High level requirements:

• Implement blocks in shortest possible amount of time
• Persistent daemon keeps router connection open
• Configuration file defines expect script for specific router models
• Configuration file defines multiple passwords to allow for graceful password changes
• Ability to "batch" block or unblock
• Full capabilities available from command line client
• Client interface available from C library (not implemented)
• Requests include a cookie which is returned with response message

ACL blocker communication details

The command line clients will be implemented as expect scripts. Initially, Bro will use these scripts. Ultimately, Bro will use the C library interface and keep a connection open to the ACL blocker to save time.

Commands include a cookie (32-bit unsigned value). This cookie is included in response messages from the ACL blocker to allow clients to match return status with requests. The value zero (0) may be used if this feature is not needed.

Commands may be streamed without waiting for status.

ACL blocker interface

Each command issued (eventually) results in a response and may be sent out of order. Responses consist of a raw unix timestamp (seconds and microseconds midnight, January 1, 1970), the cookie value and a status word. Responses can return multi-line text containing error messages, informational messages, comments or other text.

Response timestamps document when the requested action was taken. Note that some routers accept and commit an ACL change to configuration memory but must perform additional processing before the change actually takes effect.

Command and response lines that need to submit or return multi-line text end with a trailing dash ("-") character. Text is then read, stripping leading periods ("."), until a period on a line by itself is read.

When the ACL blocker first receives a connection from a client, it sends an initial message to let the client know it's ready for work. For example:

1024631441.934568 0 acld -
ready for action
.

As with response to a regular client command, a timestamp is displayed. Since there is no cookie value to give back, zero is used.

Unknown commands (and other garbage) may not have comments and their cookies are ignored. Responses will always use a cookie value of zero and may include a comment indicating what the problem was. For example:

junk 554
1078353422.923969 0 unknown-failed -
unknown command "junk"
.

ACL blocker client command summary

Command	Arguments
drop restore query	cookie addr cookie addr/netwidth cookie addr netmask
blockhosthost restorehosthost	cookie addr1 addr2
querywhitelist	cookie addr cookie addr/netwidth cookie addr netmask
droptcpport dropudpport restoretcpport restoreudpport	cookie port
droptcpdsthostport dropudpdsthostport permittcpdsthostport permitudpdsthostport restoretcpdsthostport restoreudpdsthostport unpermittcpdsthostport unpermitudpdsthostport	cookie addr port
addwhitelist remwhitelist	cookie addr cookie addr/netwidth cookie addr netmask
nullzero nonullzero	cookie addr cookie addr/netwidth cookie addr netmask
listacl compact	cookie acl
listroute state reload help	cookie

ACL blocker client command details

• addwhitelist cookie addr [-]
• addwhitelist cookie addr/netwidth [-]
• addwhitelist cookie addr netmask [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address to block
  • netwidth is an optional network width (e.g. 131.243.1.0/24)
  • netmask is an optional network mask (e.g. 255.255.255.0
  • optional multi-line text is logged

  This command is used to add a whitelist address or network.

  The command accepts a comment allowing a client to document why the entry is being added.

  The implementation will refuse to whitelist a network with a netmask width wider than /24.

  The implementation will refuse to accept a netmask that is not contiguous and left justified.

  Possible responses:

  • <timestamp> <cookie> addwhitelist [-]
  • <timestamp> <cookie> addwhitelist-failed [-]

• blockhosthost cookie addr1 addr2 [-]
  • cookie is a 32-bit unsigned value
  • addr1 and addr2 is the ip address pair to block
  • optional multi-line text is logged

  This command is used to block access by address pair.

  The command accepts a comment allowing a client to document why the block is being applied.

  Possible responses:

  • <timestamp> <cookie> blockhosthost [-]
  • <timestamp> <cookie> blockhosthost-failed [-]

  Here's an example blockhosthost command:

  blockhosthost 409 198.137.240.92 128.3.91.113

  The response might be:

  1273687184.824553 409 blockhosthost -
  11598 deny ip from 198.137.240.92 to 128.3.91.113 via em1 in
  .

• compact cookie acl
  • cookie is a 32-bit unsigned value
  • acl is the name of the ACL

  This command requests that the specified acl be compacted.

  Note that compaction is only scheduled and completes at some future time.

  Response:

  • <timestamp> <cookie> compact [-]

• drop cookie addr [-]
• drop cookie addr/netwidth [-]
• drop cookie addr netmask [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address to block
  • netwidth is an optional network width (e.g. 131.243.1.0/24)
  • netmask is an optional network mask (e.g. 255.255.255.0
  • optional multi-line text is logged

  This command is used to block access by address.

  The command accepts a comment allowing a client to document why the block is being applied.

  The implementation will refuse to block an address width smaller than /16.

  The implementation will refuse to accept a netmask that is not contiguous and left justified.

  It's unlikely daemon clients (e.g. Bro) will use the network netwidth capability.

  Possible responses:

  • <timestamp> <cookie> drop [-]
  • <timestamp> <cookie> drop-failed [-]

  Here's an example drop command:

  drop 123 198.137.240.92

  The response might be:

  1273273238.702409 123 drop

  or:

  1273273238.702409 123 drop -
  sequence too large (65536 > 65535)"
  .

• droptcpdsthostport cookie addr port [-]
• dropudpdsthostport cookie addr port [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address to block
  • port is the tcp or udp port to block

  This command is used to block access by destination address and port.

  The command accepts a comment allowing a client to document why the block is being applied.

  Possible responses:

  • <timestamp> <cookie> droptcpdsthostport [-]
  • <timestamp> <cookie> droptcpdsthostport-failed [-]

  Here's an example droptcpdsthostport command:

  droptcpdsthostport 1102 128.203.111.2 443 -
  Rod disabling https until this server can be patched
  .

  The response might be:

  1143084820.839264 1102 droptcpdsthostport

• droptcpport cookie port [-]
• dropudpport cookie port [-]
  • cookie is a 32-bit unsigned value
  • port is the tcp or udp port to block

  This command is used to block access by port.

  The command accepts a comment allowing a client to document why the block is being applied.

  Possible responses:

  • <timestamp> <cookie> droptcpportdrop [-]
  • <timestamp> <cookie> dropudpportdrop [-]
  • <timestamp> <cookie> droptcpport-failed [-]
  • <timestamp> <cookie> dropudpport-failed [-]

  Here's an example droptcpport command:

  droptcpport 4042322056 80 -
  Rod disabling http until web servers can be patched
  .

  The response might be:

  1143084820.839264 4042322056 droptcpport

• help cookie
  • cookie is a 32-bit unsigned value

  This command returns a command summary.

  Response:

  • <timestamp> <cookie> help [-]
• listacl cookie acl
  • cookie is a 32-bit unsigned value
  • acl is the name of the ACL

  This command is used to list the contents of the ACL.

  Possible responses:

  • <timestamp> <cookie> listacl acl [-]
  • <timestamp> <cookie> listacl-failed [-]

  Here's an example listacl report:

  1024631592.946718 107775 listacl OUTSIDE -
  1000 56 blockhost 194.117.194.120
  1001 0 blockhost 207.45.69.69
  1004 2 blockhost 202.96.113.20
  1005 89 blocknet 64.154.61.0/24
  1010 58 blockhost 210.233.49.116
  1031 0 blockhost 212.139.3.131
  1042 0 blockhost 212.139.3.132
  1045 0 blockhost 209.61.194.83
  1046 341 blockhost 192.102.234.119
  1051 174 blockhost 128.218.182.205
  1052 829 blockhost 193.251.23.218
  .

  The first number is the sequence number (or 0 if the router does not use sequence numbers). The second number is the count of how many times the ACL has matched a packet (or 0 if the router does not know).

  If it blocked address is a network, its mask is displayed as a width (for example 64.154.61.0/24).

• listroute cookie
  • cookie is a 32-bit unsigned value

  This command is used to list the routes.

  Possible responses:

  • <timestamp> <cookie> listroute acl [-]
  • <timestamp> <cookie> listroute-failed [-]

  Here's an example listroute report:

  1147222080.950994 903041 listroute -
  D 0.0.0.0 172.16.100.1
  D 172.16.111.0/24 172.16.100.2
  D 172.16.112.0/24 172.16.100.2
  D 172.16.113.0/24 172.16.100.2
  I 172.16.114.0/24
  I 172.16.115.0/24
  I 172.16.116.0/24
  S 172.16.116.128/23 172.16.116.90
  N 172.16.116.54
  N 172.16.116.54
  D 172.16.117.0/24 172.16.100.4
  D 172.16.118.0/24 172.16.100.4
  D 172.16.119.0/24 172.16.100.4
  .

  First is a character that describes the route type:

  Static
  Dynamic
  Interface
  Null zero

  Next is the destination address or network. Last is the optional gateway address or network.

• nonullzero cookie addr [-]
• nonullzero cookie addr/netwidth [-]
• nonullzero cookie addr netmask [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address to remove the null zero route for
  • netwidth is an optional network width (e.g. 131.243.1.0/24)
  • netmask is an optional network mask (e.g. 255.255.255.0
  • optional multi-line text is logged

  This command is used to remove a null zero route for a host.

  The command accepts a comment allowing a client to document why the null zero route is being removed.

  Possible responses:

  • <timestamp> <cookie> nonullzero [-]
  • <timestamp> <cookie> nonullzero-failed [-]

• nullzero cookie addr [-]
• nullzero cookie addr/netwidth [-]
• nullzero cookie addr netmask [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address to create a null zero route for
  • netwidth is an optional network width (e.g. 131.243.1.0/24)
  • netmask is an optional network mask (e.g. 255.255.255.0
  • optional multi-line text is logged

  This command is used to isolate a host by installing a null zero route for it.

  The command accepts a comment allowing a client to document why the null zero route is being installed.

  Possible responses:

  • <timestamp> <cookie> nullzero [-]
  • <timestamp> <cookie> nullzero-failed [-]

  Here's an example nullzero command:

  nullzero 16711728 212.139.15.101 -
  Infected with a virus
  .

  The response might be:

  1143685680.182807 16711728 nullzero

  or:

  1143685680.182807 16711728 nullzero -
  Note: There is already a null zero route for 212.139.15.101
  .

• permittcpdsthostport cookie addr port [-]
• permitudpdsthostport cookie addr port [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address
  • port is the tcp port

  This command is used to install an exception for a specific host and tcp port.

  The command accepts a comment allowing a client to document why the acl is being installed.

  Possible responses:

  • <timestamp> <cookie> permittcpdsthostport [-]
  • <timestamp> <cookie> permittcpdsthostport-failed [-]

• query cookie addr
• query cookie addr/netwidth
• query cookie addr netmask
  • cookie is a 32-bit unsigned value
  • addr is the ip address to query
  • netwidth is an optional network width (e.g. 131.243.1/24)
  • netmask is an optional network mask (e.g. 131.243.1 255.255.255.0)

  This command is used to determine if an address is blocked or not.

  Possible responses:

  • <timestamp> <cookie> query [-]
  • <timestamp> <cookie> query-failed [-]

  Here's an example query report:

  1024632280.869878 123401 query -
  acl OUTSIDE
  1002 45 blockhost 64.111.222.33
  .

  The first line documents which ACL the rule is in. The second line is the same as the listacl report would show.

• querywhitelist cookie addr
• querywhitelist cookie addr/netwidth
• querywhitelist cookie addr netmask
  • cookie is a 32-bit unsigned value
  • addr is the ip address to check
  • netwidth is an optional network width (e.g. 131.243.1/24)
  • netmask is an optional network mask (e.g. 131.243.1 255.255.255.0)

  This command is used to determine if an address or network is on the whitelist.

  Possible responses:

  • <timestamp> <cookie> querywhitelist [-]
  • <timestamp> <cookie> querywhitelist-failed [-]

  Here's an example querywhitelist report:

  1208125354.869878 66580 querywhitelist -
  172.16.192.177
  .

  This shows that the requested address is on the whitelist. If the specified address was whitelisted by a network rule, the network and mask would have been displayed.

• reload cookie
  • cookie is a 32-bit unsigned value

  This command requests that the daemon kill expect child process, reload the daemon configuration file and restart the child process.

  Note that as a side effect, all client connections are terminated.

  Response:

  • <timestamp> <cookie> reload [-]

• remwhitelist cookie addr [-]
• remwhitelist cookie addr/netwidth [-]
• remwhitelist cookie addr netmask [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address to block
  • netwidth is an optional network width (e.g. 131.243.1.0/24)
  • netmask is an optional network mask (e.g. 255.255.255.0
  • optional multi-line text is logged

  This command is used to remove a whitelist address or network.

  The command accepts a comment allowing a client to document why the entry is being removed.

  Possible responses:

  • <timestamp> <cookie> remwhitelist [-]
  • <timestamp> <cookie> remwhitelist-failed [-]

• restore cookie addr [-]
• restore cookie addr/netwidth [-]
• restore cookie addr netmask [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address to unblock
  • netwidth is an optional network width (e.g. 131.243.1.0/24)
  • netmask is an optional network mask (e.g. 131.243.1 255.255.255.0)
  • optional multi-line text is logged

  This command is used to unblock access by address.

  The command accepts a comment allowing a client to document why the block is being lifted.

  Possible responses:

  • <timestamp> <cookie> restore [-]
  • <timestamp> <cookie> restore-failed [-]

• restorehosthost cookie addr1 addr2 [-]
  • cookie is a 32-bit unsigned value
  • addr1 and addr2 is the ip address pair to unblock
  • optional multi-line text is logged

  This command is used to remove a address pair block.

  The command accepts a comment allowing a client to document why the block is being lifted.

  Possible responses:

  • <timestamp> <cookie> restorehosthost [-]
  • <timestamp> <cookie> restorehosthost-failed [-]

• restoretcpdsthostport cookie addr port [-]
• restoreudpdsthostport cookie addr port [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address
  • port is the tcp port
  • optional multi-line text is logged

  This command is used to unblock access by port.

  The command accepts a comment allowing a client to document why the block is being lifted.

  Possible responses:

  • <timestamp> <cookie> restoretcpdsthostport [-]
  • <timestamp> <cookie> restoretcpdsthostport-failed [-]

• restoretcpport cookie port [-]
• restoreudpport cookie port [-]
  • cookie is a 32-bit unsigned value
  • port is the tcp or udp port to unblock
  • optional multi-line text is logged

  This command is used to unblock access by port.

  The command accepts a comment allowing a client to document why the block is being lifted.

  Possible responses:

  • <timestamp> <cookie> restoretcpport [-]
  • <timestamp> <cookie> restoreudpport [-]
  • <timestamp> <cookie> restoretcpport-failed [-]
  • <timestamp> <cookie> restoreudpport-failed [-]

• state cookie
  • cookie is a 32-bit unsigned value

  This command requests the ACL blocker to report on its current state.

  Possible responses:

  • <timestamp> <cookie> state [-]
  • <timestamp> <cookie> state-failed [-]

  Here's an example state report:

  1024631592.946718 107774 state -
  # state loggedin
  # version 0.2
  # config "/usr/local/etc/acld.conf"
  router "10.0.0.2"
  expect "/usr/local/bin/expect"
  script "cisco8500.expect"
  whitelist "whitelist.txt"
  port 1776
  netsfac local1
  sync_secs 86400
  incrseq 1
  seqrange 5000 65000
  maxseq 7600
  # lastseq for ACL LOCAL is 5495
  # lastseq for ACL OUTSIDE is 46490
  # acllen for ACL LOCAL is 56
  # acllen for ACL OUTSIDE is 1973
  # whitelistlen 369
  acl LOCAL 128.3.0.0/16
  acl OUTSIDE default
  interface gigabitethernet 0/0 OUTSIDE
  interface gigabitethernet 0/2 LOCAL
  nullzeronet 128.3.0.0/16
  nullzeronet 192.16.0.0/16
  nullzeromax 8000
  # nullzerolen is 15
  .

  The ACL blocker is using the expect script "cisco8500.expect" and ip address 10.0.0.2 to communicate with the router.

• unpermittcpdsthostport cookie addr port [-]
• unpermitudpdsthostport cookie addr port [-]
  • cookie is a 32-bit unsigned value
  • addr is the ip address
  • port is the tcp port
  • optional multi-line text is logged

  This command is used to remove an exception for a specific host and tcp port.

  The command accepts a comment allowing a client to document why the acl is being removed. why the block is being lifted.

  Possible responses:

  • <timestamp> <cookie> unpermittcpdsthostport [-]
  • <timestamp> <cookie> unpermittcpdsthostport-failed [-]

Expect script summary

Command	Arguments
drop restore	addr acl seq addr/netwidth acl seq
blockhosthost restorehosthost	addr1 addr2
droptcpport dropudpport restoretcpport restoreudpport	port acl seq
droptcpdsthostport dropudpdsthostport permittcpdsthostport permitudpdsthostport restoretcpdsthostport restoreudpdsthostport unpermittcpdsthostport unpermitudpdsthostport	addr port acl seq
nonullzero nullzero	addr addr/netwidth
login	addr cuser cpass1 cpass2 euser epass1 epass2
listacl	acl interface
ayt listroute logout sync

Expect script details

The following expect procedures must be defined before the ACL blocker can support a router:

• ayt {}

  This procedure is used check if the router still responds to commands.

  Possible return statuses:

  • ayt [-]
  • ayt-failed [-]

• drop { addr acl seq }
• drop { addr/netwidth acl seq }
  • addr is the ip address to block
  • netwidth is an optional network width (e.g. 131.243.1.0/24)
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to add a block for an ip address on an ACL.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Add the rule to the ACL

  Possible return statuses:

  • drop [-]
  • drop-failed [-]

• blockhosthost { addr1 addr2 acl seq }
  • addr1 and addr2 is the ip address pair to block
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to add a block on an ACL for an ip address pair.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Add the rule to the ACL

  Possible return statuses:

  • blockhosthost [-]
  • blockhosthost-failed [-]

• droptcpdsthostport { addr port acl seq }
• dropudpdsthostport { addr port acl seq }
  • addr is the ip address
  • port is the tcp port
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to block a destination host port pair.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Add the rule to the ACL

  Possible return statuses:

  • droptcpdsthostport [-]
  • droptcpdsthostport-failed [-]

• droptcpport { port acl seq }
• dropudpport { port acl seq }
  • port is the port to block
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to add a block for a tcp or udp port on an ACL.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Add port to the ACL

  Possible return statuses:

  • droptcpport [-]
  • dropudpport [-]
  • droptcpport-failed [-]
  • dropudpport-failed [-]

• listacl { acl interface }
  • acl is the name of the ACL
  • interface is the name of the interface

  This procedure is used to list the contents of the ACL.

  Possible return statuses:

  • listacl [-]
  • listacl-failed [-]

  Here's an example listacl report:

  listacl -
  10 12 blockhost 194.117.194.120
  15 0 blockhost 207.45.69.69
  20 2 blockhost 202.96.113.20
  25 0 blocknet 64.154.61.0/24
  30 58 blockhost 210.233.49.116
  35 0 blockhost 212.139.3.131
  40 0 blockhost 212.139.3.132
  45 0 blockhost 209.61.194.83
  50 341 blockhost 192.102.234.119
  55 174 blockhost 128.218.182.205
  60 829 blockhost 193.251.23.218
  65535 0 permitany
  .

  The first number is the sequence number (or 0 if the router does not use sequence numbers). The second number is the count of how many times the ACL has matched a packet.

• listroute { }

  This procedure is used to list routes.

  Possible return statuses:

  • listroute [-]
  • listroute-failed [-]

  Here's an example listroute report:

  listroute -
  D 0.0.0.0 172.16.100.1
  D 172.16.111.0/24 172.16.100.2
  D 172.16.112.0/24 172.16.100.2
  D 172.16.113.0/24 172.16.100.2
  I 172.16.114.0/24
  I 172.16.115.0/24
  I 172.16.116.0/24
  S 172.16.116.128/23 172.16.116.90
  N 172.16.116.54
  N 172.16.116.54
  D 172.16.117.0/24 172.16.100.4
  D 172.16.118.0/24 172.16.100.4
  D 172.16.119.0/24 172.16.100.4
  .

  See the listroute command for a description of the output format.

• login { addr cuser cpass1 cpass2 euser epass1 epass2 }
  • addr is the ip address of the router
  • cuser is the connect username
  • cpass1 is the primary connect password
  • cpass2 is the backup connect password
  • euser is the enable username
  • epass1 is the primary enable password
  • epass2 is the backup enable password

  This procedure is used to login to the router. If the ACL blocker is not currently logged in, it will attempt to login. If it is already is logged in, it will logout and then login again.

  The login procedure uses two connect and two enable passwords. If the primary password fails, the backup password is tried. This allows router passwords to be changed without a window of vulnerability.

  Note that using more than two passwords can make the expect scripts more complicated (e.g. Ciscos terminate the telnet connection after three connect password failures).

  Possible return statuses:

  • login [-]
  • login-failed [-]

• logout {}

  This procedure is used to logout of the router.

  The child process is killed and cleaned up after.

  Possible return statuses:

  • logout [-]
  • logout-failed [-]

• nonullzero { addr }
• nonullzero { addr/netwidth }
  • addr is the ip address to remove the null zero route for
  • netwidth is an optional network width (e.g. 131.243.1.0/24)

  This procedure is used to remove a null zero route for a host.

  This is implemented by these steps:

  • If necessary, enter configure mode
  • Remove the static null zero route

  Possible return statuses:

  • nonullzero [-]
  • nonullzero-failed [-]

• nullzero { addr }
• nullzero { addr/netwidth }
  • addr is the ip address to create a null zero route for
  • netwidth is an optional network width (e.g. 131.243.1.0/24)

  This procedure is used to isolate a host by installing a null zero route for it.

  This is implemented by these steps:

  • If necessary, enter configure mode
  • Add a static null zero route

  Possible return statuses:

  • nullzero [-]
  • nullzero-failed [-]

• permittcpdsthostport { addr port acl seq }
• permitudpdsthostport { addr port acl seq }
  • addr is the ip address
  • port is the tcp port
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to install an exception for a specific host and tcp port in an ACL.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Add the rule to the ACL

  Possible return statuses:

  • permittcpdsthostport [-]
  • permittcpdsthostport-failed [-]

• restore { addr acl seq }
• restore { addr/netwidth acl seq }
  • addr is the ip address to unblock
  • acl is the name of the ACL
  • netwidth is an optional network width (e.g. 131.243.1.0/24)
  • seq is the sequence number in the access list

  This procedure is used to remove a block for an ip address on an ACL.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Remove the rule from the ACL

  Possible return statuses:

  • restore [-]
  • restore-failed [-]

• restorehosthost { addr1 addr2 acl seq }
  • addr1 and addr2 is the ip address pair to unblock
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to remove a block on an ACL for an ip address pair.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Remove the rule from the ACL

  Possible return statuses:

  • restorehosthost [-]
  • restorehosthost-failed [-]

• restoretcpdsthostport { addr port acl seq }
• restoreudpdsthostport { addr port acl seq }
  • addr is the ip address
  • port is the tcp port
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to remove a destination host port pair block.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Remove address and port form the ACL

  Possible return statuses:

  • restoretcpdsthostport [-]
  • restoretcpdsthostport-failed [-]

• restoretcpport { port acl seq }
• restoreudpport { port acl seq }
  • port is the port to unblock
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to remove a block for a tcp or udp port in an ACL.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Remove the rule from the ACL

  Possible return statuses:

  • restoretcpport [-]
  • restoreudpport [-]
  • restoretcpport-failed [-]
  • restoreudpport-failed [-]

• sync {}

  This procedure does whatever is necessary to save recent changes made to the router.

  This is implemented by these steps:

  • Router configuration changes are committed to nonvolatile memory
    For example, "write memory" on a Cisco or "copy running-config startup-config on a Force 10

  Possible return statuses:

  • sync [-]
  • sync-failed [-]

• unpermittcpdsthostport { addr port acl seq }
• unpermitudpdsthostport { addr port acl seq }
  • addr is the ip address
  • port is the tcp port
  • acl is the name of the ACL
  • seq is the sequence number in the access list

  This procedure is used to remove an exception for a specific host and tcp port in an ACL.

  This is implemented by these steps:

  • If necessary, enter ACL configure mode
  • Remove address and port from the ACL

  Possible return statuses:

  • unpermittcpdsthostport [-]
  • unpermittcpdsthostport-failed [-]

Implementation details

• Reads the configuration file(s) which tell it:
  • The router ip address
  • The router username(s) and passwords (up to two connect and two enable)
  • The router expect script
  • The local port to listen for clients
  • ACL configuration (ACL names, network/netmask list and interface/acl assignments)
  • The number of seconds between sync commands
  • The minimum and maximum sequence numbers to use

• Connects to the router, logs in and gains privileges
• Fetches the contents of each configured ACL
• Fetches the route list
• Loops waiting for client requests
• Periodically check to make sure the router is still responsive to commands
• Periodically tell the router to save its configuration to nonvolatile memory