Barracuda Basic Firewall Access-list Policy Lab - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Saturday, December 24, 2022

Barracuda Basic Firewall Access-list Policy Lab

This post is a continuous post from previous one Barracuda CloudGen Firewall F12 Initial Configuration Lab.

In this post, I am gonna show you how to configure WAN / LAN interfaces, how to create your own forwarding access rule, plus Destination NAT rule. 

Related post:



Online PNG Format Topology Diagram:

Configure Interfaces

In our previous post Barracuda CloudGen Firewall F12 Initial Configuration Lab, we already have configured our mgmt port , Port 1. Now, based on our topology, we are going to configure other two ports:
  • LAN - Port 2
  • WAN - Port 4
Go to Configuration - IP Configuration - Shared Networks and IPs:

Add LAN and WAN interfaces in with corresponding configuration:

For easy troubleshooting purpose, don't forget enable the option: Responds to ping, when you are configuring LAN/WAN port. That will make your firewall LAN/WAN port ping-able. 

Firewall Rule Settings

Traffic Criteria

 These settings define the traffic that will be handled by the rule:




If the rule must be applied to traffic going to and from the specified source and destination, select this check box.


The source IP addresses of the traffic.


The IP protocol used or, with TCP/UDP, the relevant IP protocol and port for the traffic.


The destination IP addresses/netmask of the traffic.


Authenticated User

The authenticated users and groups who are affected by this rule. For more information, see Firewall Authentication. If the rule requires user authentication at the firewall, the rule is depicted with an icon in

the Name column in the rule overview window.


Rule Activation

 These settings specify if the rule is active and how long it should be active: 




Dynamic Rule

If the rule must be dynamically activated and deactivated for set periods of time, select this check box. For more information on configuring dynamic rules, see How to Activate a Dynamic Firewall Rule.



Deactivate Rule

To deactivate the rule, select this check box. To reactivate the rule, clear this check box.


To hide inactive rules in the rule set, click the Show/Hide Inactive Rules icon in the navigation bar. It is the first icon on the top right of the rule set.

Action and Connection

 The Action setting specifies how the Barracuda NG Firewall handles traffic that matches the rule criteria. These are the options that you can select:

There are quite a few different actions for your rules, 
  • Block
  • Deny
  • Pass
  • MAP
  • App Redirect
  • Broad-Multicast
  • Cascade




Ignores the traffic and does not answer any matching packets.




Dismisses traffic and sends the following:

  TCP-RST (for TCP requests)

ICMP Port Unreachable (for UDP requests)

  ICMP Denied by Filter (for other IP protocols) to the source.


Passes the network traffic to the specified destination.


Rewrites the destination IP address and port. You can specify the connection type; this lets you use source NAT and destination NAT together.



Maps one destination IP address or subnet to another IP object. The map is also available the reversed way.

For this action, you can select either client (destination NAT) or any predefined translation map for the connection type.


App Redirect

Redirects the traffic to a local application (transparent proxying).


Advanced parameters and timeouts of this type behave like in the local firewall.

Broad Multicast

Propagates the traffic to multiple interfaces. This action is only needed with bridging.


Specifies that the traffic must be processed by a subset of the main rule set.

Cascade Back

If the traffic does not match any rules in a rule subset specified by a Cascade

rule, use this action to direct traffic handling to the main rule set.


The traffic is piped into the STanDard IN (STDIN) of a program running on the server.

Depending on the Action of the rule, you can select a Connection Method that specifies how the source, destination, or service of the traffic is manipulated as it passes the Barracuda NG Firewall. This setting typically specifies the outgoing source IP address for address translation. The following Connection Method options are available:


Connection Method



Lets you define the IP address used to perform source network address translation (NAT).


Dynamic Scr NAT

Performs source NAT for the defined connection. The source IP address of network packets will be manipulated dynamically, according to the routing table of the Barracuda NG Firewall.


Performs source NAT with the loopback IP address of

No Src NAT

No source NAT is performed.

Source NAT with DHCP | ISDN | UMTS | xDSL

Performs source NAT with the IP address of the specified network interface type (DHCP, ISDN, UMTS, or xDSL). The firewall does not perform a routing table lookup.

Source NAT with VIP

Performs source NAT with the VIP address of the remote management tunnel. The firewall does not perform a routing table lookup.

Src NAT 1st Server IP

Performs source NAT with the 1st Server IP address. The firewall does not perform a routing table lookup.

Src NAT 2nd Server IP

Performs source NAT with the 2nd Server IP address. The firewall does not perform a routing table.


Traffic Modification and Inspection

These settings specify if the traffic is modified or inspected: 



Redirect Target

This setting is for rules with the Action set to Dst Nat, App Redirect, or Map. In this section, you can specify the outgoing destination IP address for address translation.


You can select the following policies:



IPS Policy The traffic is inspected by the IPS engine according to the selected


IPS policy.



Application Policy The traffic is inspected according to the selected application


policy. For more information, see Layer 7 Application Control.



Time Objects If Dynamic Rule is enabled, select the required Time Object.



QoS Band (Fwd) Traffic in the forward direction is handled according to the


selected QoS Band. For more information, see Traffic Shaping.



QoS Band (Reply) Traffic in the reverse direction is handled according to the


selected QoS Band.


Configure Pass Forwarding Firewall Rule

In this lab, we are gonna create a pass action rule, which is Allow rule in other vendor's firewall. 

Pass access rule permits traffic for a specific Service coming from the Source to access the selected Destination . For the Source and Destination , you can specify network objects, IP addresses, networks, or geolocation objects .



Configure Destination NAT Firewall Rule

A Dst NAT access rule redirects traffic that is sent to an external IP address to a destination in the internal network. The following example shows a Dst NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ ( The redirect target can be a single IP address or hostname, or a network object. Hostnames and IP addresses can be appended with a port number to redirect the traffic to a different port.



No comments:

Post a Comment