FreeBSD Manual Pages
RAPOLICY(1) General Commands Manual RAPOLICY(1) NAME rapolicy - compare a argus(8) data file/stream against a Cisco Access Control List. SYNOPSIS rapolicy -r argus-file [raoptions] [-- filter-expression] DESCRIPTION Rapolicy reads argus data from an argus-file list, and tests the argus data stream against a Cisco access control list configuration file Rapolicy can do many things as defined by its configuration file. The configuration file in not optional and the example below is well com- mented. The ACL file is specified in the configuration file. OPTIONS Rapolicy, like all ra based clients, supports a large number of op- tions. Options that have specific meaning to rapolicy are: -f <rapolicy configuration file> defines the actions of the client. -D 3 Print the output of the state event machine. See ra(1) for a complete description of ra options. EXAMPLE INVOCATION rapolicy -f rapolicy.conf -r argus.file CISCO ACL SYNTAX Rapolicy handles both standard and extended, numbered and named Cisco Access Control Lists EXAMPLE CONFIGURATION This example is provided as an example only. # # Argus Software # Copyright (c) 2000-2016 QoSient, LLC # All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # # Example rapolicy.conf # # Rapolicy, like most ra* programs, can read a program specific # configuration file. This is an example configuration for rapolicy() # that provides the opportunity to modify the default behavior of # parsing a Cisco ACL definition, and reporting on flows that match # aspects of the policy defined by the ACL. # # This file is read by rapolicy() from the command line using the # " -f rapolicy.conf " option. # # RA_POLICY_DUMP_POLICY is a debugging aid. If it is set to yes, then rapolicy() will read # and parse the ACL file and output an English language description of the actions associated # with each ACL entry. After outputting the explaination, rapolicy will exit. RA_POLICY_DUMP_POLICY="yes" # The rapolicy client parses a Cisco IOS ACL and constructs a filter which is used # to permit or deny flows. Under normal circumstances the packets meeting the # criteria for a permit rule are output by the client. There are circumstances where # it is useful to see the flows that are dropped. RA_POLICY_SHOW_WHICH can be set # to a value of "deny" in these cases. RA_POLICY_SHOW_WHICH="permit" # Under normal operating conditions, only the flow records that match a permit # or a deny rule (depending on the value of RA_POLICY_SHOW_WHICH) are output. In # some instance like baselining the actions of an ACL, the goal is to have a fully # labeled set of flows regardless of the ACL's permit or deny determination. In these # instances, a value of yes for RA_POLICY_JUST_LABEL will allow the full processing of # the flows and will label them according to the settings of the label flags but all of # the flows handled by the ACL will be output RA_POLICY_JUST_LABEL="no" # A Cisco IP ACL normally has no impact on non-IP traffic eg: ARP, DDCMP, Slotted-Aloha # RA_POLICY_PERMIT_OTHERS can be set to "yes" for the normal behavior or "no" to block # non-IP traffic RA_POLICY_PERMIT_OTHERS="yes" # The rapolicy client can add a label to a flow indicating the action (permit, deny, # or implictDeny), the ACL name or number) and the line within the ACL that caused the # action. # # if RA_POLICY_LABEL_LOG is set to "yes" labels will be added to flows matching ACL # entries that have a log qualifier. RA_POLICY_LABEL_LOG="no" # If RA_POLICY_LABEL_ALL is set to "yes" regardless of the value of RA_POLICY_LABEL_LOG, # any flow that matches an ACL entry will be labeled RA_POLICY_LABEL_ALL="no" # Every Cisos IOS ACL has an implicit deny as its last entry. Flows that do not match any # ACL entry are usually dropped silently. RA_POLICY_LABEL_IMPLICIT will label flows that # are dropped by the implicit deny rule. Under normal circumstances, these flows are not # labeled. The values of RA_POLICY_LABEL_ALL and RA_POLICY_LABEL_LOG do not govern the # labeling of these flows. RA_POLICY_LABEL_IMPLICIT="no" # The ACL is contained in a standard ASCII text file which is identified by the value of # RA_POLICY_ACL_FILE Since rapolicy is not designed to be a syntax checker, it is a # good idea to create the ACL on a Cisco device and take the output of show running # (or the appropriate equivalent command) as the input ACL for rapolicy() # The policy file should be defined as the last item in the rapolicy.conf file # or there may be unexpected side effects RA_POLICY_ACL_FILE="/tmp/ACL03.txt" COPYRIGHT Copyright (c) 2000-2016 QoSient. All rights reserved. AUTHORS Carter Bullard (carter@qosient.com). David Edelman (dwedelman@acm.org) SEE ALSO ra(1), rarc(5), argus(8) rapolicy 3.0.8 09 July 2013 RAPOLICY(1)
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLE INVOCATION | CISCO ACL SYNTAX | EXAMPLE CONFIGURATION | COPYRIGHT | AUTHORS | SEE ALSO
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=rapolicy&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>