<HTML><HEAD><TITLE>Manpage of RAPOLICY</TITLE> </HEAD><BODY>
<H1>RAPOLICY</H1>
Section: User Commands (1)<BR>Updated: 22 July 2002<BR><A HREF="#index">Index</A>
<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB"> </A>
<H2>NAME</H2>
<B>rapolicy</B> - compare an <B><A HREF="http://localhost/cgi-bin/man/man2html?8+argus">argus</A>(8)</B> data file/stream against a Cisco Access Control List.
<A NAME="lbAC"> </A>
<H2>COPYRIGHT</H2>
Copyright (c) 2000-2003 QoSient. All rights reserved.
<A NAME="lbAD"> </A>
<H2>SYNOPSIS</H2>
<B>rapolicy</B> <B>-r</B> <I>argus-file</I> <I>[ra options]</I>
<A NAME="lbAE"> </A>
<H2>DESCRIPTION</H2>
<A NAME="ixAAB"></A>
<P>
<B>Rapolicy</B> reads <B>argus</B> data from an <I>argus-file</I> list and tests the argus data stream against a Cisco access control list configuration file, printing out the records that represent activity which would violate the policy. <B>Rapolicy</B> can be used to report access control violations, and to test new access control definitions before installing them in a router.
<A NAME="lbAF"> </A>
<H2>OPTIONS</H2>
<B>Rapolicy</B>, like all <B>ra</B> based clients, supports a large number of options. Options that have specific meaning to <B>rapolicy</B> are:
<P>
<PRE>
-f &lt;Cisco ACL file&gt;   Print records that violate the policy.
-D 0 (default)        Print records that violate the policy.
-D 1                  Print records and the violated ruleset.
-D 2                  Print all records and the ruleset that matched.

See <B><A HREF="http://localhost/cgi-bin/man/man2html?1+ra">ra</A>(1)</B> for a complete description of <B>ra options</B>.
</PRE><A NAME="lbAG"> </A>
<H2>EXAMPLE INVOCATION</H2>
<PRE>
rapolicy -r argus.file
</PRE><A NAME="lbAH"> </A>
<H2>CISCO ACL SYNTAX</H2>
There does not seem to be authoritative Cisco ACL documentation, nor any standardization of ACL syntax.
Because Cisco has been known to improve its ACL rule syntax, <B>rapolicy</B> is only known to work with Cisco ACL router definitions up to July 2002.
<P>
A Cisco ACL configuration file consists of any number of ACL statements, each on a separate line. The syntax of an ACL statement is:
<P>
<PRE>
ACL       = "access-list" ID ACTION PROTO SRC DST NOTIFICATION
ID        = Number
ACTION    = permit | deny
PROTO     = protocol name | protocol number
SRC | DST = ADDRESS [PORTMATCH]
ADDRESS   = any | host HOSTADDR | HOSTADDR HOSTMASK
HOSTADDR  = ipV4 address
HOSTMASK  = matching-mask
PORTMATCH = PORTOP PORTNUM | range PORTRANGE
PORTOP    = eq | lt | gt | neq | established
PORTRANGE = PORTNUM PORTNUM
PORTNUM   = TCP or UDP port value (unsigned decimal from 0 to 65535)
</PRE><A NAME="lbAI"> </A>
<H2>EXAMPLE CONFIGURATION</H2>
This Cisco Access Control List configuration is provided as an example only. No effort has been made to verify that it enforces a useful access control policy of any kind.
<P>
<PRE>
#allow www-traffic to webserver
access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 80
#allow ftp control connection to server
access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 21
#allow normal ftp
access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 20
#allow ftp passive connections in portrange 10000 to 10500
access-list 102 permit tcp any host 193.174.13.99 range 10000 10500
#dummy example
access-list 102 permit tcp host 193.174.13.1 eq 12345 host 193.174.13.2 range 12345 23456
#deny the rest
access-list 102 deny tcp any any
#same thing in other words:
access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
</PRE>
<P>
<A NAME="lbAJ"> </A>
<H2>AUTHORS</H2>
<PRE>
Carter Bullard (<A HREF="mailto:carter@qosient.com">carter@qosient.com</A>).
Olaf Gellert (<A HREF="mailto:gellert@pca.dfn.de">gellert@pca.dfn.de</A>).
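</PRE>
<P>
Worked example for the CISCO ACL SYNTAX and EXAMPLE CONFIGURATION sections above: added illustration code, not rapolicy's own, that parses statements in the grammar given there and evaluates a flow against them with first-match semantics and Cisco's implicit final deny. Treating <B>established</B> as matching any port and ignoring the NOTIFICATION field are assumptions, and the embedded ACL is a constructed sample taken from the example configuration.

```python
from ipaddress import IPv4Address
# Constructed sample ACL, copied from the EXAMPLE CONFIGURATION section above.
ACL_TEXT = """\
#allow www-traffic to webserver
access-list 102 permit tcp any 193.174.13.99 0.0.0.0 eq 80
access-list 102 permit tcp any host 193.174.13.99 range 10000 10500
access-list 102 deny tcp any any
"""
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
def _parse_endpoint(tok):
    """Consume ADDRESS [PORTMATCH] from tok; return (addr, wildcard mask, port predicate)."""
    t = tok.pop(0)
    if t == "any":
        addr, mask = 0, 0xFFFFFFFF
    elif t == "host":
        addr, mask = int(IPv4Address(tok.pop(0))), 0
    else:
        addr, mask = int(IPv4Address(t)), int(IPv4Address(tok.pop(0)))
    pred = lambda p: True  # no PORTMATCH: any port
    if tok and tok[0] in ("eq", "lt", "gt", "neq", "range", "established"):
        op = tok.pop(0)
        if op == "range":
            lo, hi = int(tok.pop(0)), int(tok.pop(0))
            pred = lambda p: lo <= p <= hi
        elif op != "established":  # assumption: 'established' matches any port
            n = int(tok.pop(0))
            pred = {"eq": lambda p: p == n, "lt": lambda p: p < n,
                    "gt": lambda p: p > n, "neq": lambda p: p != n}[op]
    return addr, mask, pred
def parse_acl(text):
    """Parse statements (comment lines skipped) into (action, proto number, src, dst)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError("bad ACL statement: " + line)
        proto = int(tok[3]) if tok[3].isdigit() else PROTO_NUMBERS[tok[3]]
        rest = tok[4:]  # SRC DST [NOTIFICATION]; the pops consume SRC, then DST
        rules.append((tok[2], proto, _parse_endpoint(rest), _parse_endpoint(rest)))
    return rules
def _match(ep, ip, port):
    addr, mask, pred = ep  # Cisco wildcard mask: a set bit means "don't care"
    return (int(IPv4Address(ip)) | mask) == (addr | mask) and pred(port)
def check_flow(rules, proto, sip, sport, dip, dport):
    for action, rproto, src, dst in rules:  # first matching statement decides
        if rproto in (0, proto) and _match(src, sip, sport) and _match(dst, dip, dport):
            return action
    return "deny"  # no match: Cisco's implicit deny at the end of every list
```

Feeding each argus flow record's protocol, addresses and ports to check_flow and keeping the ones that return "deny" reproduces what rapolicy prints at its default -D 0 level.
<PRE>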
</PRE>
<A NAME="lbAK"> </A>
<H2>SEE ALSO</H2>
<B><A HREF="http://localhost/cgi-bin/man/man2html?1+ra">ra</A></B>(1), <B><A HREF="http://localhost/cgi-bin/man/man2html?5+rarc">rarc</A></B>(5), <B><A HREF="http://localhost/cgi-bin/man/man2html?8+argus">argus</A></B>(8)
<P>
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">COPYRIGHT</A><DD>
<DT><A HREF="#lbAD">SYNOPSIS</A><DD>
<DT><A HREF="#lbAE">DESCRIPTION</A><DD>
<DT><A HREF="#lbAF">OPTIONS</A><DD>
<DT><A HREF="#lbAG">EXAMPLE INVOCATION</A><DD>
<DT><A HREF="#lbAH">CISCO ACL SYNTAX</A><DD>
<DT><A HREF="#lbAI">EXAMPLE CONFIGURATION</A><DD>
<DT><A HREF="#lbAJ">AUTHORS</A><DD>
<DT><A HREF="#lbAK">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by <A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>, using the manual pages.<BR>
Time: 13:20:15 GMT, May 16, 2007
</BODY>
</HTML>