Barracuda CloudGen Firewall

acpfctrl

Use Barracuda Firewall Admin to configure your unit. Do not configure your system with the acpfctrl utility unless you are advised to do so by Barracuda Networks Technical Support.

To view information and settings for the firewall module (acpf), use the acpfctrl utility.

List of all acpfctrl options:

[root@HQ-NG1:~]# acpfctrl
use: acpfctrl [acceptor addrinfo appid arp asdwnl audit auth bacl bal blockpage bridge cache clone contentid device dfbit
           flex forward forward6 fwd icmplog inbound ips landingpage l2tp lproto monitor nattable noping ppp param parp
           plugdebug quarantine realm report resume route rxqueue scada shaping sip sizes sslice slot source srvport
           start stop suspend sync term tune urlcat version]
acceptor      Acceptor info
             call with argument 'count' to get acceptor statistics
addrinfo      Addrinfo cache 
appid         Appid information, configuration and parameters
arp           ARP request interface matching
asyncdownload Configure asynchronous downloads 
audit         Audit log control
auth          Authentication control ;user-addr mapping
bacl          Box access control list
bal           Balance handling and management
blockpage     Manage and display blocking page
bridge        Bridging group manipulation
cache         Cache control
cacheadd      Add entry to scan cache
clone         Clone packet to other host via UDP
contentid     Change ContentId settings
crashreport   Report a summary of useful informations in case of a crash or oops.
device        Show device information
dfbit         Global clearing of DF bit for vpn tunnels
flex          Flex setup and information
forward       Turn forwarding on/off
forward6      Turn ipv6 forwarding on/off
fwd           Passthru forwarding (Generic Forwarders)
icmplog       Log ICMP messages
inbound       Inbound info
ips           IPS control
l2tp          L2TP device handling
landingpage   Manage landing page rules
lproto        Locally handled IP Protocols
monitor       Monitoring (packet capture) information and parameters
nattable      Plugin nattables
noping        Non local ECHO handled IPs
noping6       Non local icmp6 ECHO handled IPs
ppp           Port protocol protection info
param         ACPF parameters
parp          Proxy ARP control
plugdebug     Plugin debuglevel
quarantine    Quarantine Groups
realm         Device realm assignment
report        Set packet drop reporting
resume        Acpf wakeup call
route         DstIP srcIP inDev
rxqueue       Manage rx queue number and filter for network cards with 82598 and 82599 chipset.
scada         SCADA related settings
shaping       Traffic shaping
sip           SIP call table
sizes         Show struct size info
slot          Slot info
source        Source info
srvport       Service to Port Mapping
sslice        Sslice and AV scanning configuration 
start         Load module, caches and rules
stat          Slot statistics
stop          Save caches and unload module
suspend       Seconds put to sleep for n seconds
sync          TF sync control
term          Terminate slots
trafficstat   Show some traffic statistics
tune          Tuning control
urlcat        urlcat info and parameters
user          user information
vrf           virtual routing and forwarding
webmsg        web access syslog forwarding

Options

start

Starts the acpf module and imports the Forwarding Firewall rules and access cache.

stop

Stops the acpf module. The firewall is stopped. Rules and the access cache are saved.

The acpf can only be stopped if its dependent services are also stopped. Before using the acpfctrl stop command, block the firewall services on the server and on the system by using the phionctrl module block firewall and phionctrl box block boxfw commands. For more information, see phionctrl.

parp show

Displays all proxy ARP entries for the firewall.

[root@ash:/var/phion/logs]# acpfctrl parp show
       noext 10.0.10.208/4 MVPN

noping show

Displays all IP addresses that are set to noping.

bacl show

Displays all box access control list entries.

lproto show

Displays the locally handled IP protocols.

realm show

Displays the device realm assignment. The following realms are available:

  • 0 unknown
  • 1 intern
  • 2 dmz
  • 3 extern
  • 4 persvpn
  • 5 fwvpn
  • 6 iptun
  • 7 usr

device

Displays information about all devices for debugging.

Example 1:

[root@HQ-NG1:~]# acpfctrl device show
lo               index=1 realm=opsys
             port=unknown base=00000000 irq=0 dma=0
             state=XOFF START
             mtu=3500 type=LOOPBACK
             mac=00:00:00:00:00:00 brd=00:00:00:00:00:00 num_mc=0
             flags=UP LOOPBACK
             features=SG/IO NO-CSUM HIGH-DMA FRAGLIST
             refcnt=21 watchtime=0
             last_rx=1.9656e+06 secs last_tx=1.9656e+06 secs
             rx=0/0 tx=0/0 rx-err=0 tx-err=0 colls=0

eth0             index=2 realm=intern
             port=unknown base=00000000 irq=0 dma=0
             state=XOFF START
             mtu=1500 type=ETHER
             mac=00:0c:29:22:84:70 brd=ff:ff:ff:ff:ff:ff num_mc=1
             flags=UP BROADCAST
             features=HW-CSUM HIGH-DMA HW-VLAN-TX HW-VLAN-RX HW-VLAN-FILTER
             refcnt=44 watchtime=5000
             last_rx=1.9656e+06 secs last_tx=1.96809e+06 secs
             rx=1569875/1420438899 tx=656119/161707104 rx-err=0 tx-err=0 colls=0
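
The device listing above can be checked mechanically, for example to confirm that each interface sits in the realm the rule set assumes. The following is an added example, not part of the Barracuda documentation: the sample text is constructed in the format shown above, and the eth1 entry and the EXPECTED_REALMS policy are hypothetical.

```python
import re
# Constructed sample in the format of `acpfctrl device show`; eth1 is invented.
SAMPLE = """\
[root@HQ-NG1:~]# acpfctrl device show
lo               index=1 realm=opsys
             flags=UP LOOPBACK
             rx=0/0 tx=0/0 rx-err=0 tx-err=0 colls=0

eth0             index=2 realm=intern
             flags=UP BROADCAST
             rx=1569875/1420438899 tx=656119/161707104 rx-err=0 tx-err=0 colls=0

eth1             index=3 realm=intern
             flags=UP BROADCAST
             rx=120/9000 tx=80/7000 rx-err=7 tx-err=0 colls=0
"""

# Hypothetical policy: the realm each device is supposed to be assigned to.
EXPECTED_REALMS = {"lo": "opsys", "eth0": "intern", "eth1": "extern"}

def parse_devices(text):
    """Return {device: {key: value}}; a value may span several words."""
    devices, fields, key = {}, None, None
    for line in text.splitlines():
        tokens = line.split()
        header = re.match(r"^(\S+)\s+index=\d+", line)
        if header:                         # unindented "name index=N ..." line
            fields, key = devices.setdefault(header.group(1), {}), None
            tokens = tokens[1:]
        elif fields is None or not line[:1].isspace():
            continue                       # prompt line, blank line or noise
        for tok in tokens:
            if "=" in tok:
                key, _, value = tok.partition("=")
                fields[key] = value
            elif key:                      # continuation: "flags=UP BROADCAST"
                fields[key] += " " + tok
    return devices

def audit(devices, expected=EXPECTED_REALMS):
    """List (device, finding) for realm mismatches and non-zero error counters."""
    findings = []
    for name, f in devices.items():
        if f.get("realm") != expected.get(name):
            findings.append((name, f"realm={f.get('realm')} expected={expected.get(name)}"))
        findings += [(name, f"{c}={f[c]}") for c in ("rx-err", "tx-err") if int(f.get(c, "0"))]
    return findings

if __name__ == "__main__":
    print(audit(parse_devices(SAMPLE)))
```
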
sync

Prints the sync state of the system to the standard output.

[root@HQ-NG1:~]# acpfctrl sync show
Mode:            OFF
Cookie:          cb014880
SyncNumber:      1
Server:          VIRT1
Partner:         DOWN
Source:          10.0.10.88:689
Destination:     0.0.0.0:689
KeyIndex:        0
Key1:            00000000000000000000000000000000
Key2:          00000000000000000000000000000000
A Unsynced       0
A Synced         0
A Unsynced Close 0
A Synced Close   0
P Synced         0
P Synced Close   0
A SIP Unsynced       0
A SIP Synced         0
A SIP Unsynced Close 0
A SIP Synced Close   0
P SIP Synced         0
P SIP Synced Close   0

plugdebug

Dumps debug messages of a specified plugin to the appliance firewall log.

  • acpfctrl plugdebug <plugin name> 1 – Enables the dumping of debug messages.
  • acpfctrl plugdebug <plugin name> 0 – Disables the dumping of debug messages.

The output for the plugdebug parameter is used by Barracuda Networks Technical Support.

param

Displays the parameter settings for the appliance.

version

Displays the acpf version.

[root@chefix:~]# acpfctrl version
PhionVersionString R-3.2_V-3.2.0.1 Nov  8 2005 18:53:18

tune kernel

Checks the Use Kernel Ruleset parameter in the operational settings of the general firewall configuration and displays the status.

  • acpfctrl tune kernel on – Temporarily enables the Use Kernel Ruleset function until reboot.
  • acpfctrl tune kernel off – Temporarily disables the Use Kernel Ruleset function until reboot.

tune vpnbypass

To properly use tcpdump to troubleshoot or monitor VPN traffic, all VPN traffic must be handled by one CPU. Only use this option temporarily because disabling vpnbypass considerably reduces the performance of the VPN service.

  • acpfctrl tune vpnbypass on – VPN traffic is handled by multiple CPUs (default).
  • acpfctrl tune vpnbypass off – VPN traffic is handled by a single CPU, allowing tcpdump to show all VPN traffic.

vrf

The vrf command provides the following VRF-related subcommands.

These commands are to be used exclusively by authorized Barracuda Networks Support experts. Do not use them unless you are authorized by Barracuda Networks Support experts!

acpfctrl vrf create [vrfname] [vrfid] – Creates a VR instance with the given name and ID.

acpfctrl vrf delete [vrfname] – Deletes a VR instance with the given name.

acpfctrl vrf exec [vrfname] [cmd] – Executes a shell command in the context of the named VR instance; [cmd] is restricted to acpfctrl commands.

acpfctrl vrf identify [pid] – Shows the VR instance a user is connected to via the CLI.

acpfctrl vrf event – Lists the events available for the VR instance, if there are any.

acpfctrl vrf show – Lists all VR instances configured on the box.