Create service objects to reference IP protocols and, if TCP/UDP is used, the destination port numbers, when configuring access rules. The Barracuda CloudGen Firewall provides a range of predefined service objects. When creating a new service object, you can also include (reference to) other service objects that are already configured.
Create a Service Object
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- In the left menu, click on Services.
- Click Lock.
- Right-click the table and select New. The Edit/Create Service Object window opens.
- Enter a Name for the service object, e.g., POP3 Service.
- If you want to include an already configured service object, select it from the Any drop-down list and click New Reference.
- Click New Object. The Service Entry Parameters window opens.
- From the IP Protocol list, select the required protocol, e.g., 006 TCP.
- In the Port Protocol Protection section, select an action from the Action for prohibited Protocols list.
- Click OK.
- Click Send Changes and Activate.
You can now apply the service object to your access rules.
Apply a Service Object to an Access Rule
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- In the left menu, click on Access Rules.
- Click Lock.
- Double-click the number of the rule you want to apply the service object to, or right-click it and select Edit Rule. (You can also create a new rule.)
- In the Edit Rule window, select the Object Viewer check box.
- In the Object Viewer window that appears, open the Services tab, and drag the service object to the Service table in the Edit Rule window.
- Finish your rule configuration.
Service Object Settings
TCP & UDP
- Port Range – Port or port range the service is running on.
- Dyn. Service – This parameter is required in conjunction with ONCRPC.
- Service Label – Here you may enter certain labels. If left empty, well-known service names (available in /etc/services) are used.
- Client Port Used – The port range the firewall uses for the connection. This port range is only used if dynamic port allocation is required, e.g., with the 'proxy dynamic' connection type. If you want to enter a custom port range, select Manual Entry and enter the first port in the From field and the last port in the To field. This parameter is not evaluated when the firewall service checks whether the rule matches.
ICMP Echo
- Max Ping Size – The maximum size allowed for the ping packet.
- Min Delay – The minimum allowed delay between pings. The 'FW Flood Ping Protection Activated [4002]' event is generated if this limit is not met.
General
- Session Timeout – Time in seconds that a session can remain idle until it is terminated by the firewall (default values: TCP: 86400; UDP: 60; ICMP: 20; all other protocols: 120). For TCP connections, this timeout counts the time that has passed since the last traffic was transmitted in the session. For all stateless protocols, the same value serves as an initial timeout, counting the time until the initial datagram has been answered. Once the datagram is answered, the Balanced Timeout setting comes into effect.
- Balanced Timeout – The time in seconds that a session-like connection established through a non-connection-oriented protocol (all protocols except TCP) can remain idle until it is terminated by the firewall (default values: UDP: 30; ICMP: 10; all other protocols: 120). The balanced timeout comes into effect after the initial datagram sent by the source has been answered and the "session" has been established. The balanced timeout should be shorter than the session timeout; otherwise it is overridden by the session timeout and never comes into effect. The balanced timeout keeps non-connection-oriented "sessions" short and minimizes the number of concurrent sessions, while the larger initial session timeout guarantees that late replies to initial datagrams are not inevitably dropped.
- Plugin – The name and parameters of any plugins that might be required for this object. For more information, see Firewall Plugin Modules.
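To make the interplay of Session Timeout and Balanced Timeout concrete, the following is an added illustrative model, not Barracuda's own code: it replays constructed, timestamped packets through the two-phase timeout logic described above (initial session timeout until the first reply, balanced timeout afterwards, capped by the session timeout if the balanced value is not shorter) and reports when each "session" would expire and under which timeout. Protocol names, the `out`/`in` packet directions and the `>` idle comparison are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Default values from the page, in seconds. TCP has no balanced timeout.
SESSION_TIMEOUT = {"TCP": 86400, "UDP": 60, "ICMP": 20, "OTHER": 120}
BALANCED_TIMEOUT = {"UDP": 30, "ICMP": 10, "OTHER": 120}

def balanced_is_effective(session_timeout, balanced_timeout):
    """Config check: a balanced timeout that is not shorter than the session
    timeout is overridden by it and never comes into effect."""
    return balanced_timeout is not None and balanced_timeout < session_timeout

@dataclass
class Session:
    last_seen: float
    session_timeout: int
    balanced_timeout: Optional[int]   # None for TCP (modelling assumption)
    answered: bool = False            # True once the destination has replied

    def phase(self):
        """'session' until the initial datagram is answered, then 'balanced'."""
        return "balanced" if self.answered and self.balanced_timeout is not None else "session"

    def idle_limit(self):
        if self.phase() == "session":
            return self.session_timeout
        return min(self.balanced_timeout, self.session_timeout)  # session timeout still caps it

def replay(proto, packets, session_timeout=None, balanced_timeout=None):
    """Replay (time, direction) packets ('out' = source to destination, 'in' = reply)
    through the model. Returns (end_time, phase) for every session torn down,
    including the pending expiry of the session still open after the last packet."""
    key = proto if proto in SESSION_TIMEOUT else "OTHER"
    s = SESSION_TIMEOUT[key] if session_timeout is None else session_timeout
    b = None if key == "TCP" else (BALANCED_TIMEOUT[key] if balanced_timeout is None else balanced_timeout)
    ended, cur = [], None
    for t, direction in sorted(packets):
        if cur is not None and t - cur.last_seen > cur.idle_limit():
            ended.append((cur.last_seen + cur.idle_limit(), cur.phase()))
            cur = None
        if cur is None:
            cur = Session(t, s, b)  # this packet opens a new "session"
        cur.last_seen = t
        if direction == "in":
            cur.answered = True
    if cur is not None:
        ended.append((cur.last_seen + cur.idle_limit(), cur.phase()))
    return ended
```

With the UDP defaults, `replay("UDP", [(0, "out"), (10, "in"), (35, "out"), (70, "out"), (125, "in")])` shows the first session expiring 30 seconds after its last packet (balanced phase) while the unanswered retry at 70 still enjoys the full 60-second initial timeout.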
Port Protocol Protection
- Action for prohibited Protocols – From this list, select an action that should be taken if prohibited protocols are detected. For more information, see How to Configure Port Protocol Protection.
- Detection Policy – From this list, select the policy to be applied. For more information, see How to Configure Port Protocol Protection.