Second generation ACL blocker notes

18-Sep-2018

Here are some notes on the second generation ACL blocker.

High level requirements:

Implement blocks in shortest possible amount of time
Persistent daemon keeps router connection open
Configuration file defines expect script for specific router models
Configuration file defines multiple passwords to allow for graceful password changes
Ability to "batch" block or unblock
Requests include a cookie which is returned with response message
Full capabilities available from command line client
Client interface available from Python module

ACL blocker communication details

Clients will talk to the ACL blocker via an inet socket on a port on localhost. It is possible to use telnet to interact with the daemon.

The command line clients will be implemented as expect scripts. Initially, Bro will use these scripts. Ultimately, Bro will use the C library interface and keep a connection open to the ACL blocker to save time.

Commands include a cookie (32-bit unsigned value). This cookie is included in response messages from the ACL blocker to allow clients to match return status with requests. The value zero (0) may be used if this feature is not needed.

Commands may be streamed without waiting for status.

ACL blocker interface

Communications with the ACL blocker occurs over a socket. Commands consist of a keyword, a cookie (32-bit unsigned value) and optional arguments. In addition, many commands (e.g. drop) optionally use multi-line text (see below).

Each command issued (eventually) results in a response and may be sent out of order. Responses consist of a raw unix timestamp (seconds and microseconds midnight, January 1, 1970), the cookie value and a status word. Responses can return multi-line text containing error messages, informational messages, comments or other text.

Response timestamps document when the requested action was taken. Note that some routers accept and commit an ACL change to configuration memory but must perform additional processing before the change actually takes effect.

Command and response lines that need to submit or return multi-line text end with a trailing dash ("-") character. Text is then read, stripping leading periods ("."), until a period on a line by itself is read.

When the ACL blocker first receives a connection from a client, it sends an initial message to let the client know it's ready for work. For example:

1024631441.934568 0 acld - ready for action .

As with response to a regular client command, a timestamp is displayed. Since there is no cookie value to give back, zero is used.

Unknown commands (and other garbage) may not have comments and their cookies are ignored. Responses will always use a cookie value of zero and may include a comment indicating what the problem was. For example:

junk 554 1078353422.923969 0 unknown-failed - unknown command "junk" .

ACL blocker client command summary

Command Arguments

drop
restore
query
cookie addr
cookie addr/netwidth
cookie addr netmask

blockhosthost
restorehosthost
cookie addr1 addr2

querywhitelist cookie addr
cookie addr/netwidth
cookie addr netmask

droptcpport
dropudpport
restoretcpport
restoreudpport
cookie port

droptcpdsthostport
dropudpdsthostport
permittcpdsthostport
permitudpdsthostport
restoretcpdsthostport
restoreudpdsthostport
unpermittcpdsthostport
unpermitudpdsthostport
cookie addr port

addwhitelist
remwhitelist
cookie addr
cookie addr/netwidth
cookie addr netmask

nullzero
nonullzero
querynullzero
cookie addr
cookie addr/netwidth
cookie addr netmask

filter
nofilter
queryfilter
cookie addr

compact
listacl
cookie acl

prefix
noprefix
cookie addr name

listprefix
cookie name

help
listroute
reload
state
cookie

Command	Arguments
drop restore query	cookie addr cookie addr/netwidth cookie addr netmask
blockhosthost restorehosthost	cookie addr1 addr2
querywhitelist	cookie addr cookie addr/netwidth cookie addr netmask
droptcpport dropudpport restoretcpport restoreudpport	cookie port
droptcpdsthostport dropudpdsthostport permittcpdsthostport permitudpdsthostport restoretcpdsthostport restoreudpdsthostport unpermittcpdsthostport unpermitudpdsthostport	cookie addr port
addwhitelist remwhitelist	cookie addr cookie addr/netwidth cookie addr netmask
nullzero nonullzero querynullzero	cookie addr cookie addr/netwidth cookie addr netmask
filter nofilter queryfilter	cookie addr
compact listacl	cookie acl
prefix noprefix	cookie addr name
listprefix	cookie name
help listroute reload state	cookie

ACL blocker client command details

addwhitelist cookie addr [-]
addwhitelist cookie addr/netwidth [-]
addwhitelist cookie addr netmask [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to block
- netwidth is an optional network width (e.g. 131.243.1.0/24)
- netmask is an optional network mask (e.g. 255.255.255.0
- optional multi-line text is logged
This command is used to add a whitelist address or network.
The command accepts a comment allowing a client to document why the entry is being added.
The implementation will refuse to whitelist a network with a netmask width wider than /24.
The implementation will refuse to accept a netmask that is not contiguous and left justified.
Possible responses:
- <timestamp> <cookie> addwhitelist [-]
- <timestamp> <cookie> addwhitelist-failed [-]
blockhosthost cookie addr1 addr2 [-]
- cookie is a 32-bit unsigned value
- addr1 and addr2 is the ip address pair to block
- optional multi-line text is logged
This command is used to block access by address pair.
The command accepts a comment allowing a client to document why the block is being applied.
Possible responses:
- <timestamp> <cookie> blockhosthost [-]
- <timestamp> <cookie> blockhosthost-failed [-]
Here's an example blockhosthost command:
blockhosthost 409 198.137.240.92 128.3.91.113

The response might be:
1273687184.824553 409 blockhosthost - 11598 deny ip from 198.137.240.92 to 128.3.91.113 via em1 in .
compact cookie acl
- cookie is a 32-bit unsigned value
- acl is the name of the ACL
This command requests that the specified acl be compacted.
Note that compaction is only scheduled and completes at some future time.
Response:
- <timestamp> <cookie> compact [-]
drop cookie addr [-]
drop cookie addr/netwidth [-]
drop cookie addr netmask [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to block
- netwidth is an optional network width (e.g. 131.243.1.0/24)
- netmask is an optional network mask (e.g. 255.255.255.0
- optional multi-line text is logged
This command is used to block access by address.
The command accepts a comment allowing a client to document why the block is being applied.
The implementation will refuse to block an address width smaller than /16.
The implementation will refuse to accept a netmask that is not contiguous and left justified.
It's unlikely daemon clients (e.g. Bro) will use the network netwidth capability.
Possible responses:
- <timestamp> <cookie> drop [-]
- <timestamp> <cookie> drop-failed [-]
Here's an example drop command:
drop 123 198.137.240.92

The response might be:
1273273238.702409 123 drop

or:
1273273238.702409 123 drop - sequence too large (65536 > 65535)" .
droptcpdsthostport cookie addr port [-]
dropudpdsthostport cookie addr port [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to block
- port is the tcp or udp port to block
This command is used to block access by destination address and port.
The command accepts a comment allowing a client to document why the block is being applied.
Possible responses:
- <timestamp> <cookie> droptcpdsthostport [-]
- <timestamp> <cookie> droptcpdsthostport-failed [-]
Here's an example droptcpdsthostport command:
droptcpdsthostport 1102 128.203.111.2 443 - Rod disabling https until this server can be patched .

The response might be:
1143084820.839264 1102 droptcpdsthostport
droptcpport cookie port [-]
dropudpport cookie port [-]
- cookie is a 32-bit unsigned value
- port is the tcp or udp port to block
This command is used to block access by port.
The command accepts a comment allowing a client to document why the block is being applied.
Possible responses:
- <timestamp> <cookie> droptcpportdrop [-]
- <timestamp> <cookie> dropudpportdrop [-]
- <timestamp> <cookie> droptcpport-failed [-]
- <timestamp> <cookie> dropudpport-failed [-]
Here's an example droptcpport command:
droptcpport 4042322056 80 - Rod disabling http until web servers can be patched .

The response might be:
1143084820.839264 4042322056 droptcpport
help cookie
- cookie is a 32-bit unsigned value
This command returns a command summary.
Response:
- <timestamp> <cookie> help [-]
listacl cookie acl
- cookie is a 32-bit unsigned value
- acl is the name of the ACL
This command is used to list the contents of the ACL.
Possible responses:
- <timestamp> <cookie> listacl [-]
- <timestamp> <cookie> listacl-failed [-]
Here's an example listacl report:
1024631592.946718 107775 listacl - 1000 56 blockhost 194.117.194.120 1001 0 blockhost 207.45.69.69 1004 2 blockhost 202.96.113.20 1005 89 blocknet 64.154.61.0/24 1010 58 blockhost 210.233.49.116 1031 0 blockhost 212.139.3.131 1042 0 blockhost 212.139.3.132 1045 0 blockhost 209.61.194.83 1046 341 blockhost 192.102.234.119 1051 174 blockhost 128.218.182.205 1052 829 blockhost 193.251.23.218 .

The first number is the sequence number (or 0 if the router does not use sequence numbers). The second number is the count of how many times the ACL has matched a packet (or 0 if the router does not know).
If it blocked address is a network, its mask is displayed as a width (for example 64.154.61.0/24).
prefix cookie addr name [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to add
- name is the name of the prefix list
This command is used to add an address to the prefix list.
Possible responses:
- <timestamp> <cookie> prefix [-]
- <timestamp> <cookie> prefix-failed [-]
Here's an example prefix command:
prefix 1612 212.139.7.141 WAF - New webserver .

The response might be:
1542590308.111427 1612 prefix

or:
1542590308.111427 1612 prefix - 212.139.7.141 is already a member of WAF .
noprefix cookie addr name [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to remove
- name is the name of the prefix list
This command is used to remove an address from the prefix list.
Possible responses:
- <timestamp> <cookie> noprefix [-]
- <timestamp> <cookie> noprefix-failed [-]
Here's an example noprefix command:
noprefix 1612 212.139.7.141 WAF - Retire webserver .

The response might be:
1542590308.111427 1612 noprefix

or:
1542590308.111427 1612 noprefix - 212.139.7.141 is not a member of WAF .
listprefix cookie name
- cookie is a 32-bit unsigned value
- name is the name of the prefix list
This command is used to list the contents of a prefix list.
Possible responses:
- <timestamp> <cookie> listaprefix [-]
- <timestamp> <cookie> listaprefix-failed [-]
Here's an example listprefix report:
1024631592.946718 107775 listprefix - 1031 0 blockhost 212.139.3.131 1042 0 blockhost 212.139.3.132 1045 0 blockhost 212.139.7.80 1045 0 blockhost 212.139.7.19 1045 0 blockhost 212.139.7.140 .
listroute cookie
- cookie is a 32-bit unsigned value
This command is used to list the routes.
Possible responses:
- <timestamp> <cookie> listroute [-]
- <timestamp> <cookie> listroute-failed [-]
Here's an example listroute report:
1147222080.950994 903041 listroute - D 0.0.0.0 172.16.100.1 D 172.16.111.0/24 172.16.100.2 D 172.16.112.0/24 172.16.100.2 D 172.16.113.0/24 172.16.100.2 I 172.16.114.0/24 I 172.16.115.0/24 I 172.16.116.0/24 S 172.16.116.128/23 172.16.116.90 N 172.16.116.54 N 172.16.116.54 D 172.16.117.0/24 172.16.100.4 D 172.16.118.0/24 172.16.100.4 D 172.16.119.0/24 172.16.100.4 .

First is a character that describes the route type:
Static
Dynamic
Interface
Null zero

Next is the destination address or network. Last is the optional gateway address or network.
nonullzero cookie addr [-]
nonullzero cookie addr/netwidth [-]
nonullzero cookie addr netmask [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to remove the null zero route for
- netwidth is an optional network width (e.g. 131.243.1.0/24)
- netmask is an optional network mask (e.g. 255.255.255.0
- optional multi-line text is logged
This command is used to remove a null zero route for a host.
The command accepts a comment allowing a client to document why the null zero route is being removed.
Possible responses:
- <timestamp> <cookie> nonullzero [-]
- <timestamp> <cookie> nonullzero-failed [-]
nofilter cookie addr [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to remove from the filter list
- optional multi-line text is logged
This command is used to filter block access by address.
The command accepts a comment allowing a client to document why the filter is being removed.
Possible responses:
- <timestamp> <cookie> nofilter [-]
- <timestamp> <cookie> nofilter-failed [-]
Here's an example nofilter command:
nofilter 123 198.137.240.92

The response might be:
1273273238.702409 123 nofilter

or:
1273273238.702409 123 nofilter - 198.137.240.92 not found .
nullzero cookie addr [-]
nullzero cookie addr/netwidth [-]
nullzero cookie addr netmask [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to create a null zero route for
- netwidth is an optional network width (e.g. 131.243.1.0/24)
- netmask is an optional network mask (e.g. 255.255.255.0
- optional multi-line text is logged
This command is used to isolate a host by installing a null zero route for it.
The command accepts a comment allowing a client to document why the null zero route is being installed.
Possible responses:
- <timestamp> <cookie> nullzero [-]
- <timestamp> <cookie> nullzero-failed [-]
Here's an example nullzero command:
nullzero 16711728 212.139.15.101 - Infected with a virus .

The response might be:
1143685680.182807 16711728 nullzero

or:
1143685680.182807 16711728 nullzero - Note: There is already a null zero route for 212.139.15.101 .
permittcpdsthostport cookie addr port [-]
permitudpdsthostport cookie addr port [-]
- cookie is a 32-bit unsigned value
- addr is the ip address
- port is the tcp port
This command is used to install an exception for a specific host and tcp port.
The command accepts a comment allowing a client to document why the acl is being installed.
Possible responses:
- <timestamp> <cookie> permittcpdsthostport [-]
- <timestamp> <cookie> permittcpdsthostport-failed [-]
filter cookie addr [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to add to the filter list
- optional multi-line text is logged
This command is used to filter block access by address.
The command accepts a comment allowing a client to document why the filter is being applied.
Possible responses:
- <timestamp> <cookie> filter [-]
- <timestamp> <cookie> filter-failed [-]
Here's an example filter command:
filter 123 198.137.240.92 - block port scanner .

The response might be:
1273273238.702409 123 filter

or:
1273273238.702409 123 filter - Note: 198.137.240.92 is already filtered .
query cookie addr
query cookie addr/netwidth
query cookie addr netmask
- cookie is a 32-bit unsigned value
- addr is the ip address to query
- netwidth is an optional network width (e.g. 131.243.1/24)
- netmask is an optional network mask (e.g. 131.243.1 255.255.255.0)
This command is used to determine if an address is blocked or not.
Possible responses:
- <timestamp> <cookie> query [-]
- <timestamp> <cookie> query-failed [-]
Here's an example query report:
1024632280.869878 123401 query - acl OUTSIDE 1002 45 blockhost 64.111.222.33 .

The first line documents which ACL the rule is in. The second line is the same as the listacl report would show.
queryfilter cookie addr [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to add to check
- optional multi-line text is logged
This command is used to check for filter block memmbership by address.
Possible responses:
- <timestamp> <cookie> queryfilter [-]
- <timestamp> <cookie> queryfilter-failed [-]
Here's an example queryfilter command:
queryfilter 198.137.240.98

The response might be:
1273273238.702409 123 queryfilter - 198.137.240.98 .

or:
1273273238.702409 123 queryfilter-failed - 131.243.2.202 not found .
querynullzero cookie addr [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to add to check
- optional multi-line text is logged
This command is used to check an address for memmbership on the null zero list.
Possible responses:
- <timestamp> <cookie> querynullzero [-]
- <timestamp> <cookie> querynullzero-failed [-]
Here's an example querynullzero command:
querynullzero 198.137.240.98

The response might be:
1273273238.702409 123 querynullzero

or:
1273273238.702409 123 querynullzero - Note: 198.137.240.98 is already nullzero routed .
querywhitelist cookie addr
querywhitelist cookie addr/netwidth
querywhitelist cookie addr netmask
- cookie is a 32-bit unsigned value
- addr is the ip address to check
- netwidth is an optional network width (e.g. 131.243.1/24)
- netmask is an optional network mask (e.g. 131.243.1 255.255.255.0)
This command is used to determine if an address or network is on the whitelist.
Possible responses:
- <timestamp> <cookie> querywhitelist [-]
- <timestamp> <cookie> querywhitelist-failed [-]
Here's an example querywhitelist report:
1208125354.869878 66580 querywhitelist - 172.16.192.177 .

This shows that the requested address is on the whitelist. If the specified address was whitelisted by a network rule, the network and mask would have been displayed.
reload cookie
- cookie is a 32-bit unsigned value
This command requests that the daemon kill expect child process, reload the daemon configuration file and restart the child process.
Note that as a side effect, all client connections are terminated.
Response:
- <timestamp> <cookie> reload [-]
remwhitelist cookie addr [-]
remwhitelist cookie addr/netwidth [-]
remwhitelist cookie addr netmask [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to block
- netwidth is an optional network width (e.g. 131.243.1.0/24)
- netmask is an optional network mask (e.g. 255.255.255.0
- optional multi-line text is logged
This command is used to remove a whitelist address or network.
The command accepts a comment allowing a client to document why the entry is being removed.
Possible responses:
- <timestamp> <cookie> remwhitelist [-]
- <timestamp> <cookie> remwhitelist-failed [-]
restore cookie addr [-]
restore cookie addr/netwidth [-]
restore cookie addr netmask [-]
- cookie is a 32-bit unsigned value
- addr is the ip address to unblock
- netwidth is an optional network width (e.g. 131.243.1.0/24)
- netmask is an optional network mask (e.g. 131.243.1 255.255.255.0)
- optional multi-line text is logged
This command is used to unblock access by address.
The command accepts a comment allowing a client to document why the block is being lifted.
Possible responses:
- <timestamp> <cookie> restore [-]
- <timestamp> <cookie> restore-failed [-]
restorehosthost cookie addr1 addr2 [-]
- cookie is a 32-bit unsigned value
- addr1 and addr2 is the ip address pair to unblock
- optional multi-line text is logged
This command is used to remove a address pair block.
The command accepts a comment allowing a client to document why the block is being lifted.
Possible responses:
- <timestamp> <cookie> restorehosthost [-]
- <timestamp> <cookie> restorehosthost-failed [-]
restoretcpdsthostport cookie addr port [-]
restoreudpdsthostport cookie addr port [-]
- cookie is a 32-bit unsigned value
- addr is the ip address
- port is the tcp port
- optional multi-line text is logged
This command is used to unblock access by port.
The command accepts a comment allowing a client to document why the block is being lifted.
Possible responses:
- <timestamp> <cookie> restoretcpdsthostport [-]
- <timestamp> <cookie> restoretcpdsthostport-failed [-]
restoretcpport cookie port [-]
restoreudpport cookie port [-]
- cookie is a 32-bit unsigned value
- port is the tcp or udp port to unblock
- optional multi-line text is logged
This command is used to unblock access by port.
The command accepts a comment allowing a client to document why the block is being lifted.
Possible responses:
- <timestamp> <cookie> restoretcpport [-]
- <timestamp> <cookie> restoreudpport [-]
- <timestamp> <cookie> restoretcpport-failed [-]
- <timestamp> <cookie> restoreudpport-failed [-]
state cookie
- cookie is a 32-bit unsigned value
This command requests the ACL blocker to report on its current state.
Possible responses:
- <timestamp> <cookie> state [-]
- <timestamp> <cookie> state-failed [-]
Here's an example state report:
1024631592.946718 107774 state - # state loggedin # version 0.2 # config "/usr/local/etc/acld.conf" router "10.0.0.2" expect "/usr/local/bin/expect" script "cisco8500.expect" whitelist "whitelist.txt" port 1776 netsfac local1 sync_secs 86400 incrseq 1 seqrange 5000 65000 maxseq 7600 # lastseq for ACL LOCAL is 5495 # lastseq for ACL OUTSIDE is 46490 # acllen for ACL LOCAL is 56 # acllen for ACL OUTSIDE is 1973 # whitelistlen 369 acl LOCAL 128.3.0.0/16 acl OUTSIDE default interface gigabitethernet 0/0 OUTSIDE interface gigabitethernet 0/2 LOCAL nullzeronet 128.3.0.0/16 nullzeronet 192.16.0.0/16 nullzeromax 8000 # nullzerolen is 15 .

The ACL blocker is using the expect script "cisco8500.expect" and ip address 10.0.0.2 to communicate with the router.
unpermittcpdsthostport cookie addr port [-]
unpermitudpdsthostport cookie addr port [-]
- cookie is a 32-bit unsigned value
- addr is the ip address
- port is the tcp port
- optional multi-line text is logged
This command is used to remove an exception for a specific host and tcp port.
The command accepts a comment allowing a client to document why the acl is being removed. why the block is being lifted.
Possible responses:
- <timestamp> <cookie> unpermittcpdsthostport [-]
- <timestamp> <cookie> unpermittcpdsthostport-failed [-]

Expect script summary

Command Arguments

drop
restore
addr acl seq
addr/netwidth acl seq

blockhosthost
restorehosthost
addr1 addr2

droptcpport
dropudpport
restoretcpport
restoreudpport port acl seq

droptcpdsthostport
dropudpdsthostport
permittcpdsthostport
permitudpdsthostport
restoretcpdsthostport
restoreudpdsthostport
unpermittcpdsthostport
unpermitudpdsthostport
addr port acl seq

nonullzero
nullzero
addr
addr/netwidth

login addr cuser cpass1 cpass2 euser epass1 epass2

listacl acl interface

ayt
listroute
logout
sync

Command	Arguments
drop restore	addr acl seq addr/netwidth acl seq
blockhosthost restorehosthost	addr1 addr2
droptcpport dropudpport restoretcpport restoreudpport	port acl seq
droptcpdsthostport dropudpdsthostport permittcpdsthostport permitudpdsthostport restoretcpdsthostport restoreudpdsthostport unpermittcpdsthostport unpermitudpdsthostport	addr port acl seq
nonullzero nullzero	addr addr/netwidth
login	addr cuser cpass1 cpass2 euser epass1 epass2
listacl	acl interface
ayt listroute logout sync

Expect script details

This is a really low level interface and does not contain features of the higher level interface such as timestamps.

The following expect procedures must be defined before the ACL blocker can support a router:

ayt {}
This procedure is used check if the router still responds to commands.
Possible return statuses:
- ayt [-]
- ayt-failed [-]
drop { addr acl seq }
drop { addr/netwidth acl seq }
- addr is the ip address to block
- netwidth is an optional network width (e.g. 131.243.1.0/24)
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to add a block for an ip address on an ACL.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Add the rule to the ACL
Possible return statuses:
- drop [-]
- drop-failed [-]
blockhosthost { addr1 addr2 acl seq }
- addr1 and addr2 is the ip address pair to block
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to add a block on an ACL for an ip address pair.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Add the rule to the ACL
Possible return statuses:
- blockhosthost [-]
- blockhosthost-failed [-]
droptcpdsthostport { addr port acl seq }
dropudpdsthostport { addr port acl seq }
- addr is the ip address
- port is the tcp port
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to block a destination host port pair.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Add the rule to the ACL
Possible return statuses:
- droptcpdsthostport [-]
- droptcpdsthostport-failed [-]
droptcpport { port acl seq }
dropudpport { port acl seq }
- port is the port to block
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to add a block for a tcp or udp port on an ACL.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Add port to the ACL
Possible return statuses:
- droptcpport [-]
- dropudpport [-]
- droptcpport-failed [-]
- dropudpport-failed [-]
listacl { acl interface }
- acl is the name of the ACL
- interface is the name of the interface
This procedure is used to list the contents of the ACL.
Possible return statuses:
- listacl [-]
- listacl-failed [-]
Here's an example listacl report:
1542589369.384214 998 listacl - listacl - 10 12 blockhost 194.117.194.120 15 0 blockhost 207.45.69.69 20 2 blockhost 202.96.113.20 25 0 blocknet 64.154.61.0/24 30 58 blockhost 210.233.49.116 35 0 blockhost 212.139.3.131 40 0 blockhost 212.139.3.132 45 0 blockhost 209.61.194.83 50 341 blockhost 192.102.234.119 55 174 blockhost 128.218.182.205 60 829 blockhost 193.251.23.218 65535 0 permitany .

The first number is the sequence number (or 0 if the router does not use sequence numbers). The second number is the count of how many times the ACL has matched a packet.
listroute { }
This procedure is used to list routes.
Possible return statuses:
- listroute [-]
- listroute-failed [-]
Here's an example listroute report:
1542589401.194341 16 listroute - D 0.0.0.0 172.16.100.1 D 172.16.111.0/24 172.16.100.2 D 172.16.112.0/24 172.16.100.2 D 172.16.113.0/24 172.16.100.2 I 172.16.114.0/24 I 172.16.115.0/24 I 172.16.116.0/24 S 172.16.116.128/23 172.16.116.90 N 172.16.116.54 N 172.16.116.54 D 172.16.117.0/24 172.16.100.4 D 172.16.118.0/24 172.16.100.4 D 172.16.119.0/24 172.16.100.4 .

See the listroute command for a description of the output format.
login { addr cuser cpass1 cpass2 euser epass1 epass2 }
- addr is the ip address of the router
- cuser is the connect username
- cpass1 is the primary connect password
- cpass2 is the backup connect password
- euser is the enable username
- epass1 is the primary enable password
- epass2 is the backup enable password
This procedure is used to login to the router. If the ACL blocker is not currently logged in, it will attempt to login. If it is already is logged in, it will logout and then login again.
The login procedure uses two connect and two enable passwords. If the primary password fails, the backup password is tried. This allows router passwords to be changed without a window of vulnerability.
Note that using more than two passwords can make the expect scripts more complicated (e.g. Ciscos terminate the telnet connection after three connect password failures).
Possible return statuses:
- login [-]
- login-failed [-]
logout {}
This procedure is used to logout of the router.
The child process is killed and cleaned up after.
Possible return statuses:
- logout [-]
- logout-failed [-]
nonullzero { addr }
nonullzero { addr/netwidth }
- addr is the ip address to remove the null zero route for
- netwidth is an optional network width (e.g. 131.243.1.0/24)
This procedure is used to remove a null zero route for a host.
This is implemented by these steps:
- If necessary, enter configure mode
- Remove the static null zero route
Possible return statuses:
- nonullzero [-]
- nonullzero-failed [-]
nullzero { addr }
nullzero { addr/netwidth }
- addr is the ip address to create a null zero route for
- netwidth is an optional network width (e.g. 131.243.1.0/24)
This procedure is used to isolate a host by installing a null zero route for it.
This is implemented by these steps:
- If necessary, enter configure mode
- Add a static null zero route
Possible return statuses:
- nullzero [-]
- nullzero-failed [-]
permittcpdsthostport { addr port acl seq }
permitudpdsthostport { addr port acl seq }
- addr is the ip address
- port is the tcp port
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to install an exception for a specific host and tcp port in an ACL.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Add the rule to the ACL
Possible return statuses:
- permittcpdsthostport [-]
- permittcpdsthostport-failed [-]
restore { addr acl seq }
restore { addr/netwidth acl seq }
- addr is the ip address to unblock
- acl is the name of the ACL
- netwidth is an optional network width (e.g. 131.243.1.0/24)
- seq is the sequence number in the access list
This procedure is used to remove a block for an ip address on an ACL.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Remove the rule from the ACL
Possible return statuses:
- restore [-]
- restore-failed [-]
restorehosthost { addr1 addr2 acl seq }
- addr1 and addr2 is the ip address pair to unblock
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to remove a block on an ACL for an ip address pair.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Remove the rule from the ACL
Possible return statuses:
- restorehosthost [-]
- restorehosthost-failed [-]
restoretcpdsthostport { addr port acl seq }
restoreudpdsthostport { addr port acl seq }
- addr is the ip address
- port is the tcp port
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to remove a destination host port pair block.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Remove address and port form the ACL
Possible return statuses:
- restoretcpdsthostport [-]
- restoretcpdsthostport-failed [-]
restoretcpport { port acl seq }
restoreudpport { port acl seq }
- port is the port to unblock
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to remove a block for a tcp or udp port in an ACL.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Remove the rule from the ACL
Possible return statuses:
- restoretcpport [-]
- restoreudpport [-]
- restoretcpport-failed [-]
- restoreudpport-failed [-]
sync {}
This procedure does whatever is necessary to save recent changes made to the router.
This is implemented by these steps:
- Router configuration changes are committed to nonvolatile memory
  For example, "write memory" on a Cisco or "copy running-config startup-config on a Force 10
Possible return statuses:
- sync [-]
- sync-failed [-]
unpermittcpdsthostport { addr port acl seq }
unpermitudpdsthostport { addr port acl seq }
- addr is the ip address
- port is the tcp port
- acl is the name of the ACL
- seq is the sequence number in the access list
This procedure is used to remove an exception for a specific host and tcp port in an ACL.
This is implemented by these steps:
- If necessary, enter ACL configure mode
- Remove address and port from the ACL
Possible return statuses:
- unpermittcpdsthostport [-]
- unpermittcpdsthostport-failed [-]

Implementation details

When the ACL blocker starts up it:

Reads the configuration file(s) which tell it:
- The router ip address
- The router username(s) and passwords (up to two connect and two enable)
- The router expect script
- The local port to listen for clients
- ACL configuration (ACL names, network/netmask list and interface/acl assignments)
- The number of seconds between sync commands
- The minimum and maximum sequence numbers to use
Connects to the router, logs in and gains privileges
Fetches the contents of each configured ACL
Fetches the route list
Loops waiting for client requests
Periodically check to make sure the router is still responsive to commands
Periodically tell the router to save its configuration to nonvolatile memory