The Barracuda NextGen Firewall F-Series system basically consists of three parts. The following table provides a general overview of the Barracuda NextGen Firewall F-Series OS Linux system and its licensing concepts:
Standard Linux system with the modified NGFW OS kernel. Kernel sources are a part of the distribution.
Except for the Firewall engine, mostly under GPL or other Open Source Licenses.
Barracuda NextGen networking
Handles all steps dealing with networking.
Barracuda Networks Public License. Can be used freely for all purposes except commercial redistribution.
Barracuda NextGen operative
Operative Barracuda Networks Software; consists of box services (logging, statistics, control) and server (for example VPN, mail gateway, DNS, …)
Proprietary Barracuda Networks License.
In this article:
The Barracuda NextGen Firewall F-Series OS networking layer is installed by the phionetc_box package. It is called phionetc_box because almost all relevant files live in the directory /etc/phion. The main purpose of the package is to control every part of the system that communicates over the network. In addition to the Barracuda NextGen Firewall F-Series software modules, there are other packages like openssh or ntp that get their configuration and are started by specific scripts.
There are three configuration files steering and controlling the networking behavior of the system:
The options file is the only one that is not edited through the Barracuda NextGen Admin GUI. Template of the options file:
####### ## Systemwide options ## File is sourced by several start scripts ## # start networking at all? BOX_NETWORK="Y" # Number of retries to bring up all devices, sometimes useful for token ring devices NET_RETRY=0 # should the NGFW Subsystem be started ? PHION_START="Y" #for some historical reason: should the NetDB subsystem be started? #CAUTION: Activate only if you know very well what you are doing. NETDB_START="N" # for advanced Servers START_ORA="N" #Y/N start ORACLE on BOOT START_ADABAS="N" #Y/N start ADABAS on BOOT
- BOX_NETWORK – Do not change. If you do set it to N, the Barracuda NextGen networking and the services depending on it will not start. The Barracuda NextGen Firewall F-Series will not be functional if this option is set.
- NET_RETRY – Number of retries to establish a network link.
- PHION_START – If set to N, the Barracuda NextGen Firewall F-Series OS operative layer will not be started at all. The Barracuda NextGen Firewall F-Series will not be functional if this option is set to N.
- NETDB_START – Only of use if you have a legacy unit with a NetDB database system on it.
- START_ORA and START_ADABAS – Only of use for a Master configuration server with an Oracle or ADABAS D database.
The boxadm.conf file holds all information that does not need a network restart to be activated. In addition, it also holds information for Barracuda NextGen Firewall F-Series box services. An example of an operative configuration file:
ACLLIST = 10.0.0.8/29 10.0.0.231 ACTBOXSERVICES = y DNSSERVER = 10.1.103.179 10.1.100.204 DOMAIN = m086 ENABLESHOSTS = y MAINADMIN = n MASTER = 10.1.17.42 RID = 86 RMASTER = 10.1.17.42 RPASSWD = $1$someMD5encryption SPASSWD = $1$someMD5encryption STARTNTP = y STATISTICS = y SYNC = y TMASTER = 10.1.16.21 TZONE = Europe/Vienna UTC = y [boxtuning] FILEMAX = 32768 IDETUNING = y INODEMAX = 65536 SYSTUNING = n
For an explanation of the parameters, see How to Configure Advanced Barracuda OS System Settings.
boxnet.conf file holds all information that deals with network connections. These are the hostname and the network interfaces, IP addresses and routing information. Again, let us have a look on a sample file:
HOSTNAME = sega [addnet_dmz] BIND = n CRIT = y DEV = eth1 IP = 192.168.32.1 IPCHAINS = y MASK = 8 PING = y [addroute_default ] DEST = 22.214.171.124 DEV = FOREIGN = y MASK = 32 PREF = REACHIP = SRC = TARGET = 0.0.0.0 TYPE = gw [addroute_QA] DEST = 10.0.0.244 DEV = eth0 FOREIGN = y MASK = 8 SRC = 10.0.0.8 TARGET = 192.168.10.0 TYPE = gw [boxnet] DEV = eth0 IP = 10.0.0.8 MASK = 8 [cards_eepro] MOD = eepro100.o MODOPTIONS = NUM = 1 TYPE = eth [cards_realtek] MOD = rtl18139.o MODOPTIONS =
There are two scripts that are intended to be started from the command line:
/etc/rc.d/init.d/phion(which is actually a link to
All other scripts should not be started on the command line but are invoked by the 2 scripts above. For more information, see: .
The whole operative date resides in
The full configuration of a Barracuda NextGen Firewall F-Series box is held under /opt/phion/config/active. The configuration files may be modified manually by a Barracuda Networks support engineer or by a specially trained system engineer. If you are not absolutely sure about what you are doing, do not change anything here.
Log files and statistics data reside in /var/phion. This directory has the following substructure:
/var/phion/logs –All log files are stored here. You can read it with any editor.
/var/phion/stat –Root directory for the statistics data structure. The data files are Berkeley DB files in binary form. They can be viewed with the showstat utility (/opt/phion/bin/).
/var/phion/logcache –Home of the Log Access Files (*.laf). These are Berkeley DB files for fast access to large log files.
/var/phion/run/<module>– Services may store operational data in these directories.
Intervention on command line is generally not intended on the NGFW OS operative layer. Nevertheless, there is one powerful tool to steer the processes. It can be used to gather comprehensive information about system state, routing, servers, processes. Furthermore, it can start / stop / block / disable servers and box processes. It is called phionctrl and resides in /opt/phion/bin. For more information, see the user documentation .
The following table enlists the ports of a Barracuda NextGen F-Series Firewall / Control Center that are required for communication:
|691 and 443||TCP/UDP||service|
FW-audit (Firewall Audit Viewer)
firewall (Firewall Service)
controld/status (Control Status)
qstatd (Statistics Viewer)
|808||TCP/UDP||box||event (Event Viewer)|
boxconfig (Configuration Service)
masterconfig (Master Configuration Service)
map/status (Status Map)
vpnserver (VPN Service, Master VPN Service)
mailgw (Mail Gateway Service)
HTTPs Proxy GUI
policyserver (Policy Service, Master Policy Service)
HTTP Proxy Fail-Cache
44000 and 44001