User manual BARRACUDA COMMAND LINE REV 1.1 INTERFACE GUIDE

[. . . ] Command Line Interface Guide Barracuda NG Firewall Revision 1. 1 Barracuda Networks Inc. Winchester Blvd Campbell, CA 95008 http://www. barracuda. com Copyright Notice Copyright 2004-2010, Barracuda Networks www. barracuda. com v4. x-090623-06-1119 All rights reserved. Information in this document is subject to change without notice. Trademarks Barracuda NG Firewall is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or trademarks of their respective holders. 2 Barracuda NG Firewall - Command Line Interface Guide Contents Chapter 1 - I n t r o d u c t i o n . [. . . ] Two important files, boxadmin. conf and boxnet. conf, are sitting within this directory. 38 Barracuda NG Firewall - Command Line Interface Guide 5. 3. 2 "Configroot" Directory Directory for the GUI's management configuration tree. 5. 3. 3 "History" Directory Contains DB files for internal use only. Absolutely not to be changed manually. Do not make any changes to this directory. 5. 3. 4 "Sessions" Directory Whenever a session is opened, all session based information is stored here. 5. 3. 5 "Update" Directory All files needed for synching with another box (e. g. HA) are stored here. Configuration Files and Tree 39 40 Barracuda NG Firewall - Command Line Interface Guide Chapter 6 Network Activation General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Networking Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Network Activation 41 6. 1 General This chapter is about activating a new network configuration using the console. Which files can be changed? 6. 2 Networking Layer The networking layer is installed along with the etc_box package. It is called phionetc_box because almost all relevant files are located within the /etc/phion directory. The main purpose of this package is controlling every part of the system that communicates using the network. Along with the software modules, there are further packages, such as openssh or ntp, that retrieve their configuration from NGFW scripts and whose modules are started by these scripts. 6. 3 Configuration Files There are three configuration files used to control the network behavior of the system: · · · 6. 3. 1 Options 6. 3. 2 boxadm. conf, page 43 6. 3. 3 boxnet. conf, page 43 6. 3. 1 Options This is the only configuration file not managed by Barracuda NG Admin. Fig. BOX_NETWORK="Y" # Number of retries to bring up all devices, sometimes useful for token ring devices NET_RETRY=0 # should the phion subsystem be started ?PHION_START="Y" #for some historical reason: should the NetDB subsystem be started?NETDB_START="N" # for advanced Servers START_ORA="N" #Y/N start ORACLE on BOOT START_ADABAS="N" #Y/N start ADABAS on BOOT Table 6­3 Parameters in the options file Parameter BOX_NETWORK NET_RETRY PHION_START NETDB_START Options Y/N numerical Y/N Y/N Default Y 0 Y N Description If set to "N", nothing will happen when trying to start networking. If set to "N", the Barracuda operative layer will not start. Use this if a box is running without proprietary Barracuda NGFW software. Only of use when using a box with NetDB database on it. 42 Barracuda NG Firewall - Command Line Interface Guide 6. 3. 2 boxadm. conf Contains parameters related to services that don't require a network restart in order to get activated (e. g. Additionally, this file contains information about box services (box tuning). Fig. 6­39 Example for boxadmin. conf content ACLLIST[] = DNSSERVER[] = 212. 86. 0. 4 DOMAIN = phion. qa INACTFLAG = n NTPEVT = 0 RPASSWD = $1$someMD5encryption SPASSWD = $1$someMD5encryption STARTNTP = y SYNC = y TMASTER[] = 10. 0. 0. 33 TZONE = Europe/Vienna UTC = y [rootalias_mbr] AUTHLEVEL = 0 NAME = mbr PASSWD = $1$goelga$9ysSYZ4X. qpJqn8k0KpsC. PUBKEY = -----BEGIN RSA PUBLIC KEY----MIGJAoGBAOV2ltrcBSa4mV3S0ni6P6K9RTIWHG3aMoolsAQNEsImcReUqhdc+QQ2 kCHHHJ5HWpBc0ePF6P+nrv0Pgw3SZHcV3mA7L1JeHs2XEqvndnVlvA+uNhnbMVBD o/yUhq4Vwdgmu3OiUlspJhgRnCapRIvSAmoARNPWoGA/tw8HgJdTAgMBAAE= -----END RSA PUBLIC KEY----[rootalias_pmr] AUTHLEVEL = 0 NAME = pmr PASSWD = $1$djoanl$BPvPXlA87meC4. JVNljcP. PUBKEY = -----BEGIN RSA PUBLIC KEY----MIGJAoGBAM2dG/OHlJCdIASXy4DmOWb23u4SJr2q/BzalLDM31m9kc/zsKAbZasU Yevr86H7yZ2qqtILywycsCYKuYATZe37QlO30vyh+VCphgumwbfVXl9fkAeJUrzM XGNRUWpwiDCl4vEpGl0b5gHka/XjKdsM4RmXAE6k+6+5sAuIrZqPAgMBAAE= -----END RSA PUBLIC KEY----- 6. 3. 3 boxnet. conf Contains information about dealing with network connections, such as host name, network devices, IP addresses and routing information. Fig. 6­40 Example for boxnet. conf content HOSTNAME = mybox RAM = n VIP = [addnet_212er] BIND = y CRIT = n DEV = eth1 IP = 212. 86. 0. 112 MASK = 8 NAME = 212er PING = y [addroute_default1] DEST = 212. 86. 0. 100 DEV = FOREIGN = y MASK = 32 NAME = default1 PREF = 100 SRC = TARGET = 0. 0. 0. 0 TYPE = gw [addroute_default2] DEST = 212. 86. 1. 100 DEV = FOREIGN = y MASK = 32 NAME = default2 PREF = 200 FOREIGN = y MASK = 8 NAME = dev2 PREF = SRC = TARGET = 212. 86. 1. 0 TYPE = dev [addroute_devnet] DEST = 10. 0. 0. 101 DEV = FOREIGN = y MASK = 8 NAME = devnet PREF = SRC = TARGET = 10. 0. 3. 0 TYPE = gw [boxnet] DEV = eth0 IP = 10. 0. 0. 181 MASK = 8 [cards_10realtek] BLTIN = module MOD = 8139too. o NAME = 10realtek NUM = 2 TYPE = eth Network Activation 43 44 Barracuda NG Firewall - Command Line Interface Guide Chapter 7 Verification Scripts /etc/phion/bin/verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Verification Scripts 45 7. 1 /etc/phion/bin/verify This script checks the logical consistency of the boxnet. conf and boxadm. conf files. [. . . ] At the position of the Command parameter, enter for example: phionrcscleanup--path=/opt/phion/ rangetree/configroot/Revision --months=6 · Specify the scheduling times. 18. 2. 2 Example 2 Set up a cron job using the command line: Fig. 18­68 * * * * * command to be executed ----||||| | | | | ----- Day of week (0 - 7) (Sunday=0 or 7) | | | ------- Month (1 - 12) | | --------- Day of month (1 - 31) | ----------- Hour (0 - 23) ------------- Minute (0 - 59) Fig. 18­69 Example for CC crontab -e * * 1 * * phionctrl module block rangeconf; /opt phion/bin/phionrcscleanup -- path=/opt/phion/rangetree/configroot/Revision -months=1; phionctrl module start rangeconf; Fig. 18­70 Example for HA-CC crontab -e * * 1 * * phionctrl module block rangeconf; /opt * * 1 * * phionctrl box block boxconfig; phionctrl module block rangeconf; /opt phion/bin/phionrcscleanup -- path=/opt/phion/rangetree/configroot/Revision -months=1; phionctrl module start rangeconf; phionctrl box start boxconfig; phionrcscleanup 89 18. 2. 3 Example 3 Place a script in one of the cron directories in /etc/cron. * to start the job daily, hourly, weekly or monthly: Fig. [. . . ]