl-pps`           | 10000               | *Per-destination-IP PPS limit for greylisted TCP traffic. No effect in a UDP armor.*         |
| `udp-gl-pps`           | 0                   | *Per-destination-IP PPS limit for greylisted UDP traffic. No effect in a TCP armor.*         |
| `dpi-profile`          | ""                  | *(UDP only) sets a bytematching profile*                                                     |
| `reject-src-port-1024` | true                | *Rejects packets if the source port is less than 1024*                                       |

{% hint style="warning" %}
**`ports`, `tcp-gl-pps`, and `udp-gl-pps` are greylist-only controls.** They apply exclusively to traffic from source IPs that are neither whitelisted nor blacklisted. Whitelisted sources bypass port restrictions and PPS limits entirely. `tcp-gl-pps` has no effect in a UDP armor; `udp-gl-pps` has no effect in a TCP armor.

**Greylist PPS is enforced per destination IP, not per prefix.** A value of 10,000 on a /24 (256 IPs) allows up to 10,000 PPS per IP from greylisted sources — not 10,000 PPS total across the prefix.

**Sizing guidance:**

* A starting point of **10,000 PPS per IP** is reasonable for most workloads, but the right value depends on your baseline traffic from non-whitelisted sources.
* If you are unsure of your baseline, contact i3D.net support — we can provide weekly traffic plots to help you identify a safe threshold.
* Setting `udp-gl-pps: 0` or `tcp-gl-pps: 0` causes all greylisted traffic for that protocol to be dropped — that is, all non-whitelisted, non-blacklisted traffic is dropped.

{% endhint %}
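
An added example (not i3D.net code and not part of the Warden API): a small Python linter for armor JSON objects that checks the pitfalls called out in the tables and warning above, and computes the prefix-wide greylist ceiling that follows from per-destination-IP enforcement. Only the field names come from this page; the function names and the sample armors on the 192.0.2.0/24 documentation range are constructed for illustration.

```python
import ipaddress

# Constructed sample armors; field names follow the tables above.
SAMPLE = [
    {"ip": "192.0.2.0", "prefix": 24, "protocol": "udp", "enabled": True,
     "tcp-gl-pps": 0, "udp-gl-pps": 10000, "dpi-profile": ""},
    {"ip": "192.0.2.10", "prefix": 32, "protocol": "tcp", "enabled": True,
     "tcp-gl-pps": 0, "udp-gl-pps": 10000, "dpi-profile": ""},
]

def lint_armor(armor):
    """Return a list of findings for one armor dict."""
    proto = armor.get("protocol")
    if proto not in ("tcp", "udp"):
        return [f"protocol must be 'tcp' or 'udp', got {proto!r}"]
    other = "udp" if proto == "tcp" else "tcp"
    findings = []
    try:
        # `ip` must be the net ID (first IP) of the subnet.
        ipaddress.ip_network(f"{armor['ip']}/{armor['prefix']}", strict=True)
    except ValueError:
        findings.append("ip is not the first address (net ID) of the prefix")
    if armor.get(f"{proto}-gl-pps") == 0:
        findings.append(f"{proto}-gl-pps is 0: all greylisted {proto} traffic is dropped")
    if armor.get(f"{other}-gl-pps"):
        findings.append(f"{other}-gl-pps has no effect in a {proto} armor")
    if proto == "tcp" and armor.get("dpi-profile"):
        findings.append("dpi-profile is UDP only")
    return findings

def worst_case_greylist_pps(armor):
    """Greylist PPS is per destination IP, so the prefix-wide ceiling scales with size."""
    net = ipaddress.ip_network(f"{armor['ip']}/{armor['prefix']}", strict=False)
    return armor[f"{armor['protocol']}-gl-pps"] * net.num_addresses

def missing_protocols(armors):
    """Map each (ip, prefix) to the protocols that have no enabled armor."""
    seen = {}
    for a in armors:
        if a.get("enabled"):
            seen.setdefault((a["ip"], a["prefix"]), set()).add(a["protocol"])
    return {k: {"tcp", "udp"} - v for k, v in seen.items() if v != {"tcp", "udp"}}

if __name__ == "__main__":
    for a in SAMPLE:
        print(a["ip"], a["prefix"], a["protocol"], lint_armor(a),
              "ceiling:", worst_case_greylist_pps(a))
    print("missing:", missing_protocols(SAMPLE))
```

The second sample armor is deliberately misconfigured: it carries the UDP limit in a TCP armor, so its effective greylist limit is `tcp-gl-pps: 0`.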

## API reference documentation

For the full API reference, follow the link below.

{% embed url="<https://glad-api.i3d.net/#/Glad>" %}

