Barracuda CloudGen Firewall

Default Host Firewall Rules

The Host Firewall rule set contains default rules that fit most applications and services handled by the Barracuda CloudGen Firewall. The following tables list all preconfigured Host Firewall rules, together with their default state (Enabled or Disabled) and the comment attached to each rule.

Default Host Rules of the Barracuda CloudGen Firewall

The default Host Firewall rule set of the Barracuda CloudGen Firewall is divided into the following tabs:

  • Inbound – Displays all inbound Host Firewall rules.
  • Inbound-User – (Bound to the Inbound set) Shows a subset of inbound Host Firewall rules.
  • Outbound – Displays all outbound Host Firewall rules.
  • Outbound-User – (Bound to the Outbound set) Shows a subset of outbound Host Firewall rules.
Host Firewall Rules - Inbound

#   Default State  Name                      Comment
0   Enabled        NO-ACCESS                 Blocks external access to local IP used for local redirection in forwarding ruleset.
1   Enabled        MGMT-ACCESS-S             Allows management access via serial line, i.e., device=ppp0.
2   Enabled        MGMT-ACCESS-CC            Allows management access from the CC IPs.
3   Enabled        MGMT-ACCESS-CC-LIC        Allows management access from the CC IPs.
4   Enabled        HA-S-STATUS               Allows ICMP based HA-probing of server IPs.
5   Enabled        HA-B-STATUS               Allows control-control HA status check communication.
6   Enabled        HA-CONF                   Allows configuration sync between HA partners (dedicated HA).
7   Enabled        HA-SYNC                   Allows sync of optional services between HA partners.
8   Enabled        MGMT-ACCESS-R             Allows exclusive management access for addresses within the ACL.
9   Enabled        MGMT-ACCESS-REST          Allows exclusive management access for addresses within the ACL.
10  Enabled        MGMT-ACCESS-WEBUI         Allows exclusive management access for addresses within the ACL.
11  Enabled        MGMT-ACCESS               Allows exclusive management access for addresses within the ACL.
12  Enabled        BOX-MGMT-SNMP             Allows exclusive SNMP access for addresses within the ACL.
13  Enabled        LL-IP-TUNNELS             Allows low level IPIP and GRE tunnels between tunnel endpoints.
14  Enabled        OP-SRV-L2TP               Blocks direct external access to the L2TP daemon. L2TP/IPSEC is not affected.
15  Enabled        OP-SRV-VIRSCAN            Allows global access to optional Virus Scanner Service.
16  Enabled        OP-SRV-VPN                Allows global access to optional VPN service incl. PPTP variant.
17  Enabled        OP-SRV-DHCP               Allows global access to optional DHCP server service.
18  Enabled        OP-SRV-DNS                Allows global TCP/UDP access to optional DNS service.
19  Enabled        OP-SRV-OSPF               Allows global access to OSPF for the optional OSPF-RIP-BGP service.
20  Enabled        OP-SRV-RIP                Allows global access to RIP for the optional OSPF-RIP-BGP service.
21  Enabled        OP-SRV-BGP                Allows global access to BGP for the optional OSPF-RIP-BGP service.
22  Enabled        OP-SRV-SIP                Allows global access to optional SIP proxy service.
23  Enabled        OP-SRV-SAPRT              Allows global access to optional SAP-Router gateway service.
24  Enabled        OP-SRV-SNMP               Allows global access to optional SNMP gateway service.
25  Enabled        OP-SRV-PX                 Allows global access to optional HTTP/S proxy service.
26  Enabled        OP-SRV-NTP                Allows exclusive access to optional local NTP service from local networks.
27  Enabled        OP-SRV-ICMP               Allows ICMP ECHO requests to Server IPs.
28  Enabled        BOX-ICMP-PING             Allows ICMP ECHO requests to local box addresses.
29  Enabled        BOX-PPTP-IN               Allows box communication with ADSL/PPTP modem.
30  Enabled        BOX-DHCP-IN               Allows exclusive access to optional DHCP client service (device=dhcp).
31  Enabled        BOX-AUTH-MSAD-SYNC-IN     Allows access to configured MSAD user authentication sync type servers. Requires installation of DCAgent on specified MSAD servers.
32  Enabled        BOX-AUTH-TSAGENT-SYNC-IN  Allows access to configured TSAgent sync type servers. Requires installation of TSAgent on specified terminal servers.
33  Enabled        BOX-AUTH-WIFIAP-SYNC-IN   Allows access to configured Wi-Fi Access Point authentication sync type servers.

The Barracuda Firewall Control Center box provides the following additional inbound default rules (the # column is the rule's position in the CC rule set):

#   Name                Comment
2   HA-CONF-CC          Allows configuration sync between HA partners (dedicated HA).
6   CC-ACCESS           Allows access to CC services hosted by this box.
10  OP-SRV-CC           Allows for event and status delivery by managed boxes to CC services.
11  OP-SRV-AUDIT        Allows for audit data delivery by managed boxes to CC Audit service.
12  OP-SRV-PKI          Allows access to PKI service hosted by this box.
13  OP-SRV-VPN          Management tunnel (transport) access to CC VPN server.
14  OP-SRV-DNS          Allows for queries of optional local DNS service.
15  OP-SRV-SYSLOG-SSL   Allows for secure and authenticated delivery of syslog from managed boxes via VPN tunnel.
16  OP-SRV-SYSLOG       Allows for secure and authenticated delivery of syslog from managed boxes via VPN tunnel.

Host Firewall Rules - Inbound-User

#   Name      Comment
0   PASSALL   A catch-all rule to warrant free traffic flow. Adapt this to your needs.

Host Firewall Rules - Outbound

#   Default State  Name                              Comment
0   Enabled        OP-SRV-CLOUD-NTP                  Allows NTP queries for cloud-based boxes.
1   Enabled        BOX-MGMT-CLOUD-CC                 Allows traffic from cloud-based boxes to CC.
2   Enabled        NO-ACCESS                         Blocks direct outbound access from unrouted loopback networks.
3   Enabled        HA-B-STATUS                       Allows control-control HA status check communication.
4   Enabled        HA-S-STATUS                       Allows ICMP based HA-probing of server IPs.
5   Enabled        HA-CONF                           Allows configuration sync between HA partners (dedicated HA).
6   Enabled        HA-SYNC                           Allows sync of optional services between HA partners.
7   Enabled        LL-IP-TUNNELS                     Allows low level IPIP and GRE tunnels between tunnel endpoints.
8   Disabled       BOX-DNS-MGMT-NAT                  Routes connections to the statically configured DNS servers via the management tunnel. The explicit connection via interface tap3 routes DNS requests to the statically configured DNS servers through the management tunnel. It is only useful if the box is using remote management to the MC.
9   Enabled        BOX-DNSFWD-OUT                    Allows local DNS queries to configured DNS servers and root DNS servers.
10  Enabled        BOX-DNSSLV-OUT                    Allows zone transfers initiated by local box DNS secondary server.
11  Enabled        BOX-DNSREC-OUT                    Allows recursive local DNS queries.
12  Enabled        BOX-NTP-OUT-T                     Allows NTP queries via box management tunnel to CC.
13  Enabled        BOX-NTP-OUT                       Allows NTP queries to configured NTP servers.
14  Enabled        OP-SRV-VPN                        Allows global access for optional VPN service.
15  Enabled        OP-SRV-DNS                        Allows global access for optional DNS service.
16  Enabled        OP-SRV-OSPF                       Allows outgoing access for OSPF in an optional dyn. routing service.
17  Enabled        OP-SRV-RIP                        Allows outgoing access for RIP in an optional dyn. routing service.
18  Enabled        OP-SRV-BGP                        Allows outgoing access for BGP in an optional dyn. routing service.
19  Enabled        BOX-SYSLOG-AUDIT-OUT              Allows delivery of logfiles or audit data to CC.
20  Enabled        BOX-EVENT-OUT                     Allows event notification delivery to CC.
21  Enabled        BOX-STATUS-CC                     Allows status notification delivery to CC.
22  Enabled        BOX-CONFIG-CC                     Allows config update delivery to CC.
23  Enabled        BOX-SYNC-CC                       Allows sync to CC.
24  Enabled        BOX-GW-TEST                       Allows ICMP gateway probing.
25  Enabled        BOX-MONIP-TEST                    Allows ICMP monitoring IP probing.
26  Enabled        BOX-UMTS-TEST                     Allows ICMP probing of Wireless WAN gateway and monitoring IPs.
27  Enabled        BOX-xDSL-TEST                     Allows ICMP probing of ADSL link gateway and monitoring IPs.
28  Enabled        BOX-ISDN-TEST                     Allows ICMP probing of ISDN link gateway and monitoring IPs.
29  Enabled        BOX-DHCP-OUT                      Allows broadcasts from local DHCP client service.
30  Enabled        BOX-DHCP-TEST                     Allows ICMP probing of DHCP link gateway and monitoring IPs.
31  Enabled        BOX-RAM-TEST                      Allows ICMP probing of box management tunnel monitoring IPs incl.
32  Enabled        BOX-RAM-OUT                       Allows ICMP probing of box management tunnel gateways (points of entry).
33  Enabled        BOX-PPTP-OUT                      Allows box communication with ADSL/PPTP modem.
34  Disabled       BOX-AUTH-MGMT-NAT                 Routes connections to the authentication servers via the management tunnel. The explicit connection via interface tap3 routes authentication requests to the backend servers through the management tunnel. It is only useful if the box is using remote management to the MC.
35  Enabled        BOX-AUTH-MSAD                     Allows access to configured MSAD type authentication servers.
36  Enabled        BOX-AUTH-MSNT                     Allows access to configured MSNT type authentication servers.
37  Enabled        BOX-AUTH-RADIUS                   Allows access to configured RADIUS type authentication servers.
38  Enabled        BOX-AUTH-LDAP                     Allows access to configured LDAP, MSADIR type authentication servers.
39  Enabled        BOX-AUTH-MSAD-SYNC                Allows access to configured MSAD user authentication sync type servers. Requires installation of DCAgent on specified MSAD servers.
40  Enabled        BOX-AUTH-RSA                      Allows access to configured RSA-SecurID type authentication servers.
41  Enabled        BOX-AUTH-TACACS                   Allows access to configured TACACS+ type authentication servers.
42  Enabled        BOX-AUTH-WSG                      Allows access to configured Web Security Gateway type authentication servers.
43  Enabled        BOX-BRS-REPORTINGSERVER-MGMT-NAT  Allows access to configured Web Security Gateway type authentication servers.
44  Enabled        BOX-BRS-REPORTINGSERVER           Log streaming to the Barracuda Reporting Server.

The Barracuda Firewall Control Center box provides the following additional outbound default rules (the # column is the rule's position in the CC rule set):

#   Name                Comment
5   HA-SYSLOG           Allows for HA sync of optional central syslog service.
7   BOX-DNS-OUT         Allows for DNS requests from local box.
17  OP-SRV-DNS          Allows global access for optional DNS service.
18  OP-SRV-CC           Allows for autonomous CC services access to managed boxes.
19  OP-SRV-CC-R         Allows for autonomous CC services access (license) to managed boxes.

Host Firewall Rules - Inbound/Outbound-User

#   Name      Comment
0   PASSALL   A catch-all rule to warrant free traffic flow. Adapt this to your needs.
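Several of the OP-SRV-* defaults above are described as allowing global access to an optional service, and both user sets ship with a PASSALL catch-all, so before a box goes into production it is worth enumerating exactly which enabled rules admit traffic from anywhere. The following Python script is an added example written for this page, not Barracuda code. It parses a rule listing in the layout of the tables above (number, state, name, comment; the embedded sample is a constructed subset copied from those tables) and classifies each rule by the scope its comment describes. The keywords it matches on ("global access", "exclusive", "within the ACL", "from local networks", "Blocks") are an assumption taken from the comment wording on this page, not a property of the firewall's configuration format.

```python
"""Audit a CloudGen Firewall host-rule listing for broad-scope rules.

Added example, not Barracuda code. The classification keywords are an
assumption based on the rule comments as printed on this page.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRule:
    ruleset: str   # "Inbound", "Outbound", "Inbound-User", ...
    number: int
    state: str     # "Enabled" / "Disabled"; "-" where the set has no state column
    name: str
    comment: str


# Constructed sample: a subset of the rows from the tables on this page,
# one "[Ruleset]" header per set, then number|state|name|comment per rule.
SAMPLE_LISTING = """\
[Inbound]
0|Enabled|NO-ACCESS|Blocks external access to local IP used for local redirection in forwarding ruleset.
11|Enabled|MGMT-ACCESS|Allows exclusive management access for addresses within the ACL.
16|Enabled|OP-SRV-VPN|Allows global access to optional VPN service incl. PPTP variant.
24|Enabled|OP-SRV-SNMP|Allows global access to optional SNMP gateway service.
26|Enabled|OP-SRV-NTP|Allows exclusive access to optional local NTP service from local networks.
[Inbound-User]
0|-|PASSALL|A catch-all rule to warrant free traffic flow. Adapt this to your needs.
[Outbound]
8|Disabled|BOX-DNS-MGMT-NAT|Routes connections to the statically configured DNS servers via the management tunnel.
14|Enabled|OP-SRV-VPN|Allows global access for optional VPN service.
"""


def parse_listing(text):
    """Turn the listing format above into HostRule objects, keeping table order."""
    rules = []
    ruleset = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            ruleset = header.group(1)
            continue
        number, state, name, comment = line.split("|", 3)
        rules.append(HostRule(ruleset, int(number), state, name, comment))
    return rules


def scope_of(rule):
    """Classify a rule by what its comment says about the permitted source.

    Assumed keyword mapping (from this page's wording): 'Blocks' -> block,
    'global access' -> global, 'exclusive'/'within the ACL'/'from local
    networks' -> restricted, PASSALL -> catch-all, anything else -> other.
    """
    if rule.name == "PASSALL":
        return "catch-all"
    c = rule.comment.lower()
    if c.startswith("blocks"):
        return "block"
    if "global access" in c:
        return "global"
    if "exclusive" in c or "within the acl" in c or "from local networks" in c:
        return "restricted"
    return "other"


def find_broad_rules(rules):
    """Enabled rules that accept traffic from anywhere, plus user-set catch-alls."""
    found = []
    for r in rules:
        if r.state == "Disabled":
            continue
        if scope_of(r) in ("global", "catch-all"):
            found.append((r.ruleset, r.number, r.name))
    return found


if __name__ == "__main__":
    for ruleset, number, name in find_broad_rules(parse_listing(SAMPLE_LISTING)):
        print(f"{ruleset:13} #{number:<3} {name}")
```

On the sample, the report contains both OP-SRV-VPN rules, OP-SRV-SNMP and the Inbound-User PASSALL; NO-ACCESS is classed as a block, MGMT-ACCESS and OP-SRV-NTP as restricted, and the disabled BOX-DNS-MGMT-NAT is skipped. Anything the script reports should still be checked against the rule object on the box: the comment is documentation, not the rule's actual source and destination match.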