This post is a continuous post from previous one Barracuda CloudGen Firewall F12 Initial Configuration Lab.
In this post, I am gonna show you how to configure WAN / LAN interfaces, how to create your own forwarding access rule, plus Destination NAT rule.
Related post:
Topology
Configure Interfaces
- LAN - Port 2
- WAN - Port 4
Firewall Rule Settings
Traffic Criteria
|
Setting |
Description |
|
Bi-Directional |
If the rule must
be applied to traffic going
to and from the specified source and destination, select this check
box. |
|
Source |
The source IP addresses of the traffic. |
|
Service |
The IP protocol used
or, with TCP/UDP, the relevant IP protocol and port for
the traffic. |
|
Destination |
The destination IP addresses/netmask of the traffic. |
|
Authenticated User |
The
authenticated users and groups who are affected by this rule. For more information, see Firewall
Authentication. If the rule requires user authentication at the firewall, the
rule is depicted with an icon
in the Name column in the rule overview window. |
Rule Activation
|
Setting |
Description |
|
Dynamic Rule |
If the rule must
be dynamically activated and deactivated for set periods
of time, select this check box. For more
information on configuring dynamic rules, see
How to Activate a Dynamic Firewall Rule. |
|
Deactivate Rule |
To deactivate the rule, select
this check box. To reactivate the rule, clear
this check box. To hide inactive rules in the rule set, click the Show/Hide Inactive Rules icon
in the navigation bar. It is the first
icon on the top right
of the rule
set. |
Action and Connection
- Block
- Deny
- Pass
- DST NAT
- MAP
- App Redirect
- Broad-Multicast
- Cascade
|
Action |
Description |
|
Block |
Ignores the traffic and does not answer any matching packets. |
|
Deny |
Dismisses traffic and sends the following: • TCP-RST (for TCP requests) • ICMP Port Unreachable (for UDP requests) • ICMP Denied
by Filter (for
other IP protocols) to the source. |
|
Pass |
Passes the
network traffic to the specified destination. |
|
Dst NAT |
Rewrites
the destination IP address and port. You can specify the connection type; this
lets you use
source NAT and destination NAT
together. |
|
Map |
Maps one
destination IP address or subnet to another IP object. The map is also available the reversed way. For this
action, you can select either
client (destination NAT) or any predefined translation map for the connection type. |
|
App Redirect |
Redirects the
traffic to a local application (transparent proxying).
Advanced parameters and timeouts of this type
behave like in the local
firewall. |
|
Broad Multicast |
Propagates the traffic to multiple interfaces. This action is only needed
with bridging. |
|
Cascade |
Specifies that the traffic
must be processed by a subset of the main rule set. |
|
Cascade Back |
If the traffic does not match any rules in a rule subset specified by a Cascade rule, use this action
to direct traffic
handling to the main rule
set. |
|
Execute |
The traffic is piped into the STanDard IN (STDIN) of a program
running on the server. |
Depending on the Action of the rule, you can select a Connection
Method that specifies how the source,
destination, or service of the traffic is manipulated as it passes the Barracuda
NG Firewall. This setting typically
specifies the outgoing source IP address for address translation. The following Connection Method options are available:
|
Connection Method |
Description |
|
<explicit-conn> |
Lets you define the IP address
used to perform
source network address translation (NAT). |
|
Dynamic Scr NAT |
Performs
source NAT for the defined
connection. The source IP address of network packets will be manipulated
dynamically, according to the routing table
of the Barracuda NG Firewall. |
|
Loopback |
Performs source
NAT with the loopback IP address of 127.0.0.1. |
|
No Src NAT |
No source NAT is
performed. |
|
Source
NAT with DHCP | ISDN | UMTS | xDSL |
Performs source NAT with the IP address of the specified
network interface type (DHCP, ISDN,
UMTS, or xDSL). The firewall does not perform a routing table
lookup. |
|
Source NAT with VIP |
Performs source
NAT with the VIP address
of the remote
management tunnel. The firewall does
not perform a routing table
lookup. |
|
Src NAT 1st Server
IP |
Performs
source NAT with the 1st Server IP address. The firewall does not
perform a routing
table lookup. |
|
Src NAT 2nd Server
IP |
Performs
source NAT with the 2nd Server IP address. The firewall does not
perform a routing table. |
Traffic Modification and Inspection
These settings specify if the traffic is modified or inspected:
|
Setting |
Description |
|
Redirect Target |
This setting
is for rules
with the Action set
to Dst Nat, App Redirect, or Map. In this section, you can specify
the outgoing destination IP address for address translation. |
|
|
You can select
the following policies: |
|
|
• |
|
|
IPS Policy – The traffic is inspected by the IPS engine according to the selected |
|
|
IPS policy. |
|
|
• |
|
|
Application Policy – The traffic is inspected according to the selected application |
|
|
policy. For more information, see
Layer 7 Application Control. |
|
Policy |
• |
|
|
Time Objects – If Dynamic
Rule is enabled,
select the required
Time Object. |
|
|
• |
|
|
QoS Band (Fwd) –
Traffic in the forward direction is handled according to the |
|
|
selected QoS Band. For more information,
see Traffic Shaping. |
|
|
• |
|
|
QoS Band (Reply) – Traffic in the reverse direction is handled according to the |
|
|
selected QoS Band. |
Configure Pass Forwarding Firewall Rule
Configure Destination NAT Firewall Rule
A Dst NAT access rule redirects traffic that is sent to an external IP address to a destination in the internal network. The following example shows a Dst NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ (172.16.0.10). The redirect target can be a single IP address or hostname, or a network object. Hostnames and IP addresses can be appended with a port number to redirect the traffic to a different port.
No comments:
Post a Comment