We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Best Practice - Core System Configuration Files

  • Last updated on

The underlying Linux system is designed to serve as a basis for the Barracuda NextGen Firewall F-Series. Direct interfering on the command line is not necessary for normal operation. Such operations should be carried out only by authorized personnel with excellent knowledge of Linux systems and its special Barracuda Networks implementation.

The Barracuda NextGen Firewall F-Series system basically consists of three parts. The following table provides a general overview of the Barracuda NextGen Firewall F-Series OS Linux system and its licensing concepts:

LayerDescriptionLicensing
Basic Linux

Standard Linux system with the modified NGFW OS kernel. Kernel sources are a part of the distribution.

Except for the Firewall engine, mostly under GPL or other Open Source Licenses.

Barracuda NextGen networking

Handles all steps dealing with networking.

Barracuda Networks Public License. Can be used freely for all purposes except commercial redistribution.

Barracuda NextGen operative

Operative Barracuda Networks Software; consists of box services (logging, statistics, control) and server (for example VPN, mail gateway, DNS, …)

Proprietary Barracuda Networks License.

In this article:

Networking Layer

The Barracuda NextGen Firewall F-Series OS networking layer is installed by the phionetc_box package. It is called phionetc_box because almost all relevant files live in the directory /etc/phion. The main purpose of the package is to control every part of the system that communicates over the network. In addition to the Barracuda NextGen Firewall F-Series software modules, there are other packages like openssh or ntp that get their configuration and are started by specific scripts.

Configuration Files

There are three configuration files steering and controlling the networking behavior of the system: 

  • /etc/phion/options
  • /etc/phion/boxadm.conf
  • /etc/phion/boxnet.conf 

The options file is the only one that is not edited through the Barracuda NextGen Admin GUI. Template of the options file:

 

####### ## Systemwide options ## File is sourced by several start scripts ## # start networking at all? BOX_NETWORK="Y" # Number of retries to bring up all devices, sometimes useful for token ring devices NET_RETRY=0 # should the NGFW Subsystem be started ? PHION_START="Y" #for some historical reason: should the NetDB subsystem be started? #CAUTION: Activate only if you know very well what you are doing. NETDB_START="N" # for advanced Servers START_ORA="N" #Y/N start ORACLE on BOOT START_ADABAS="N" #Y/N start ADABAS on BOOT
  • BOX_NETWORK – Do not change. If you do set it to N, the Barracuda NextGen networking and the services depending on it will not start. The Barracuda NextGen Firewall F-Series will not be functional if this option is set.
  • NET_RETRY – Number of retries to establish a network link. 
  • PHION_START – If set to N, the Barracuda NextGen Firewall F-Series OS operative layer will not be started at all. The Barracuda NextGen Firewall F-Series will not be functional if this option is set to N.
  • NETDB_START – Only of use if you have a legacy unit with a NetDB database system on it.
  • START_ORA and START_ADABAS – Only of use for a Master configuration server with an Oracle or ADABAS D database. 

The boxadm.conf file holds all information that does not need a network restart to be activated. In addition, it also holds information for Barracuda NextGen Firewall F-Series box services. An example of an operative configuration file:

ACLLIST[] = 10.0.0.8/29 10.0.0.231 ACTBOXSERVICES = y DNSSERVER[] = 10.1.103.179 10.1.100.204 DOMAIN = m086 ENABLESHOSTS = y MAINADMIN = n MASTER[] = 10.1.17.42 RID = 86 RMASTER[] = 10.1.17.42 RPASSWD = $1$someMD5encryption SPASSWD = $1$someMD5encryption STARTNTP = y STATISTICS = y SYNC = y TMASTER[] = 10.1.16.21 TZONE = Europe/Vienna UTC = y [boxtuning] FILEMAX = 32768 IDETUNING = y INODEMAX = 65536 SYSTUNING = n

For an explanation of the parameters, see How to Configure Advanced Barracuda OS System Settings.

Be extremely cautious when changing these files on the command line.

The boxnet.conf file holds all information that deals with network connections. These are the hostname and the network interfaces, IP addresses and routing information. Again, let us have a look on a sample file:

HOSTNAME = sega [addnet_dmz] BIND = n CRIT = y DEV = eth1 IP = 192.168.32.1 IPCHAINS = y MASK = 8 PING = y [addroute_default ] DEST = 195.23.11.6 DEV = FOREIGN = y MASK = 32 PREF = REACHIP[] = SRC = TARGET = 0.0.0.0 TYPE = gw [addroute_QA] DEST = 10.0.0.244 DEV = eth0 FOREIGN = y MASK = 8 SRC = 10.0.0.8 TARGET = 192.168.10.0 TYPE = gw [boxnet] DEV = eth0 IP = 10.0.0.8 MASK = 8 [cards_eepro] MOD = eepro100.o MODOPTIONS[] = NUM = 1 TYPE = eth [cards_realtek] MOD = rtl18139.o MODOPTIONS[] =
For an explanation of the parameters, see How to Configure Advanced Barracuda OS System Settings.
Activation Scripts

There are two scripts that are intended to be started from the command line: 

  • /etc/rc.d/init.d/phion (which is actually a link to /etc/phion/rc.d/phionrc).
  • /etc/phion/bin/activate 

All other scripts should not be started on the command line but are invoked by the 2 scripts above. For more information, see: .

Operative Layer

Static Data

The whole operative date resides in /opt/phion

It is not recommended to change anything below this directory.

The full configuration of a Barracuda NextGen Firewall F-Series box is held under /opt/phion/config/active. The configuration files may be modified manually by a Barracuda Networks support engineer or by a specially trained system engineer. If you are not absolutely sure about what you are doing, do not change anything here.

Dynamic Data

Log files and statistics data reside in /var/phion. This directory has the following substructure: 

  • /var/phion/logs All log files are stored here. You can read it with any editor.

    DO NOT write to it, DO NOT rename it, DO NOT put any files in here. Any manual action can result in strange behavior of the log interface.

  • /var/phion/stat – Root directory for the statistics data structure. The data files are Berkeley DB files in binary form. They can be viewed with the showstat utility (/opt/phion/bin/).

    Again: Do NOT change anything in this directory manually.

  • /var/phion/logcache – Home of the Log Access Files (*.laf). These are Berkeley DB files for fast access to large log files.

  • /var/phion/run/<module> – Services may store operational data in these directories.

Intervention on command line is generally not intended on the NGFW OS operative layer. Nevertheless, there is one powerful tool to steer the processes. It can be used to gather comprehensive information about system state, routing, servers, processes. Furthermore, it can start / stop / block / disable servers and box processes. It is called phionctrl and resides in /opt/phion/bin. For more information, see the user documentation .

Ports Overview

The following table enlists the ports of a Barracuda NextGen F-Series Firewall / Control Center that are required for communication:

PortProtocolTypeDaemon
22TCPservicesshd (SSH)
691 and 443TCP/UDPservice

vpn

680TCPservice

FW-audit (Firewall Audit Viewer)

688TCPservice

firewall (Firewall Service)

689UDPbox

controld/HA-Sync

692TCP/UDPVPN

management tunnel

801TCPbox 

controld/status (Control Status)

801UDPbox 

controld/ HA-heartbeat

802TCPbox 

phibsd

803TCPbox 

logd (Log-Viewer)

805TCPbox 

distd

806TCPservice

qstatd (Statistics Viewer)

807TCPbox 

qstatd

807UDPbox 

cstatd

808TCP/UDPbox event (Event Viewer)
808TCP/UDPservice

event

809TCPbox

boxconfig (Configuration Service)

810TCPservice

masterconfig (Master Configuration Service)

811TCPservice

map/status (Status Map)

814TCPservice

vpnserver (VPN Service, Master VPN Service)

815TCPservice

mailgw (Mail Gateway Service)

816TCPservice

DHCP

817UDPservicetrans7
818TCPservicePKI
843TCPservice

HTTPs Proxy GUI

844TCPservice

policyserver (Policy Service, Master Policy Service)

845TCPbox

distd

880TCPservice

HTTP Proxy Fail-Cache

44000 and 44001

TCPservice

policyserver

Last updated on