We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Network Access Client

Personal Firewall Default Rules and Components

  • Last updated on

The Barracuda Personal Firewall comes with a default access ruleset. The following tables aim to give you a compact overview of the default rules and their functions.

Rule Categories

The default rules are split into the following rule categories:

Main CategorySub Category Level #1Sub Category Level #2
LockdownBlock all outbound and inbound traffic
Mixed (default)


Allow outbound and inboundCore network
Barracuda VPN Allow Outbound and Inbound (Only on Adapter [TRUSTED])

Network Discovery

Ipv6 Tunnel

File and Printer Sharing (only on MY Net)

WLAN





Allow outbound and inboundCore network
Allow outbound

Barracuda VPN
IPv6 tunnel
File and printer sharing (only on my net)
Block inboundNetwork discovery
File and printer sharing
Block outboundNetwork discovery
Domain




Allow outbound and inbound
Barracuda VPN
Network discovery
Core network
IPv6 tunnel
File and printer sharing (only on my net)

Adapters

The following tables show the adapter denominations used and what they mean.

DYNAMIC

NameDescription
All System Adapters

Examples:

  • VPN Network
  • Wireless Network Connection
  • Local Area Connection
  • Mobile Broadband Connection
  • Reusable Microsoft 6To4 Adapter
  • Teredo Tunneling pseudo interface

DYNAMIC [isatap]

NameDescription

Intra-Site Automatic Tunneling Addressing Protocol

ISATAP uses IPv4 as a virtual nonbroadcast multiple-access network (NBMA) data link layer, so that it does not require the underlying IPv4 network infrastructure to support multicast.

Example:
isatap.{09D450D7-FDBA-4B29-8165-5ED2EAB69606}

DYNAMIC [multi]

NameDescription
Adapter [TRUSTED]

All trusted adapters:

  • Ips: mc (managed by CC)
  • Barracuda VPN Adapter
  • Ethernet Adapter
  • Ask User and click “trusted”
Adapter [TUNNEL]All OS tunneling adapters
Adapter [Dial-up]Dial-up adapter, e.g. a modem
Adapter [Ethernet]Ethernet based adapters
Adapter [PolSrv]Adapter that was used for the last Access Control Service connection
Adapter [UNTRUSTED]

All untrusted adapters:

  • Wireless adapter
  • Dial-up adapter
Adapter [Virtual]Virtual adapters
Adapter [VPN]Barracuda virtual adapter
Adapter [Wireless]Wireless adapters

Networks

The following tables show the network denominations used and what they mean.

DYNAMIC

NameDescription
Any
::/0, 0.0.0.0
localIPAll local IP addresses
localPolicyIPLocal IP connect to Access Control Service
localTrustedIPAll local IP addresses from trusted adapters

Net-Personal

VPN

All Barracuda client secure personal routes
TrustedNetSecure zone
UntrustedNetInsecure zone
virtualIPAll Barracuda VPN IP addresses

DYNAMIC [net]

NameDescription
Link-local
::fe80::/64

Secure Link-local Zone

Link-Local Scope Multicast Addresses
ff02::1, ff02::2, ff02::16, ff02::1:3
Ref: Solicited-Node Multicast Addresses
Net-Broadcast
255.255.255.255

All Broadcast

Node-Local Scope Multicast Addresses
ff01::2, ff01::1
Simple Service Discovery Protocol
ff0e::8, ff05::8, ff05::c, ff02::c, 239.255.255.250

Well-known practical multicast addresses for SSDP

 

Site-Local Scope Multicast Addresses
ff05::1:3, ff05::2

Solicited-Node Multicast Addresses

The solicited-node multicast address facilitates the efficient querying of network nodes during address resolution

Net-[Adapter Name] 

LOCAL

NameDescription
LLMRN 
MY Net
Ref: TrustedNet

My private trusted network

SSDP
Ref: Simple Service Discovery Protocol
Ref: MY Net

Services

This table shows the services you can choose from, as well as their protocols, default ports, and function.

NamePortDescription
Barracuda VPN
  • 691 TCP & UDP
  • 443 TCP-IPHTTPS
  • 3128 TCP - Squid Proxy
  • 8080 TCP - MS Proxy
  • 500 UDP - IPsec
  • 53 UDP - DNS
Barracuda VPN Tunnel
BOOTPS
  • 67 Bootstrap Protocol Client
  • 68 Bootstrap Protocol Server
Bootstrap Protocol
CIFS
  • 445 UDP
  • 445 TCP
Microsoft Windows 2000 SMB
DHCPv6
  • 546 UDP-DHCPv6 Client
  • 547 UDP-DHCPv6 Server
DHCPv6 [RFC 3315]
DNS
  • 53 UDP
Domain Name resolution
ICMP Echo
  • ICMP 0 (Echo reply)
  • ICMP 8 (Echo request)
  • ICMPv6 128 (Echo request [RFC 4443])
  • ICMPv6 129 (Echo reply [RFC 4443])
ipv6 and ipv4 Echo reply and request

ICMPv6 Multicast Listener Discovery

  • 130 Multicast Listener Query [RFC 2710]
  • 131 Multicast Listener Report [RFC 2710]
  • 132 Multicast Listener Done [RFC 2710]
  • 143 Version 2 Multicast Listener Report [RFC 3810]
 
ICMPv6 Neighbor Discovery
  • 133 Router Solicitation [RFC 4861]
  • 135 Neighbor Solicitation [RFC 4861]
  • 136 Neighbor Advertisement [RFC 4861]
  • 137 Redirect Message [RFC 4861]
 
ICMPv6 Router Advertisement134 ICMPv6Router Advertisement [RFC 4861]
IGMPProtocol 2Internet Group Message Protocol
IPv6 over IPv4Protocol 41IPv6 over IPv4
IPv6-noNxtProtocol 59IPv6 No Next Header
LLMNR5355 UDPLink-Local Multicast, allows hosts to perform name resolution for host on the same local link
NETBIOS-DBM
  • 138 UDP
  • 138 TCP
NETBIOS Datagram Service
NETBIOS-NS
  • 137 UDP
  • 137 TCP
NETBIOS Name Service
NETBIOS-SSN
  • 139 UDP
  • 139 TCP
NETBIOS Session Service
POLSRV44000 TCPBarracuda CloudGen Network Access Control Service
SSDP
  • 1900 UDP Simple Service Discovery Protocol
  • 2869 TCP SSDP event notification
  • 5000 TCP SSDP legacy event notification
Simple Service Discovery Protocol. Enables discovery of UPnP devices
WEB

80, 8080, 3128 TCP

Ref: IPHTTPS (443 TCP)

 
WS-Discovery3702 TCP & UDPWeb Services Dynamic Discovery is a technical specification that defines a multicast discovery protocol to locate services on a local network.

Applications

This table shows the applications known by default to the Barracuda Personal Firewall.

Name*.*Description
EXPLORER

explorer.exe

Windows Explorer
LSASS
  • LSASS.EXE (Local Security Authority Process)
  • TASKHOST.EXE (Host Process for Windows Tasks)
 
POLSRVphionha.exeBarracuda CloudGen Health Agent
SSDP
  • SVCHOST.EXE
  • WMPNETWK.EXE (Windows Media Player)
Network-Discovery
SVCHOSTSVCHOST.EXEHost Process for Windows Services

Personal Firewall Default Rules

The following tables provide an overview of the default rules and their functions.

Changes in sections other than Local may impact the functionality of the OS.

Barracuda VPN

The rules in this section are used for VPN server connections and for filtering content within tunnels.

Outbound

Tunnel  Outbound Barracuda VPN Tunnel

Adapter 
SourcelocalIP
DestinationAny
ServiceBarracuda VPN
ApplicationBARRACUDA VPN (phions.exe)
Settings

Core Network > Barracuda VPN

  • Yes (default)
  • No

Payload – Outbound Barracuda VPN Payload

AdapterAdapter [VPN]
Source 
Destination*
ServiceAny
ApplicationAny
Settings

Core Network > Barracuda VPN

  • Yes (default)
  • No

* Possible Network objects to restrict the traffic:

  • Net-Personal VPN: All Barracuda Client Secure Routes
  • Net-VPN Network: Dynamic Virtual Dapter Object
Network Discovery

These rules are used to allow or restrict device, service, or machine discovery functionalities on the network.

Outbound

Network Discovery (WSD) – Outbound rule for Network Discovery to discover devices via Function Discovery

AdapterAdapter [TRUSTED]
SourceAny
DestinationAny
ServiceWS-Discovery
ApplicationSVCHOST

Network Discovery (LLMNR) – Outbound rule for Network Discovery to allow Link Local Multicast Name Resolution

Adapter

Adapter [TRUSTED]
BLOCK on Mismatch

SourcelocalIP
DestinationLLMNR
ServiceLLMNR
ApplicationSVCHOST

Network Discovery (SSDP) – Outbound rule for Network Discovery to allow use of the Simple Service Discovery Protocol

Adapter

Adapter [TRUSTED]
BLOCK on Mismatch

SourceAny
DestinationSSDP
ServiceSSDP
ApplicationSSDP

Inbound

Network Discovery (LLMNR) – Inbound rule for Network Discovery to allow Link Local Multicast Name Resolution

AdapterAdapter [TRUSTED]
BLOCK on Mismatch
SourceLLMNR
DestinationLLMNR
ServiceLLMNR
ApplicationSVCHOST

Network Discovery (WSD) – Inbound rule for Network Discovery to discover devices via Function Discovery

AdapterAdapter [TRUSTED]
BLOCK on Mismatch
SourceAny
DestinationAny
ServiceWS-Discovery
ApplicationSVCHOST

Network Discovery (SSDP) – Outbound rule for Network Discovery to allow use of the Simple Service Discovery Protocol

AdapterAdapter [TRUSTED]
BLOCK on Mismatch
SourceAny
DestinationSSDP
ServiceSSDP
ApplicationSSDP
Core Network

These rules are for managing the core network. They abstract the most common protocols and functionalities, such as address assignment, group policy assignment, address lookup, and IPv6 auto-configuration as well as operating system and certificate updates. Also included is a rule to allow or restrict the system’s access to the Barracuda Access Control Server.

Outbound

Core Network - Dynamic Host Configuration – Allows DHCP messages for stateful auto-configuration

Adapter 
Source0.0.0.0/0
Destination0.0.0.0/0
ServiceBOOTPS
ApplicationAny

Core Network - Dynamic Host Configuration for IPv6 – Allows DHCPv6 messages for stateful and stateless configuration

Adapter 
SourceAny
DestinationAny
ServiceDHCPv6
ApplicationAny

Core Network - Router Advertisement Guard – Router Advertisement (RA) messages are used by routers to announce themselves on the link. The IPv6 Router Advertisement Guard can analyze and filter these RA messages.

Adapter 
SourceAny
DestinationAny
ServiceICMPv6 Router Advertisement
ApplicationAny

Core Network - Neighbor Discovery  Neighbor Discovery Solicit and Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

Adapter 
SourceAny
DestinationAny
ServiceICMPv6 Neighbor Discovery
ApplicationICMPv6

Core Network - Multicast Listener Report – The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Adapter 
SourceAny
DestinationAny
ServiceICMPv6 Multicast Listener Discovery
ApplicationAny

Core Network - Group Policy – Outbound rule to allow remote LSASS trafic for Group Policy updates

Adapter 
SourceAny
DestinationAny
ServiceAny
ApplicationLSASS

Core Network - IPv6 No Next Header – The Next Header field indicates that there is no next header whatsoever following this one, not even a header of an upper-layer protocol.

Adapter 
SourceAny
DestinationLink-Local Scope Multicast Addresses
ServiceIpv6-NoNxt
Application*

Core Network - DNS – Outbound rule to allow DNS requests. DNS responses based on requests that matched this rule will be permitted regardless of their source address.

Adapter 
SourceAny
DestinationAny
ServiceDNS
ApplicationSVCHOST

Core Network - Internet Group Management Protocol – IGMP messages are sent and received by nodes to create, join, or depart multicast groups.

Adapter 
SourceAny
DestinationAny
ServiceIGMP
Application*

Core Network - Update Service – Outbound rule to allow Windows, certificate, and CRL updates.

Adapter 
SourceAny
DestinationAny
ServiceWEB
ApplicationSVCHOST

Core Network - Group Policy (TCP-Out) – Outbound rule to allow remote RPC traffic for Group Policy updates

AdapterAdapter [TRUSTED]
SourceAny
DestinationAny
ServiceTCP*
ApplicationSVCHOST

Core Network - Group Policy (UDP-Out) – Outbound rule to allow remote PRC traffic for Group Policy updates

AdapterAdapter [TRUSTED]
SourceAny
DestinationAny
ServiceUDP*
ApplicationSVCHOST

Core Network - Explorer – Windows Explorer

Adapter 
SourceAny
DestinationMY Net
ServiceAny
ApplicationEXPLORER

Core Network - Access Control Service – Barracuda CloudGen Network Access Control Service

Adapter 
SourcelocalIP
DestinationAny
ServicePOLSRV
ApplicationPOLSRV

Core Network - Dynamic Host Configuration – Allows DHCP messages for stateful auto-configuration

Adapter 
Source0.0.0.0/0
Destination0.0.0.0/0
ServiceBOOTPS
ApplicationAny

Core Network - Dynamic Host Configuration for IPv6 – Allows DHCPv6 messages for stateful and stateless configuration

Adapter 
SourceAny
DestinationAny
ServiceDHCPv6
ApplicationAny

Core Network - Router Advertisement Guard – Analyzes and filters Router Advertisement messages

Adapter 
SourceAny
DestinationAny
ServiceICMPv6 Router Advertisement
ApplicationAny
Settings

Core Network > IPv6 RA Guard

  • Block all RA (default)
  • Disable
  • IPv6 Prefixes

Core Network - Neighbor Discovery – Neighbor Discovery Solicit and Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

Adapter 
SourceAny
DestinationAny
ServiceICMPv6 Neighbor Discovery
ApplicationICMPv6

Core Network - Multicast Neighbor Discovery – Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

Adapter 
SourceAny
DestinationLink-Local Multicast Addresses
ServiceICMPv6 Neighbor Discovery
ApplicationICMPv6

Core Network - Multicast Listener Report – The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Adapter 
SourceAny
DestinationAny
ServiceICMPv6 Multicast Listener Discovery
ApplicationICMPv6

Core Network - Internet Group Management Protocol – IGMP messages are sent and received by nodes to create, join ,or depart multicast groups.

Adapter 
SourceAny
DestinationAny
ServiceIGMP
Application*
Core IPv6 Tunnel

These rules allow management of the tunnel traffic for the two IPv6 tunneling protocols that are active by default, e.g. ,in Windows 7.

Outbound

Core IPv6 Tunnel - Teredo (UDP-Out) – Outbound UDP rule to allow Teredo edge traversal

AdapterAdapter [TUNNEL]
Source0.0.0.0/0
DestinationAny
ServiceUDP *
ApplicationSVCHOST
Settings

Core Network > Teredo Tunnel

  • Yes (default)
  • No

Core IPv6 Tunnel - IPv6 over IPv4  Outbound IPv6 over IPv6 tunneling allows access to the IPv6 Internet in absence of an IPv6 native access provider

Adapter 
SourcelocalIP
DestinationAny
ServiceIPv6 over IPv4
ApplicationAny
Settings

Core Network > IPv6 over IPv4

  • Yes (default)
  • No
File and Printer Sharing

These rules are for managing access to printers, files, and folders shared over the network.

Outbound

File and Printer Sharing - Echo Request – Echo request messages are sent as ping requests to other nodes.

Adapter 
SourcelocalIP
DestinationMY Net
ServiceICMP Echo
Application*
Settings

File and Printer Sharing > Outbound

  • Yes (default)
  • No

File and Printer Sharing - NB-Name-Out  Outbound rule for File and Printer Sharing to allow NetBIOS Name Resolution

AdapterAdapter [TRUSTED]
SourcelocalIP
DestinationMY Net
ServiceNETBIOS-NS
ApplicationSYSTEM
Settings

File and Printer Sharing > Outbound

  • Yes (default)
  • No

File and Printer Sharing - NB-Datagram-Out  Outbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception

AdapterAdapter [TRUSTED]
SourcelocalIP
DestinationMY Net
ServiceNETBIOS-DMB
ApplicationSYSTEM
Settings

File and Printer Sharing > Outbound

  • Yes (default)
  • No

Outbound rule for File and Printer Sharing to allow NetBIOS Session Service connections

AdapterAdapter [TRUSTED]
SourcelocalIP
DestinationMY Net
ServiceNETBIOS-SSN
ApplicationSYSTEM
Settings

File and Printer Sharing > Outbound

  • Yes (default)
  • No

File and Printer Sharing - SMB-Out Outbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes

AdapterAdapter [TRUSTED]
SourceAny
DestinationMY Net
ServiceCIFS
ApplicationSYSTEM
Settings

File and Printer Sharing > Outbound

  • Yes (default)
  • No

File and Printer Sharing - NB-Name-Out Outbound rule for File and Printer Sharing to allow NetBIOS Name Resolution

AdapterAdapter [TRUSTED]
SourcelocalIP
DestinationMY Net
ServiceNETBIOS-NS
ApplicationSYSTEM
Settings

File and Printer Sharing > Outbound

  • Yes (default)
  • No

Inbound

File and Printer Sharing - NB-Datagram-In Outbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception

AdapterAdapter [TRUSTED]
SourceMY Net
DestinationMY Net
ServiceNETBIOS-DGM
ApplicationSYSTEM
Settings

File and Printer Sharing > Inbound

  • Yes (default)
  • No

File and Printer Sharing - NB-Name-In Inbound rule for File and Printer Sharing to allow NetBIOS Name Resolution

AdapterAdapter [TRUSTED]
SourceMY Net
DestinationMY Net
ServiceNETBIOS-NS
ApplicationSYSTEM
Settings

File and Printer Sharing > Inbound

  • Yes (default)
  • No

File and Printer Sharing - NB-Session-In Outbound rule for File and Printer Sharing to allow NetBIOS Session Service connections

AdapterAdapter [TRUSTED]
SourceMY Net
DestinationMY Net
ServiceNETBIOS-SSN
ApplicationSYSTEM
Settings

File and Printer Sharing > Inbound

  • Yes (default)
  • No

File and Printer Sharing - SMB-In Outbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes

AdapterAdapter [TRUSTED]
SourceMY Net
DestinationlocalIP
ServiceCIFS
ApplicationSYSTEM
Settings

File and Printer Sharing > Inbound

  • Yes (default)
  • No
Local

These are custom defined rules for other applications, networks, and network locations.

Outbound

Internet

Adapter 
SourcelocalIP
DestinationAny
ServiceWEB
ApplicationAny
Settings

Internet > Web access

  • Yes (default)
  • No
Last updated on