To reduce the amount of time necessary to install host block ACLs on the
router, a persistent connection is kept open.

- acl
  Associate ACL names with networks, for example:

      acl LOCAL 10.0.0.0/16
      acl LOCAL 192.1.100.0/24
      acl LOCAL6 2009:900:0A32::/48
      acl BRO 0.0.0.0/0
      acl BRO6 ::/0

  These are used to determine which ACL to add or remove blocks from.
  At least one ACL must be specified.
- attr
  Specify one or more ACL attributes. Currently this is only used to
  identify IPv6 ACLs, which require special handling by the router.
  Examples:

      attr LOCAL6 ipv6
      attr BRO6 ipv6

- ayt_secs
  Specify the number of seconds between checks to make sure the router
  is still alive, for example:

      ayt_secs 120

  This option defaults to 600 seconds. Setting it to zero disables the
  feature.

- bindaddr
  Specify the local address to bind to, for example:

      bindaddr 0.0.0.0

  This option defaults to 127.0.0.1.

- broaddr
  Specify the local address to bind to for Broccoli requests, for
  example:

      broaddr 0.0.0.0

  This option defaults to the address used for bindaddr.

- cforceaddr
  Specify the IP address or hostname used to connect to the cForce
  blocking appliance, as a string, for example:

      cforceaddr "10.10.10.99"

  This option is required when using a cForce blocking appliance.
- cforcedata
  Configure the data file used to store persistent cForce blocking
  appliance block information, for example:

      cforcedata "/var/tmp/cforce.data"

  This file contains a copy of the block information in the cForce
  appliance and is used to restore state to the appliance at startup.
  This option defaults to /var/run/cforce.data.

- cpass1
  Specify the primary connect password, for example:

      cpass1 "easypass"

- cpass2
  Specify the backup connect password. This is tried if logging in
  with the primary connect password fails.

- cuser
  Specify the connect username, for example:

      cuser "admin"

- epass1
  Specify the primary enable password.

- epass2
  Specify the backup enable password.

- euser
  Specify the enable username.

- expect
  Configure the path to the expect binary, for example:

      expect "/usr/local/bin/expect"

  This option is required when using a router.
- incrseq
  If true (1), new sequence numbers are incremented. If false (0), new
  sequence numbers are decremented. By default, new sequence numbers
  are incremented.

- id
  Specify an optional word to be added to the nets_log() output, for
  example:

      id "wireless"

  adds

      id=wireless

  to each nets_log() syslog line.

- ipv4_width
  Set the widest IPv4 CIDR block that can be dropped. By default, /24
  CIDR blocks may be dropped. This may not be set lower than /16.

- ipv6_width
  Set the widest IPv6 CIDR block that can be dropped. By default, /64
  CIDR blocks may be dropped. This may not be set lower than /32.

- interface
  Associate interface names with ACL names, for example:

      interface fastether 0/0 BRO
      interface fastether 0/1 LOCAL

- limit
  Create a group of ACLs that have a combined limit on the maximum
  number of acls. Some routers constrain the maximum number of acls on
  a per-slot or per-blade basis, and this option allows corresponding
  ACL limits to be set. For example, if the ACLs LOCAL and BRO are
  subject to one limit and LOCAL6 and BRO6 to another, you might use
  the following:

      limit 3000 LOCAL BRO
      limit 1500 LOCAL6 BRO6

- login_secs
  Specify the number of seconds between login attempts, for example:

      login_secs 10

  This option may not be set to zero.

- maxseq
  Configure the maximum number of rules per ACL that will be used, for
  example:

      maxseq 7600

  New acls will be refused once this limit has been reached. It's
  possible to see the current ACL size for each configured ACL by
  looking at the acllen comment line in the output from the state
  command.
- netsfac
  Configure the syslog() facility to use with nets_log(), for example:

      netsfac local0

  This selects local0. The default is daemon.

- nullzeromax
  Configure the maximum number of nullzero routes that will be used,
  for example:

      nullzeromax 5000

  New nullzero routes will be refused once this limit has been reached.
  It's possible to see the current number of nullzero routes by looking
  at the nullzerolen comment line in the output from the state command.

- nullzeronet
  Configure a network (with mask) that is allowed to have nullzero
  routes. For example:

      nullzeronet 10.0.0.0/24
      nullzeronet 192.1.100.36/30

  If there are no nullzeronet statements in the config, any address may
  be added, subject to a maximum mask width of /24 (and the whitelist
  check). It's possible to see the list of nullzeronets by looking at
  the nullzeronet lines in the output from the state command.

- permithostportseqrange
  Configure the lowest and highest sequence numbers that will be used
  for permit host port acls. If these are not configured, the
  permittcphostport and unpermittcphostport commands will be disabled.

- port
  Specify the local port to listen on for clients, for example:

      port 666

  This option is required and may not be set to zero.

- portbro
  Specify the port to listen on for Broccoli requests.

- portcforce
  Specify the port used to connect to the cForce blocking appliance.
  This option is required when using a cForce blocking appliance.

- portro
  Specify the local port to listen on for read-only clients. Clients
  connecting to this port will not be able to issue requests that
  change anything. This option is optional and has the same syntax as
  the port option.
- portseqrange
  Configure the lowest and highest sequence numbers that will be used
  for port blocks. If these are not configured, the dropudpport,
  restoreudpport, droptcpport and restoretcpport commands will be
  disabled.

- portweb
  Specify the local port to listen on for web registration clients.
  Clients connecting to this port will only be able to issue
  permittcpdsthostport and unpermittcpdsthostport requests for ports
  80 and 443. This option is optional and has the same syntax as the
  port option.

- router
  Configure the router hostname or IP address, for example:

      router "10.0.0.1"

  This option is required when using a router.

- script
  Specify the expect script to use, for example:

      script "force10.expect"

  This option is required when using a router.

- select_secs
  Specify the default number of seconds in the select loop, for
  example:

      select_secs 300

  This option defaults to 600 seconds and may not be set to zero.

- seqrange
  Configure the lowest and highest sequence numbers that will be used
  for host blocks, for example:

      seqrange 30000 65500

- sync_secs
  Specify the default number of seconds in the select loop, for
  example:

      sync_secs 1200

  This option defaults to 1800 seconds and can be set to zero if the
  feature is not desired.

- whitelist
  Configure the path to the whitelist file, which is used to specify
  hosts and networks which may not be dropped or null zero routed. For
  example:

      whitelist "whitelist.txt"

  The format of the whitelist file is one address or network (with
  width) per line. Lines beginning with '#' are treated as comments.
  It's possible to display the current whitelist with the whitelist
  command.
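The following Python script is an added example, not part of this manual page or of the software it documents. It parses a constructed config file written in the keyword/value syntax described above, checks the constraints the page states (at least one acl; port present and non-zero; login_secs non-zero; the /16 and /32 floors on ipv4_width and ipv6_width; attr, interface and limit names referring to defined ACLs; expect and script present when a router is configured; cforceaddr and portcforce given together), and then applies the width and whitelist checks to sample drop and nullzero requests. Two points are assumptions rather than documented behaviour: that '#' starts a comment in the config file (the page only says so for the whitelist file), and that when nullzeronet statements exist a nullzero route must fall inside one of them.

```python
import ipaddress
from collections import defaultdict

# Constructed sample config in the documented "keyword value..." syntax.
# ASSUMPTION: '#' comments are honoured in the config file as well.
SAMPLE_CONFIG = """\
acl LOCAL 10.0.0.0/16
acl LOCAL6 2009:900:0A32::/48
acl BRO 0.0.0.0/0
attr LOCAL6 ipv6
interface fastether 0/0 BRO
limit 3000 LOCAL BRO
port 666
login_secs 10
ipv4_width 24
nullzeronet 10.0.0.0/24
router "10.0.0.1"
expect "/usr/local/bin/expect"
script "force10.expect"
"""

# Constructed whitelist file: one address or network per line, '#' comments.
SAMPLE_WHITELIST = "# hosts that may never be dropped\n10.0.0.1\n10.0.5.0/24\n"


def parse_config(text):
    """Map each keyword to a list of value-token lists; quotes are stripped."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *vals = line.split()
            cfg[key].append([v.strip('"') for v in vals])
    return cfg


def validate(cfg):
    """Return a list of the documented constraints the config violates."""
    problems = []
    acls = {vals[0] for vals in cfg.get("acl", [])}
    if not acls:
        problems.append("at least one acl must be specified")
    if not cfg.get("port") or int(cfg["port"][0][0]) == 0:
        problems.append("port is required and may not be set to zero")
    if cfg.get("login_secs") and int(cfg["login_secs"][0][0]) == 0:
        problems.append("login_secs may not be set to zero")
    for key, floor in (("ipv4_width", 16), ("ipv6_width", 32)):
        if cfg.get(key) and int(cfg[key][0][0]) < floor:
            problems.append(f"{key} may not be set lower than /{floor}")
    for vals in cfg.get("attr", []):          # attr NAME attribute...
        if vals[0] not in acls:
            problems.append(f"attr refers to unknown acl {vals[0]}")
    for vals in cfg.get("interface", []):     # interface NAME... ACL
        if vals[-1] not in acls:
            problems.append(f"interface refers to unknown acl {vals[-1]}")
    for vals in cfg.get("limit", []):         # limit N ACL...
        problems += [f"limit refers to unknown acl {n}" for n in vals[1:] if n not in acls]
    if "router" in cfg:
        problems += [f"{k} is required when using a router" for k in ("expect", "script") if k not in cfg]
    if ("cforceaddr" in cfg) != ("portcforce" in cfg):
        problems.append("cforceaddr and portcforce are both required for a cForce appliance")
    return problems


def parse_whitelist(text):
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in text.splitlines() if l.strip() and not l.startswith("#")]


def whitelisted(net, whitelist):
    return any(net.version == w.version and net.overlaps(w) for w in whitelist)


def check_block(cfg, whitelist, target):
    """Apply the ipv4_width/ipv6_width and whitelist checks to a drop request."""
    net = ipaddress.ip_network(target, strict=False)
    key, default = ("ipv4_width", 24) if net.version == 4 else ("ipv6_width", 64)
    width = int(cfg[key][0][0]) if cfg.get(key) else default
    if net.prefixlen < width:
        return False, f"/{net.prefixlen} is wider than the configured /{width}"
    if whitelisted(net, whitelist):
        return False, "overlaps the whitelist"
    return True, "ok"


def check_nullzero(cfg, whitelist, target):
    """Apply the /24 maximum width, nullzeronet (ASSUMPTION: route must lie
    inside a configured nullzeronet) and whitelist checks to a nullzero request."""
    net = ipaddress.ip_network(target, strict=False)
    if net.prefixlen < 24:
        return False, "wider than the /24 maximum mask width"
    allowed = [ipaddress.ip_network(v[0], strict=False) for v in cfg.get("nullzeronet", [])]
    if allowed and not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "not inside any nullzeronet"
    if whitelisted(net, whitelist):
        return False, "overlaps the whitelist"
    return True, "ok"


if __name__ == "__main__":
    cfg, wl = parse_config(SAMPLE_CONFIG), parse_whitelist(SAMPLE_WHITELIST)
    print("config problems:", validate(cfg) or "none")
    for t in ("10.0.1.5", "10.0.5.7", "10.0.0.0/20"):
        print("drop", t, check_block(cfg, wl, t))
    for t in ("10.0.0.77", "10.0.0.1", "10.9.9.9"):
        print("nullzero", t, check_nullzero(cfg, wl, t))
```

Running the script reports no problems for the sample config, rejects the /20 request (wider than the /24 ipv4_width), rejects 10.0.5.7 (inside the whitelisted 10.0.5.0/24) and rejects the nullzero request for 10.9.9.9 (outside every nullzeronet). Only the checks the page documents are implemented; sequence-number ranges and ACL length limits are not modelled.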