51 Security

Learning, Sharing, Creating

Security

Barracuda Basic Firewall Access-list Policy Lab

Bynetsec

Jan 10, 2023

This post is a continuous post from previous one Barracuda CloudGen Firewall F12 Initial Configuration Lab.

In this post, I am gonna show you how to configure WAN / LAN interfaces, how to create your own forwarding access rule, plus Destination NAT rule. 

Related post:

Topology

 

Online PNG Format Topology Diagram:

Configure Interfaces

In our previous post Barracuda CloudGen Firewall F12 Initial Configuration Lab, we already have configured our mgmt port , Port 1. Now, based on our topology, we are going to configure other two ports:
  • LAN – Port 2
  • WAN – Port 4

Go to Configuration – IP Configuration – Shared Networks and IPs:

Add LAN and WAN interfaces in with corresponding configuration:
For easy troubleshooting purpose, don’t forget enable the option: Responds to ping, when you are configuring LAN/WAN port. That will make your firewall LAN/WAN port ping-able. 

Firewall Rule Settings

Traffic Criteria

 These settings define the traffic that will be handled by the rule:

Setting

Description

Bi-Directional

If the rule must
be applied to traffic going
to and from the specified source and destination, select this check
box.

Source

The source IP addresses of the traffic.

Service

The IP protocol used
or, with TCP/UDP, the relevant IP protocol and port for
the traffic.

Destination

The destination IP addresses/netmask of the traffic.

 

Authenticated User

The
authenticated users and groups who are affected by this rule. For more information, see Firewall
Authentication. If the rule requires user authentication at the firewall, the
rule is depicted with an icon
in

the Name column in the rule overview window.

 

Rule Activation

 These settings specify if the rule is active and how long it should be active: 

Setting

Description

 

Dynamic Rule

If the rule must
be dynamically activated and deactivated for set periods
of time, select this check box. For more
information on configuring dynamic rules, see
How to Activate a Dynamic Firewall Rule.

 

 

Deactivate Rule

To deactivate the rule, select
this check box. To reactivate the rule, clear
this check box.

 

To hide inactive rules in the rule set, click the Show/Hide Inactive Rules icon
in the navigation bar. It is the first
icon on the top right
of the rule
set.



Action and Connection

 The Action setting specifies how the Barracuda NG Firewall handles traffic that matches the rule criteria. These are the options that you can select:

There are quite a few different actions for your rules, 
  • Block
  • Deny
  • Pass
  • DST NAT
  • MAP
  • App Redirect
  • Broad-Multicast
  • Cascade

Action

Description

Block

Ignores the traffic and does not answer any matching packets.

 

 

Deny

Dismisses traffic and sends the following:

  TCP-RST (for TCP requests)

ICMP Port Unreachable (for UDP requests)

  ICMP Denied
by Filter (for
other IP protocols) to the source.

Pass

Passes the
network traffic to the specified destination.

Dst NAT

Rewrites
the destination IP address and port. You can specify the connection type; this
lets you use
source NAT and destination NAT
together.

 

Map

Maps one
destination IP address or subnet to another IP object. The map is also available the reversed way.

For this
action, you can select either
client (destination NAT) or any predefined translation map for the connection type.

 

App Redirect

Redirects the
traffic to a local application (transparent proxying).

 

Advanced parameters and timeouts of this type
behave like in the local
firewall.

Broad Multicast

Propagates the traffic to multiple interfaces. This action is only needed
with bridging.

Cascade

Specifies that the traffic
must be processed by a subset of the main rule set.

Cascade Back

If the traffic does not match any rules in a rule subset specified by a Cascade

rule, use this action
to direct traffic
handling to the main rule
set.

Execute

The traffic is piped into the STanDard IN (STDIN) of a program
running on the server.

Depending on the Action of the rule, you can select a Connection
Method that specifies how the source,
destination, or service of the traffic is manipulated as it passes the Barracuda
NG Firewall. This setting typically
specifies the outgoing source IP address for address translation. The following Connection Method options are available:

 

Connection Method

Description

<explicit-conn>

Lets you define the IP address
used to perform
source network address translation (NAT).

 

Dynamic Scr NAT

Performs
source NAT for the defined
connection. The source IP address of network packets will be manipulated
dynamically, according to the routing table
of the Barracuda NG Firewall.

Loopback

Performs source
NAT with the loopback IP address of 127.0.0.1.

No Src NAT

No source NAT is
performed.

Source
NAT with DHCP | ISDN | UMTS | xDSL

Performs source NAT with the IP address of the specified
network interface type (DHCP, ISDN,
UMTS, or xDSL). The firewall does not perform a routing table
lookup.

Source NAT with VIP

Performs source
NAT with the VIP address
of the remote
management tunnel. The firewall does
not perform a routing table
lookup.

Src NAT 1st Server
IP

Performs
source NAT with the 1st Server IP address. The firewall does not
perform a routing
table lookup.

Src NAT 2nd Server
IP

Performs
source NAT with the 2nd Server IP address. The firewall does not
perform a routing table.

 


Traffic Modification and Inspection

These settings specify if the traffic
is modified or inspected: 

Setting

Description

Redirect Target

This setting
is for rules
with the Action set
to Dst Nat, App Redirect, or Map. In this section, you can specify
the outgoing destination IP address for address translation.

 

You can select
the following policies:

 

 

IPS Policy The traffic is inspected by the IPS engine according to the selected

 

IPS policy.

 

 

Application Policy The traffic is inspected according to the selected application

 

policy. For more information, see
Layer 7 Application Control.

Policy

 

Time Objects If Dynamic
Rule is enabled,
select the required
Time Object.

 

 

QoS Band (Fwd)
Traffic in the forward direction is handled according to the

 

selected QoS Band. For more information,
see Traffic Shaping.

 

 

QoS Band (Reply) Traffic in the reverse direction is handled according to the

 

selected QoS Band.

 


Configure Pass Forwarding Firewall Rule

In this lab, we are gonna create a pass action rule, which is Allow rule in other vendor’s firewall. 


Pass access rule permits traffic for a specific Service coming from the Source to access the selected Destination . For the Source and Destination , you can specify network objects, IP addresses, networks, or geolocation objects .

pass_rule.png

Note: https://campus.barracuda.com/product/cloudgenfirewall/doc/79462929/how-to-create-a-pass-access-rule/

Configure Destination NAT Firewall Rule

A Dst NAT access rule redirects traffic that is sent to an external IP address to a destination in the internal network. The following example shows a Dst NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ (172.16.0.10). The redirect target can be a single IP address or hostname, or a network object. Hostnames and IP addresses can be appended with a port number to redirect the traffic to a different port.

Note: https://campus.barracuda.com/product/cloudgenfirewall/doc/79462926/how-to-create-a-destination-nat-access-rule/

Video


By netsec

Related Post

Security Software

CIS CAT Pro Dashboard Installation

Dec 19, 2023 Jon
Security

Email Security to Protect Your Sent Emails From Your Domain (Office 365)

Oct 25, 2023 Jonny
Security

One Command To Send Spoofing Test Email Easily & One DNS Record to Prevent Phishing For Your Domain

Oct 25, 2023 Jonny

Leave a Reply

You missed

VPN

Use V2rayN (V2ray Client) to Protect Your Online Privacy & Bypass Internet Censorship

2024-12-06 netsec
Fortigate

Config Fortigate Traffic Shaping

2024-12-06 netsec
Cloud

Microsoft Intune Deploy Guide and Device Onboarding Process

2024-12-06 netsec
Fortigate

Fortigate NGFW Solution

2024-12-06 netsec