@(#) $Id: INSTALL 736 2011-05-18 23:00:13Z leres $ (LBL)
To build acld run ./configure (a shell script) and then use make
to compile the binary.
To use acld you will need to build and install expect. The one in
FreeBSD's /usr/ports works nicely:
/usr/ports/lang/expect
The expect language port depends on tk/tcl.
acld.conf.sample shows a setup for a Force 10 router. Force 10
routers support individual user accounts; create an acld user using:
conf
username acld password 0 CLEARTEXTPASS privilege 15
exit
copy running-config startup-config
If you later need to change the password, use:
username acld password 0 CLEARTEXTPASS
The force10 expect script uses a program called socket to connect
to acld. It's available as a FreeBSD port
/usr/ports/sysutils/socket
or can be downloaded here:
http://wolfram.schneider.org/src/socket-1.1.tar.gz
On a cisco, you need to configure both the connect and enable
passwords.
Communication using Broccoli is supported; it can be downloaded
from here:
http://www.icir.org/christian/downloads/
Broccoli support is enabled if broccoli-config is found on PATH.
You can force support to be enabled using:
./configure --with-broccoli
This has the advantage that configure will abort if it can't find
Broccoli.
Note that there's a bug in Broccoli 1.5.0 and earlier that prevents
the use of empty passphrases with openssl certificates. Included
with this distribution is a patch that fixes this Broccoli bug:
patch-broccoli-1.5.0-src-bro_lexer.l
When acld includes Broccoli support, it can field events generated
by Bro to block hosts. A Bro module called acld.bro is included
that provides functions acld::acld_block() and acld::acld_unblock()
to block and unblock hosts. It also provides an event handler called
acld::acld_reply() that can be used by Bro to learn the result of
a request. For example, an unblock might have failed or a block might have
succeeded but the host might have already been blocked.
Finally, aclc is a Broccoli program that can be used from the command
line. It pretty much can do everything the acl.exp script does.
When using acld with Broccoli between hosts, it's recommended that
you use ssl. Here are quick start instructions.
Start by downloading and installing create-cert:
ftp://ee.lbl.gov/create-cert.tar.gz
This is a script that uses openssl(1) to create self-signed host
certificates and private keys. It shields you from the many questions
openssl asks and instead stores the answers in a configuration file.
Once this is installed on the server machine (where acld will run),
create a self-signed rootca and server and client keys:
mkdir -p /usr/local/etc/acld-certs/run
chown nobody:nobody /usr/local/etc/acld-certs/run
cd /usr/local/etc/acld-certs
% Create default config
create-cert -I
% Customize config
vi etc/openssl.conf
% Create self-signed rootca
create-cert -R
% Create server and client certs
create-cert server.lbl.gov
create-cert client1.lbl.gov
[etc.]
Unfortunately, Broccoli requires the private key and public host cert
to be in the same file. So there's an extra step:
% cat private/server.lbl.gov.key certs/server.lbl.gov.pem > \
private/server.lbl.gov.key+crt
% cat private/client1.lbl.gov.key certs/client1.lbl.gov.pem > \
private/client1.lbl.gov.key+crt
Copy the client key and everything in the certs directory to the
client:
rdist -R -c \
/usr/local/etc/acld-certs/private/client1.lbl.gov.key \
/usr/local/etc/acld-certs/private/client1.lbl.gov.key+crt \
/usr/local/etc/acld-certs/certs \
client1.lbl.gov
On the acld server, configure broccoli.conf with something similar
to:
/broccoli/use_ssl yes
/broccoli/ca_cert /usr/local/etc/acld-certs/certs/rootca.pem
/broccoli/host_cert /usr/local/etc/acld-certs/private/server.lbl.gov.key+crt
/broccoli/host_pass ""
On a client host that will (for example) run aclc, use:
/broccoli/use_ssl yes
/broccoli/ca_cert /usr/local/etc/acld-certs/certs/rootca.pem
/broccoli/host_cert /usr/local/etc/acld-certs/private/client1.lbl.gov.key+crt
/broccoli/host_pass ""
On a client host that will run Bro, use:
redef ssl_ca_certificate = "/usr/local/etc/acld-certs/certs/rootca.pem";
redef ssl_private_key = "/usr/local/etc/acld-certs/private/client1.lbl.gov.key+crt";
redef ssl_passphrase = "";
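A pre-flight check for the combined key+crt files and the broccoli.conf settings described above, added here as an example and not part of the acld distribution. It assumes the file layout shown in this INSTALL (key first, then cert, as the cat commands produce); the sample files it writes are constructed placeholders, not real keys:

```shell
# Added pre-flight check for the SSL setup above; not part of acld.
# Uses only grep/awk, no openssl: it checks PEM block layout, not validity.

# check_keycrt FILE: exactly one PRIVATE KEY block followed by exactly one
# CERTIFICATE block, the layout "cat private/HOST.key certs/HOST.pem" produces.
check_keycrt() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    keys=$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    begins=$(grep -c -- '-----BEGIN ' "$f" || true)
    ends=$(grep -c -- '-----END ' "$f" || true)
    [ "$keys" -eq 1 ] || { echo "$f: want 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -eq 1 ] || { echo "$f: want 1 certificate, found $certs" >&2; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "$f: unbalanced BEGIN/END" >&2; return 1; }
    keyline=$(grep -n -- '-----BEGIN.*PRIVATE KEY-----' "$f" | cut -d: -f1)
    certline=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | cut -d: -f1)
    [ "$keyline" -lt "$certline" ] || { echo "$f: key must precede cert" >&2; return 1; }
}

# conf_get CONF KEY: value of the first "KEY VALUE" line in a broccoli.conf.
conf_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_broccoli_conf CONF: with /broccoli/use_ssl yes, ca_cert must be
# readable and host_cert must be a combined key+crt file.
check_broccoli_conf() {
    conf=$1
    [ "$(conf_get "$conf" /broccoli/use_ssl)" = yes ] ||
        { echo "$conf: use_ssl is not yes" >&2; return 1; }
    ca=$(conf_get "$conf" /broccoli/ca_cert)
    [ -n "$ca" ] && [ -r "$ca" ] || { echo "$conf: ca_cert unreadable" >&2; return 1; }
    check_keycrt "$(conf_get "$conf" /broccoli/host_cert)"
}

# make_sample DIR: constructed sample files with placeholder PEM bodies (not
# real keys). good.key+crt has the right layout; bad.key+crt is the cert alone
# (cat step skipped); rev.key+crt has the cert before the key.
make_sample() {
    d=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIBOGUS' '-----END RSA PRIVATE KEY-----' > "$d/key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBOGUS' '-----END CERTIFICATE-----' > "$d/cert"
    cat "$d/key" "$d/cert" > "$d/good.key+crt"
    cp "$d/cert" "$d/bad.key+crt"
    cat "$d/cert" "$d/key" > "$d/rev.key+crt"
    cp "$d/cert" "$d/rootca.pem"
    printf '%s\n' '/broccoli/use_ssl yes' "/broccoli/ca_cert $d/rootca.pem" \
        "/broccoli/host_cert $d/good.key+crt" '/broccoli/host_pass ""' > "$d/broccoli.conf"
}
```

Run check_broccoli_conf against the real broccoli.conf on each host before starting acld or aclc; a missing cat step shows up as "want 1 private key, found 0".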
FILES
-----
CHANGES - description of differences between releases
FILES - list of files exported as part of the distribution
INSTALL - this file
Makefile.in - compilation rules (configure script template)
README - description of distribution
VERSION - version of this release
acl.c - ACL manipulation routines (configure script template)
acl.exp.in - acld interface script (configure script template)
acl.h - prototypes, defines and struct definitions
aclc.8 - man page
aclc.c - Broccoli client
aclcompact.sh.in - cron job script to compact acls (configure script template)
acld-init.d.sh.in - Linux /etc/init.d script (configure script template)
acld.8 - man page
acld.bro - Bro interface script
acld.c - main program
acld.conf.sample - sample acld configuration
acld.h - prototypes, defines and struct definitions
acld.sh.in - FreeBSD rc.d script (configure script template)
aclfw.sh.in - rc.d script to restore ipfw blocks on bootup (template)
aclocal.m4 - autoconf macros
broccoli.c - Broccoli routines
broccoli.h - prototypes, defines and struct definitions
cf.c - configuration parsing routines
cf.h - prototypes, defines and struct definitions
cforce.c - cForce blocking appliance routines
cforcep.h - prototypes, defines and struct definitions
check_acld.py.in - nagios acld plugin (configure script template)
child.c - expect process routines
child.h - prototypes, defines and struct definitions
cisco.expect - Cisco version of the expect script
client.c - client routines
client.h - prototypes, defines and struct definitions
config.guess - autoconf support
config.sub - autoconf support
configure - configure script (run this first)
configure.in - configure script source (configure script template)
daemon.c - replacement when libc daemon() is missing
debug.expect - debugging version of the expect script
force10-telnet.expect - Force 10 version of the expect script (telnet)
force10.expect - Force 10 version of the expect script (ssh)
inet_aton.c - replacement when libc inet_aton() is missing
install-sh - BSD style install script
io.c - server routines
io.h - prototypes, defines and struct definitions
ipfw.expect - ipfw version of the expect script
lbl/gnuc.h - gcc macros and defines
mkdep - construct Makefile dependency list
patch-broccoli-1.5.0-src-bro_lexer.l - Broccoli lexer patch
route.c - routing routines
route.h - prototypes, defines and struct definitions
server.c - server routines
server.h - prototypes, defines and struct definitions
setsignal.c - OS independent signal() with BSD semantics
setsignal.h - prototypes, defines and struct definitions
stats.c - statistics routines
stats.h - prototypes, defines and struct definitions
strerror.c - replacement when libc strerror() is missing
timer.c - timer routines
timer.h - prototypes, defines and struct definitions
util.c - utility routines
util.h - prototypes, defines and struct definitions
version.h - prototypes, defines and struct definitions
whitelist.c - whitelist routines
whitelist.h - prototypes, defines and struct definitions