RAPOLICY(1)                 General Commands Manual                RAPOLICY(1)

NAME

       rapolicy - compare an argus(8) data file/stream against a Cisco Access
       Control List.

       Copyright (c) 2000-2003 QoSient. All rights reserved.


SYNOPSIS

       rapolicy -r argus-file [ra options]


DESCRIPTION

       Rapolicy reads argus data from an argus-file list and tests the argus
       data stream against a Cisco access control list configuration file,
       printing out records that represent activity that would violate the
       policy.  Rapolicy can be used to indicate access control violations, as
       well as to test new access control definitions prior to installing
       them in a router.


OPTIONS

       Rapolicy, like all ra based clients, supports a large number of
       options.  Options that have specific meaning to rapolicy are:

          -f <Cisco ACL file> Read the access control list from this file and
                              print records that violate the policy.
          -D 0 (default)      Print records that violate the policy.
          -D 1                Print records and the violated ruleset.
          -D 2                Print all records and the ruleset that matched.

       See ra(1) for a complete description of ra options.


EXAMPLE INVOCATION

       rapolicy -r argus.file


CISCO ACL SYNTAX

       There does not seem to be any authoritative Cisco ACL documentation,
       nor ACL syntax standardization.  Because Cisco has been known to
       improve its ACL rules syntax, rapolicy is known to work with Cisco ACL
       router definitions up to July, 2002.

       A Cisco ACL configuration file consists of a collection of any number
       of ACL statements, each on a separate line.  The syntax of an ACL
       statement is:

          ACL        = "access-list" ID ACTION PROTOCOL SRC DST NOTIFICATION

          ID         = Number
          ACTION     = permit | deny
          PROTOCOL   = protocol name | protocol number

          SRC | DST  = ADDRESS [PORTMATCH]

          ADDRESS    = any | host HOSTADDR | HOSTADDR HOSTMASK
          HOSTADDR   = IPv4 address
          HOSTMASK   = matching mask (wildcard form: a 0 bit must match, a 1
                       bit is ignored; compare the two "deny" forms in the
                       example configuration below)

          PORTMATCH  = PORTOP PORTNUM | range PORTRANGE
          PORTOP     = eq | lt | gt | neq | established

          PORTRANGE  = PORTNUM PORTNUM
          PORTNUM    = TCP or UDP port value (unsigned decimal from 0 to 65535)



EXAMPLE CONFIGURATION

       This example Cisco Access Control List configuration is provided as an
       example only.  No effort has been made to verify that this example
       Access Control List enforces a useful access control policy of any
       kind.

       #allow www-traffic to webserver
       access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 80

       #allow ftp control connection to server
       access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 21

       #allow normal ftp
       access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 20

       #allow ftp passive connections in portrange 10000 to 10500
       access-list 102 permit tcp any host 193.174.13.99 range 10000 10500

       #dummy example
       access-list 102 permit tcp host 193.174.13.1 eq 12345 host 193.174.13.2 range 12345 23456

       #deny the rest
       access-list 102 deny tcp any any

       #same thing in other words:
       access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

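       The following Python is an added example, not code from rapolicy or
       the argus distribution.  It parses ACL statements in the grammar of
       the CISCO ACL SYNTAX section and evaluates flow records against the
       example configuration above, returning the records the policy would
       deny, which is what rapolicy reports as violations.  It assumes Cisco
       first-match evaluation with an implicit deny after the last statement,
       Cisco wildcard masks (a 0 bit must match), that "established" takes
       no port number and cannot be judged from a 5-tuple alone, and a small
       protocol-name table; the flow records are constructed for the example
       and are not argus output.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

# PROTOCOL names this parser accepts (assumption: IANA numbers); any other PROTOCOL token must be numeric.
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
# PORTNUM tokens each PORTOP consumes ('established' takes none, as in Cisco IOS; an assumption).
PORT_OP_ARGS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2, "established": 0}
# src/dst: (HOSTADDR, HOSTMASK) as ints; *_port: (PORTOP, [PORTNUM, ...]) or None; notification: trailing tokens
AclEntry = namedtuple("AclEntry", "acl_id action proto src src_port dst dst_port notification")

def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:  # PORTNUM: unsigned decimal from 0 to 65535
        raise ValueError(f"port out of range: {text}")
    return port

def _parse_endpoint(tok: List[str], i: int) -> Tuple[tuple, Optional[tuple], int]:
    # ADDRESS: 'any' and 'host A' are shorthand for the HOSTADDR HOSTMASK form
    if tok[i] == "any":
        words, i = ["0.0.0.0", "255.255.255.255"], i + 1
    elif tok[i] == "host":
        words, i = [tok[i + 1], "0.0.0.0"], i + 2
    else:
        words, i = [tok[i], tok[i + 1]], i + 2
    addr = tuple(int(ipaddress.IPv4Address(w)) for w in words)
    port = None  # an optional PORTMATCH may follow
    if i < len(tok) and tok[i] in PORT_OP_ARGS:
        nargs = PORT_OP_ARGS[tok[i]]
        nums = [_port(t) for t in tok[i + 1:i + 1 + nargs]]
        if len(nums) != nargs:
            raise ValueError(f"{tok[i]} needs {nargs} port number(s)")
        port, i = (tok[i], nums), i + 1 + nargs
    return addr, port, i  # i is the next unread token

def parse_acl_line(line: str) -> Optional[AclEntry]:
    text = line.split("#", 1)[0].strip()  # '#' starts a comment, as in the example file
    if not text:
        return None
    tok = text.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACL statement: {text}")
    proto = PROTO_NUMBERS[tok[3]] if tok[3] in PROTO_NUMBERS else int(tok[3])
    src, src_port, i = _parse_endpoint(tok, 4)
    dst, dst_port, i = _parse_endpoint(tok, i)
    return AclEntry(int(tok[1]), tok[2], proto, src, src_port, dst, dst_port, tok[i:])

def parse_acl(config: str) -> List[AclEntry]:
    entries = []
    for lineno, line in enumerate(config.splitlines(), 1):
        try:
            entry = parse_acl_line(line)
        except (ValueError, IndexError) as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is not None:
            entries.append(entry)
    return entries

def addr_matches(m: tuple, ip: str) -> bool:
    care = ~m[1] & 0xFFFFFFFF  # wildcard mask: 0 bits must match, 1 bits are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (m[0] & care)

def port_matches(m: Optional[tuple], port: int) -> bool:
    if m is None or m[0] == "established":  # 'established' needs TCP flags a 5-tuple lacks: wildcard (assumption)
        return True
    op, nums = m
    if op == "range":
        return nums[0] <= port <= nums[1]
    return {"eq": port == nums[0], "neq": port != nums[0], "lt": port < nums[0], "gt": port > nums[0]}[op]

def evaluate(entries: List[AclEntry], proto, src: str, sport: int, dst: str, dport: int):
    pn = PROTO_NUMBERS[proto] if isinstance(proto, str) else proto
    for e in entries:  # first match decides; proto 0 ('ip') matches every protocol
        if e.proto in (0, pn) and addr_matches(e.src, src) and addr_matches(e.dst, dst) \
                and port_matches(e.src_port, sport) and port_matches(e.dst_port, dport):
            return e.action, e
    return "deny", None  # no match: implicit deny (Cisco semantics, assumed here)

def violations(entries: List[AclEntry], flows) -> list:
    """Flows the policy would deny: the records rapolicy reports as violations (-D 0)."""
    return [(f, e) for f in flows for a, e in [evaluate(entries, *f)] if a == "deny"]

# The ACL from the EXAMPLE CONFIGURATION section above.
EXAMPLE_ACL = """\
access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 80
access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 21
access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 20
access-list 102 permit tcp any host 193.174.13.99 range 10000 10500
access-list 102 permit tcp host 193.174.13.1 eq 12345 host 193.174.13.2 range 12345 23456
access-list 102 deny tcp any any
access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Constructed flow records (proto, src, sport, dst, dport); not real argus output.
SAMPLE_FLOWS = [
    ("tcp", "10.1.2.3", 40000, "193.174.13.99", 80),        # web: permitted by the first rule
    ("tcp", "10.1.2.3", 40001, "193.174.13.99", 22),        # ssh: caught by 'deny tcp any any'
    ("tcp", "193.174.13.1", 12345, "193.174.13.2", 20000),  # matches the 'dummy example' rule
    ("udp", "10.1.2.3", 5353, "193.174.13.99", 53),         # no udp rule at all: implicit deny
]
```

       Calling violations(parse_acl(EXAMPLE_ACL), SAMPLE_FLOWS) returns the
       ssh record paired with the "deny tcp any any" entry and the udp record
       paired with None, the implicit deny.  Returning the matched entry next
       to each denied record is the same information rapolicy prints with
       -D 1, and it is what makes an ACL review useful: a violation hitting
       the explicit catch-all is expected policy, while one falling through
       to the implicit deny usually means the list never considered that
       protocol at all.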

AUTHORS

       Carter Bullard (carter@qosient.com).
       Olaf Gellert (gellert@pca.dfn.de).


SEE ALSO

       ra(1), rarc(5), argus(8)



                                 22 July 2002                      RAPOLICY(1)