Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt

Use this file to discover all available pages before exploring further.

Try free on Pangolin Cloud

Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
For each private resource, TCP and UDP are configured separately. Each protocol uses one of three modes: All, Blocked, or Custom. ICMP (ping) is controlled on its own and does not follow those TCP/UDP modes.

Port restrictions

Port settings apply to users, roles, and machines that have access to the resource. They limit which application traffic can reach the resource’s destination through Pangolin.

All

All means no port filtering for that protocol: every port on the destination is reachable through the tunnel. This is the default-style behavior when you are not narrowing traffic to a subset of ports. Use All when the service needs arbitrary ports (for example ephemeral ports on the client side are handled by the stack, but the server listens on many ports) or when you have not yet tightened access.

Blocked

Blocked means that protocol is not allowed to the destination through Pangolin: no TCP or no UDP traffic passes, depending on which row you set. The other protocol can still be All or Custom independently—for example TCP Custom (only 443) with UDP Blocked for a HTTPS-only workload that should not receive UDP to that destination. Use Blocked when you want to turn off a protocol entirely for that resource.

Custom

Custom means only the ports you list are allowed; every other port for that protocol is denied. Enter either:
  • a single port (e.g. 80),
  • a comma-separated list (e.g. 80,443,8080), or
  • a range with a hyphen (e.g. 8000-8100).
  • lists and ranges (e.g. 80,443,8080-8090,9000-9010)
Use Custom for least-privilege access: allow only the ports your application actually needs (see also SSH for allowing TCP 22 when using Pangolin SSH).

ICMP

By default, ICMP (ping) to the resource’s destination is enabled. To turn it off, disable the ICMP option when configuring access to the resource. That stops ICMP echo requests (ping) to the destination for principals that have access.
ICMP ping does not work when using a resource alias as the target—ping applies to the resource’s configured destination (FQDN, IP, or CIDR), not to alias hostnames.