Baracuda CLI

Command Line Interface Guide
Barracuda NG Firewall
Revision 1.2
Barracuda Networks Inc.
3175 S. Winchester Blvd
Campbell, CA 95008
http://www.barracuda.com
Copyright Notice
Copyright 2004-2010, Barracuda Networks
www.barracuda.com
v4.x-090623-06-1119
All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.
Trademarks
Barracuda NG Firewall is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or
trademarks of their respective holders.
Barracuda NG Firewall - Command Line Interface Guide
Contents
Chapter 1 - Introduction ............................................................ 7
General ..................................................................................... 8
Requirements ............................................................................ 8
Chapter 2 - phionctrl ................................................................. 9
General ..................................................................................... 10
phionctrl route ......................................................................... 10
phionctrl server ....................................................................... 11
phionctrl service ...................................................................... 14
phionctrl module...................................................................... 15
phionctrl ip............................................................................... 17
phionctrl arp ............................................................................ 18
phionctrl tell............................................................................. 19
phionctrl proc show ................................................................. 19
phionctrl hostid ........................................................................ 20
phionctrl lic .............................................................................. 21
phionctrl session ..................................................................... 22
phionctrl usage........................................................................ 22
phionctrl box............................................................................ 23
phionctrl versions .................................................................... 25
phionctrl .................................................................................. 25
Chapter 3 - acpfctrl .................................................................. 27
General ..................................................................................... 28
acpfctrl start ............................................................................ 28
acpfctrl stop ............................................................................ 28
acpfctrl parp show .................................................................. 29
acpfctrl noping show ............................................................... 29
acpfctrl bacl show ................................................................... 29
acpfctrl lproto show ................................................................. 29
acpfctrl realm show ................................................................. 29
acpfctrl device ......................................................................... 30
acpfctrl sync ............................................................................ 30
acpfctrl plugdebug ................................................................... 30
acpfctrl param ......................................................................... 31
acpfctrl version ....................................................................... 31
Chapter 4 - Operative Structure ................................................ 33
Static Data ................................................................................ 34
Dynamic Data ............................................................................ 34
Chapter 5 - Configuration Files and Tree ................................... 35
General ..................................................................................... 36
Configuration Files .................................................................... 36
Configuration Tree ..................................................................... 38
Chapter 6 - Network Activation ................................................. 41
General ..................................................................................... 42
Networking Layer ...................................................................... 42
Configuration Files .................................................................... 42
Chapter 7 - Verification Scripts ................................................. 45
/etc/phion/bin/verify .................................................................. 46
Chapter 8 - Activate ................................................................. 47
Manual Configuration Change Using the Activate Command ......... 48
Processes Invoked by NG Admin on Configuration Change ........... 48
Chapter 9 - Activation Scripts ................................................... 51
General ..................................................................................... 52
/etc/rc.d/init.d/phion .................................................................. 52
Chapter 10 - Dynamic Network Start and Stop Scripts ................. 55
General ..................................................................................... 56
xDSL Connections ...................................................................... 56
DHCP Connections ..................................................................... 56
ISDN Connections ...................................................................... 57
UMTS Connections ..................................................................... 57
Chapter 11 - mailclt .................................................................. 59
General ..................................................................................... 60
mailclt options ........................................................................... 60
Chapter 12 - showbdb ............................................................... 61
General ..................................................................................... 62
showbdb .................................................................................... 62
Chapter 13 - statcheck .............................................................. 65
General ..................................................................................... 66
statcheck ................................................................................... 66
Chapter 14 - admintcpdump ....................................................... 69
General ..................................................................................... 70
Options ...................................................................................... 70
Chapter 15 - Maintaining Recipient Databases ............................ 71
General ..................................................................................... 72
Creating Recipient Database ....................................................... 72
Adding E-Mail Addresses ............................................................ 72
Viewing Databases ..................................................................... 72
Configuring Utilization of Recipient Database ............................... 73
Updating Recipient Database ...................................................... 73
Backing Up Recipient Databases ................................................. 73
Chapter 16 - conftool ................................................................ 75
General ..................................................................................... 76
conftool commands .................................................................... 76
conftool options [rmc] for Barracuda NG Control Centers .............. 76
Examples ................................................................................... 77
Chapter 17 - phionar - Archive Tool ........................................... 79
General ..................................................................................... 80
phionar ...................................................................................... 80
Creating PAR Files for Backup ..................................................... 84
Emergency Restore .................................................................... 85
Chapter 18 - phionrcscleanup .................................................... 87
Overview ................................................................................... 88
How to Set Up as Cron Job ......................................................... 89
Chapter 19 - Linux Networking Commands ................................. 91
General ..................................................................................... 92
ip ............................................................................................... 92
tcpdump ..................................................................................... 93
Chapter 1
Introduction
General ..................................................................................... 8
Requirements ............................................................................ 8
1.1 General
The CLI (Command Line Interface) tools become vital when a box is inaccessible with the graphical
administration tool NG Admin. They are also helpful for scripting purposes. All that is needed is SSH
access to the box (configurable through the parameter Shell Level in the Box Administrators configuration)
and a Control Center machine that is allowed to manage the box (configurable through the parameter ACL
in the Box Settings configuration). Please consult the Barracuda NG Firewall Administrator's Guide for
detailed information.
Typically, information is dumped to the display, the standard output (stdout). If necessary, the output
can be redirected to a file.
To write the output to a file instead of stdout, type the command and append ">" followed by
/path/filename (e.g. /tmp/route). The shell then redirects the output of the command into that file, in this
example into the /tmp directory (cf. "Learning The bash Shell, 2nd Edition" by Cameron Newham and
Bill Rosenblatt, O'Reilly, ISBN 1-56592-347-2).
Example:
[root@mybox:~] phionctrl route show > /path/filename
Redirecting output to a file facilitates error localisation: you may redirect a command's output to a file
and mail this file to Barracuda Networks support (support@barracuda.com) in case of a problem.
1.2 Requirements
The following requirements must be met in order to gain access to the command line interface:
• A console attached to the box or SSH access
• An authorized user ID (root) and corresponding login password
  Shell access must be configured. Note that an administrator does not actually have shell access in
  multi-administrator environments.
• Box IP or DNS name
• An SSH daemon running on the box
• An SSH client (e.g. putty.exe for Microsoft Windows® or SSH for Linux/Unix)
• Barracuda NG Admin
Chapter 2
phionctrl
General ................................................................................... 10
phionctrl route ......................................................................... 10
phionctrl server ....................................................................... 11
phionctrl service ...................................................................... 14
phionctrl module...................................................................... 15
phionctrl ip............................................................................... 17
phionctrl arp ............................................................................ 18
phionctrl tell............................................................................. 19
phionctrl proc show ................................................................. 19
phionctrl hostid ........................................................................ 20
phionctrl lic .............................................................................. 21
phionctrl session ..................................................................... 22
phionctrl usage........................................................................ 22
phionctrl box............................................................................ 23
phionctrl versions .................................................................... 25
phionctrl .................................................................................. 25
2.1 General
phionctrl is a very powerful tool for command line box management. For a list of all phionctrl options
you may type:
[root@mybox:~] phionctrl
Fig. 2–1 List of all phionctrl options
[root@Bart:~]# phionctrl
usage: phionctrl route [show]
usage: phionctrl server [show|start|stop|restart|block|unblock] server-name
usage: phionctrl service [show|start|stop|restart|block] server-name service-name
usage: phionctrl module [show|start|stop|restart|block] module-name
usage: phionctrl ip [show|add|del] ip-address
usage: phionctrl arp [ip-address | all]
usage: phionctrl tell ip-address
usage: phionctrl proc show [name|pid]
phionctrl proc kill name signal
phionctrl proc deepkill pid signal
usage: phionctrl hostid
usage: phionctrl lic [modules]
usage: phionctrl session [show|kill] pid
usage: phionctrl usage sample-time [r]
usage: phionctrl box show
usage: phionctrl versions [module]
usage: phionctrl [startup|shutdown]
2.2 phionctrl route
2.2.1 phionctrl route show
Sends a list of all active IP addresses, gateways, main routes, VPN interfaces and, if the VPN service
is running, their IP addresses, to the standard output (stdout).
Fig. 2–2 Example for phionctrl route show output
[root@Bart:~]# phionctrl route show
---------- Active IPs --------------
10.0.8.112/8 eth0:mip0 UP 00-02-55-fa-96-5c
10.0.8.201/0 eth0:BorderPX UP 00-02-55-fa-96-5c
127.0.0.1/8 lo:loop UP 00-00-00-00-00-00
127.0.1.1/8 tap0:fw UP fe-fd-00-00-00-00
127.0.2.1/8 tap1:vpn UP fe-fd-00-00-00-00
127.0.3.1/8 tap2:vpnpers UP fe-fd-00-00-00-00
169.254.1.11/0 tap1:aux1 tap2:aux2 UP fe-fd-00-00-00-00
---------- Active Routing Tables ----
vpnlocal 0
main 0
  up  device  127.0.1.0/8  dev tap0 src 127.0.1.1  metric 0 table main foreign Name=
  up  device  127.0.3.0/8  dev tap2 src 127.0.3.1  metric 0 table main foreign Name=
  up  device  127.0.2.0/8  dev tap1 src 127.0.2.1  metric 0 table main foreign Name=
  up  device  10.0.8.0/8   dev eth0 src 10.0.8.112 metric 0 table main foreign Name=boxnet
  off device  62.99.0.0/8  dev eth1 src 0.0.0.0    metric 0 table main foreign Name=eth1
  off device  194.93.0.0/8 dev eth2 src 0.0.0.0    metric 0 table main foreign Name=eth2
  off device  172.16.0.0/8 dev eth3 src 0.0.0.0    metric 0 table main foreign Name=eth3
prov1 0 POLICY from 62.99.0.0/8
  off gateway 0.0.0.0/32 dev  via 62.99.0.254  src 0.0.0.0 metric 0 table prov1 foreign Name=prov1
prov2 0 POLICY from 194.93.0.0/8
  off gateway 0.0.0.0/32 dev  via 194.93.0.254 src 0.0.0.0 metric 0 table prov2 foreign Name=prov2
default 0
2.3 phionctrl server
Handles the running servers. It displays server names and manages information about their current
state and corresponding services.
2.3.1 phionctrl server show
Displays the current server state and the effective server configuration. The server-name value is used
as a parameter with other commands explained below.
Fig. 2–3 Example for phionctrl server show output
[root@Bart:~]# phionctrl server show
BartFW
state=block active=0 other=secondary task=primary
Boxes: Bart(10.0.8.112) Maggie(10.0.8.114)
Server IPs: 10.0.8.100 172.16.0.100 194.93.0.100 62.99.0.100
Active IPs:
Server Services: BVPN BartFW
Active Services:
Blocked Services:
BorderPX
state=primary active=1 other=down task=primary
Boxes: Bart(10.0.8.112) Maggie(10.0.8.114)
Server IPs: 10.0.8.201
Active IPs: 10.0.8.201
Server Services: PXBord
Active Services: PXBord
Blocked Services:
Table 2–1 Field "state"
State              Description
down               The server is not running at the moment.
primary/secondary  The server is running as a primary or secondary box in an HA (High Availability) environment.
blocked            The server is blocked.

Table 2–2 Field "active"
State  Description
0      The server is inactive.
1      The server is active.
2.3.2 phionctrl server start
Starts a specified server. The name of the server to be started must be supplied with the command.
In the example below, the server named "mc" is going to be started.
Fig. 2–4 Example for phionctrl server start output
[root@ash:~]# phionctrl server show
mc state=down active=0 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs:
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services:
Blocked Services:
[root@ash:~]# phionctrl server start mc
[root@ash:~]# phionctrl server show
mc state=primary active=1 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs: 10.0.10.11
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Blocked Services:
2.3.3 phionctrl server stop
Stops the specified server and all depending services. Sending stop to an already stopped server will
be ignored. Keep in mind that the control daemon will restart a stopped server within a few seconds.
If you wish to stop the server permanently, then use the "block" command instead.
In the example below, the server named "mc" and all running services are stopped.
Fig. 2–5 Example for phionctrl server stop output
[root@ash:~]# phionctrl server show
mc state=primary active=1 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs: 10.0.10.11
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Blocked Services:
[2005-10-05 17:54 CEST] [-root shell-] [-powered by Barracuda-]
[root@ash:~]# phionctrl server stop mc
[2005-10-05 17:54 CEST] [-root shell-] [-powered by Barracuda-]
[root@ash:~]# phionctrl server show
mc state=down active=0 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs:
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services:
Blocked Services:
2.3.4 phionctrl server restart
Use this command whenever restarting certain services becomes necessary, e.g. after configuration
changes.
You may verify the restart function managed by the control daemon by sending the stop command to the
server and then observing that the server and its services are restarted automatically.
2.3.5 phionctrl server block
Blocks the specified server so that the control daemon will not restart it. Server and all corresponding
services will permanently be unavailable.
In the example below, the server named "mc" is blocked (state switches to "block" and activity to
"0"):
Fig. 2–6 Example for phionctrl server block output
[root@ash:~]# phionctrl server show
mc state=primary active=1 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs: 10.0.10.11
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Blocked Services:
[2005-10-05 18:25 CEST] [-root shell-]
[root@ash:~]# phionctrl server block mc
[2005-10-05 18:25 CEST] [-root shell-]
[root@ash:~]# phionctrl server show
mc state=block active=0 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs:
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services:
Blocked Services:
2.3.6 phionctrl server unblock
Unblocks a specified server. The server will remain down after unblocking until the control daemon
starts it again. It is also possible to send the stop command to unblock a server. The control daemon
will then start it again.
In the example below, the blocked server is unblocked:
Fig. 2–7 Example for phionctrl server unblock output
[root@ash:~]# phionctrl server show
mc state=block active=0 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs:
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services:
Blocked Services:
[2005-10-06 11:14 CEST] [-root shell-]
[root@ash:~]# phionctrl server unblock mc
[2005-10-06 11:15 CEST] [-root shell-]
[root@ash:~]# phionctrl server show
mc state=down active=0 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs:
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services:
Blocked Services:
[2005-10-06 11:15 CEST] [-root shell-]
[root@ash:~]# phionctrl server start mc
[2005-10-06 11:15 CEST] [-root shell-]
[root@ash:~]# phionctrl server show
mc state=primary active=1 other=unknown task=primary
Box: ash(10.0.10.10)
Server IPs: 10.0.10.11
Active IPs: 10.0.10.11
Server Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Active Services: Conf DNS Event Log PKI StatC StatV VPN mFW
Blocked Services:
Be aware that a server that has been unblocked does not automatically come up and run. Its state is
down. It must receive a start command in order to become available for handling requests.
In the example, the server has been unblocked first and started afterwards. The field state has
accordingly switched from "blocked" to "down" and then from "down" to "secondary". The active
state has switched from "0" to "1".
2.4 phionctrl service
May be used for the individual manipulation of services on a specific server. Use this if a shutdown of
all services on a server is to be avoided.
2.4.1 phionctrl service show
Displays all servers and their running services on a box.
Fig. 2–8 Example for phionctrl service show output
[root@ash:~]# phionctrl service show
server mc
Conf up numProc=6 numFD=47 mem=11096kB
DNS up numProc=2 numFD=14 mem=2072kB
Event up numProc=2 numFD=13 mem=2276kB
Log up numProc=1 numFD=4 mem=1148kB
PKI up numProc=1 numFD=6 mem=1604kB
StatC up numProc=1 numFD=4 mem=1688kB
StatV up numProc=1 numFD=6 mem=1536kB
VPN up numProc=1 numFD=8 mem=2064kB
mFW up numProc=1 numFD=3 mem=352kB
2.4.2 phionctrl service start
Starts a service manually. If the service is not blocked, it will be started automatically by the control
daemon anyway.
2.4.3 phionctrl service stop
Stops a service on a specific server. If the service has not been blocked, it will be started again
automatically by the control daemon.
2.4.4 phionctrl service restart
Restart a service on a specific server. This might be required after doing manual configuration file
changes.
2.4.5 phionctrl service block
Blocks a service so that it is not started automatically by the control daemon. You may start the service
later by using the start command, or unblock it with the stop command; the control daemon will then
start the service automatically.
Fig. 2–9 Example for phionctrl service block output
[root@ash:~]# phionctrl service show
server mc
Conf up numProc=7 numFD=113 mem=15140kB
DNS up numProc=2 numFD=14 mem=2080kB
[root@ash:~]# phionctrl service block mc DNS
[2005-10-06 11:31 CEST] [-root shell-] [-powered by phion IT-]
[root@ash:~]# phionctrl service show
server mc
Conf up numProc=7 numFD=113 mem=15140kB
DNS block numProc=0 numFD=0 mem=0kB
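The state semantics of sections 2.3 to 2.4.5 (a service shown as "block" is down on purpose and will not be restarted by the control daemon; one that stays "down" should have been restarted within seconds) can be turned into a simple health check over the output of phionctrl service show. The script below is an added example for monitoring, not part of the Barracuda guide; the field layout it assumes follows Fig. 2–8 and Fig. 2–9, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not part of the Barracuda guide): audit the output of
# "phionctrl service show". A service in state "block" is down on purpose
# and will not be restarted by the control daemon; a service that stays
# "down" should have been restarted within seconds, so it points to a fault.

# Constructed sample, modelled on the layout of Fig. 2-8 and Fig. 2-9.
# On a real box: phionctrl service show | audit_services
SAMPLE='server mc
Conf up numProc=7 numFD=113 mem=15140kB
DNS block numProc=0 numFD=0 mem=0kB
VPN down numProc=0 numFD=0 mem=0kB
server BorderPX
PXBord up numProc=1 numFD=9 mem=1200kB'

# Reads service-show output on stdin and prints "server service state"
# for every service whose state is not "up".
# Exit status: 0 = all up, 1 = only blocked services, 2 = a service is down.
audit_services() {
    awk '
        BEGIN { rc = 0; srv = "?" }
        $1 == "server" { srv = $2; next }       # "server <name>" header line
        $1 ~ /^\[/     { next }                 # shell prompt / timestamp lines
        NF >= 2 && $2 != "up" {
            printf "%s %s %s\n", srv, $1, $2
            if ($2 == "down") rc = 2; else if (rc == 0) rc = 1
        }
        END { exit rc }
    '
}

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE" | audit_services; then
    echo "all services up"
else
    echo "audit exit status: $?"
fi
```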
2.5 phionctrl module
This command and its parameters are used for manipulation of software modules. Amongst others, the
following software modules exist:
• firewall
• cfirewall
• dhcpe
• dhcprelay
• ftpgw
• ospf
• policyserver
• spamfilter
• sshprx
• virscan
• vpnserver
• dns
• snmp
• proxy
• mailgw
Stopping of the execution of modules is often necessary when tasks are updated. Stopping a module
does not only stop the main service provided by the module but also all related child processes.
2.5.1 phionctrl module show
Displays the state of a specified software module on a server. The command can only be used to
obtain information about modules that are actually installed.
Fig. 2–10 Example for phionctrl module show output
[root@ash:~]# phionctrl module show dns
server mc
DNS block numProc=0 numFD=0 mem=0kB
[2005-10-06 13:13 CEST] [-root shell-]
[root@ash:~]# phionctrl module show firewall
server mc
mFW up numProc=1 numFD=3 mem=352kB
2.5.2 phionctrl module start
Starts all services bound to a specified module.
Fig. 2–11 Example for phionctrl module start output
[root@ash:~]# phionctrl module show firewall
server mc
mFW block numProc=0 numFD=0 mem=0kB
[2005-10-06 14:10 CEST] [-root shell-]
[root@ash:~]# phionctrl module start firewall
[2005-10-06 14:10 CEST] [-root shell-]
[root@ash:~]# phionctrl module show firewall
server mc
mFW up numProc=1 numFD=3 mem=352kB
As shown in Fig. 2–11, the service "mFW" (firewall) is not running at first: it uses no processes and no
memory. The service is reactivated by starting the module.
2.5.3 phionctrl module stop
Stops a specific module. If a module was not blocked, then it will be restarted by the control daemon.
Fig. 2–12 Example for phionctrl module stop output
[root@ash:~]# phionctrl module stop dns
[2005-10-06 14:23 CEST] [-root shell-]
[root@ash:~]# phionctrl module show dns
server mc
DNS down numProc=0 numFD=0 mem=0kB
[2005-10-06 14:23 CEST] [-root shell-]
[root@ash:~]# phionctrl module show dns
server mc
DNS up numProc=2 numFD=14 mem=1916kB
In the example shown in figure 2–12, the DNS server was stopped. Due to the fact that it has not been
blocked, the control daemon restarts the software module a few seconds later.
2.5.4 phionctrl module restart
Restarts a specified software module.
2.5.5 phionctrl module block
Blocks a specified software module. If a software module is blocked, the corresponding services will
not be restarted by the control daemon.
Fig. 2–13 Example for phionctrl module block output
[root@ash:~]# phionctrl module block dns
[2005-10-06 14:30 CEST] [-root shell-]
[root@ash:~]# phionctrl module show dns
server mc
DNS block numProc=0 numFD=0 mem=0kB
[2005-10-06 14:30 CEST] [-root shell-]
[root@ash:~]# phionctrl module show dns
server mc
DNS block numProc=0 numFD=0 mem=0kB
[2005-10-06 14:30 CEST] [-root shell-]
[root@ash:~]# phionctrl module start dns
[2005-10-06 14:31 CEST] [-root shell-]
[root@ash:~]# phionctrl module show dns
server mc
DNS up numProc=2 numFD=14 mem=2072kB
As shown in figure 2–13, blocked modules must be restarted manually by entering phionctrl
module start (see 2.5.2 phionctrl module start, Page 16).
2.6 phionctrl ip
Manages the IP addresses on a box.
2.6.1 phionctrl ip show
Similar to the command phionctrl route show (see 2.2.1 phionctrl route show, Page 10), this
shows all active IP addresses and the active routing tables on a box.
Fig. 2–14 Example for phionctrl ip show output
[root@ash:~]# phionctrl ip show
---------- Active IPs --------------
10.0.10.10/8 eth0:mip0 tap1 UP 00-0e-0c-4e-48-62
10.0.10.11/0 eth0:mc UP 00-0e-0c-4e-48-62
127.0.0.1/8 lo:loop UP 00-00-00-00-00-00
127.0.1.1/8 tap0:fw UP fe-fd-00-00-00-00
127.0.2.1/8 tap1 UP fe-fd-00-00-00-00
127.0.3.1/8 tap2:vpnpers UP fe-fd-00-00-00-00
169.254.1.11/0 tap2:aux2 UP fe-fd-00-00-00-00
---------- Active Routing Tables ----
vpnlocal 0
  up device  10.0.10.208/4 dev tap1 src 0.0.0.0 metric 0 table vpnlocal foreign Name=
main 0
  up gateway 172.16.16.0/8 dev eth0 via 10.0.10.196 src 10.0.10.10 metric 0 table main Name=arztest
  up device  127.0.1.0/8 dev tap0 src 127.0.1.1 metric 0 table main foreign Name=
  up device  127.0.3.0/8 dev tap2 src 127.0.3.1 metric 0 table main foreign Name=
  up device  127.0.2.0/8 dev tap1 src 127.0.2.1 metric 0 table main foreign Name=
  up gateway 172.16.10.0/8 dev eth0 via 10.0.10.22 src 10.0.10.10 metric 0 table main Name=172-1
  up device  10.0.10.0/8 dev eth0 src 10.0.10.10 metric 0 table main foreign Name=boxnet
default 0
  up gateway 0.0.0.0/32 dev eth0 via 10.0.10.1 src 10.0.10.10 metric 0 table default Name=boxdev
2.6.2 phionctrl ip add
Adds a new IP address to the system. The interface is selected according to the configured network
the address belongs to. If no corresponding network can be found, the IP address is added to the
loopback interface.
In the example below, the IP addresses 10.0.10.12 and 10.0.2.200 are added to the 10.0.10.0/8
network.
As can be seen in figure 2–15, the IP address 10.0.10.12 binds to the eth0 interface because the
10.0.10.0/8 network belongs to this interface. The address 10.0.2.200 binds to the loopback interface
because no corresponding network can be found.
Fig. 2–15 Example for phionctrl ip add output
[2005-10-06 14:53 CEST] [-root shell-]
[root@ash:~]# phionctrl ip add 10.0.10.12
[2005-10-06 14:55 CEST] [-root shell-]
[root@ash:~]# phionctrl ip add 10.0.2.200
[2005-10-06 14:55 CEST] [-root shell-]
[root@ash:~]# phionctrl ip show
---------- Active IPs --------------
10.0.10.10/8 eth0:mip0 tap1 UP 00-0e-0c-4e-48-62
10.0.10.11/0 eth0:mc UP 00-0e-0c-4e-48-62
10.0.10.12/0 eth0: UP 00-0e-0c-4e-48-62
10.0.2.200/0 lo: UP 00-00-00-00-00-00
127.0.0.1/8 lo:loop UP 00-00-00-00-00-00
127.0.1.1/8 tap0:fw UP fe-fd-00-00-00-00
127.0.2.1/8 tap1 UP fe-fd-00-00-00-00
127.0.3.1/8 tap2:vpnpers UP fe-fd-00-00-00-00
169.254.1.11/0 tap2:aux2 UP fe-fd-00-00-00-00
2.6.3 phionctrl ip del
Deletes a specified IP address from the system.
Fig. 2–16 Example for phionctrl ip del output
[2005-10-06 14:55 CEST] [-root shell-]
[root@ash:~]# phionctrl ip del 10.0.10.12
[2005-10-06 14:58 CEST] [-root shell-]
[root@ash:~]# phionctrl ip del 10.0.2.200
[2005-10-06 14:59 CEST] [-root shell-]
[root@ash:~]# phionctrl ip show
---------- Active IPs --------------
10.0.10.10/8 eth0:mip0 tap1 UP 00-0e-0c-4e-48-62
10.0.10.11/0 eth0:mc UP 00-0e-0c-4e-48-62
127.0.0.1/8 lo:loop UP 00-00-00-00-00-00
127.0.1.1/8 tap0:fw UP fe-fd-00-00-00-00
127.0.2.1/8 tap1 UP fe-fd-00-00-00-00
127.0.3.1/8 tap2:vpnpers UP fe-fd-00-00-00-00
169.254.1.11/0 tap2:aux2 UP fe-fd-00-00-00-00
2.7 phionctrl arp
Used for detection of duplicate IP addresses on a network. phionctrl arp uses the ARP protocol, which
maps an IP address to the physical address (MAC address) of a network card. If a duplicate IP address
is found, an error message naming the corresponding MAC address is displayed.
2.7.1 phionctrl arp <IP address>
Probes a specified IP address.
Fig. 2–17 Example for phionctrl arp IP output
[root@ash:~]# phionctrl arp 10.0.10.10
no duplicate IPs detected
2.7.2 phionctrl arp all
Probes all configured IP addresses on a system for duplicate IP addresses in the network.
Fig. 2–18 Example for phionctrl arp all output
[root@ash:~]# phionctrl arp all
probe 10.0.10.10
probe 10.0.10.11
--------------
no duplicate IPs detected
2.8 phionctrl tell
ARP is a passive protocol, i.e. a network interface remains silent until an ARP request is received.
phionctrl tell may be used to send unsolicited ARP requests for a specified IP address.
Fig. 2–19 Example for phionctrl tell IP output
[root@ash:~]# phionctrl tell 10.0.10.10
send unsolicited ARP for 10.0.10.10 to 10.0.10.255 on eth0
2.9 phionctrl proc show
Displays detailed information on a box's processes. Listed data may vary by process as it depends on
the information a process delivers.
2.9.1 phionctrl proc show all
Lists all running processes.
2.9.2 phionctrl proc show name
Shows all details of the corresponding process (e.g. phionctrl proc show controld).
Fig. 2–20 Example for phionctrl proc show name output
[root@ash:~]# phionctrl proc show controld
6 processes: 2640 2664 2675 10225 751 3306
35 file descriptors
2312 kB Memory
2120 kb shared Memory
Open Files:
/dev/null
/proc/2907/statm
Listening Sockets:
10.0.10.10:801
Established Sockets:
10.0.10.10:801->10.0.4.136:1729
UDP Sockets:
0.0.0.0:32946
10.0.10.10:32944
10.0.10.10:801
127.0.0.1:32965
127.0.0.1:32971
2.9.3 phionctrl proc show pid
Displays information concerning the specified process only. If a daemon has opened more than one process, this command helps identify the resources used by each of these processes, because the pid option returns information for the queried process alone.
Fig. 2–21 Example for phionctrl proc show pid output
[root@ash:~]# phionctrl proc show 2495
1 processes: 2495
13 file descriptors
276 kB Memory
1224 kb shared Memory
Open Files:
/dev/acpf
/dev/null
2.10 phionctrl hostid
Displays all license relevant IDs of the used hardware components, such as CPU ID, MAC addresses
and motherboard ID. This information is necessary for licensing purposes.
Fig. 2–22 Example for phionctrl hostid output
[root@ash:~]# phionctrl hostid
CPU-0000-0F29-003B-7040-0000-0000
BBS-BZTP44000670
MAC-00:0e:0c:4e:48:62
MAC-00:0e:0c:4e:48:63
2.11 phionctrl lic
Needed for licensing. Prints the license information to the standard output.
2.11.1 phionctrl lic
If entered without a module name, all licenses will be shown.
Fig. 2–23 Example for phionctrl lic output
[root@ash:~]# phionctrl lic
-----------------------------------------
license = 000000AT001-MC-ES-131
hostid = MAC-00:0e:0c:4e:48:62
module = base-mces
Private key is set
grace = 2
policy = 0
version = 1
password is NOT present
Issuer_C = AT
Issuer_CN = Sales
Issuer_L = Innsbruck
Issuer_O = Barracuda Networks
Issuer_OU = Barracuda Networks Inc.
Issuer_ST = Tirol
Subject_C = AT
Subject_CN = Barracuda Networks Inc.
Subject_L = Innsbruck
Subject_O = Cuda
Subject_unstructuredName = grace:2 id:MAC-00:0e:0c:4e:48:62
lic:000000AT001-MC-ES-131 mod:base-MCES protip:0 sub:firewall,
dns,rangeconf,dstatm,qstatm,mevent,mastervpn,pki
grace = 2
id = MAC-00:0e:0c:4e:48:62
lic = 000000AT001-MC-ES-131
mod = base-MCES
protip = 0
sub = firewall,dns,rangeconf,dstatm,qstatm,mevent,mastervpn,pki
Costumer:
Country = AT
State =
Organisation = Cuda
Org. Unit =
Name = Cuda
Email =
Issuer:
Country = AT
State = Tirol
Organisation = Cuda
Org. Unit = Cuda
Name = Sales
2.11.2 phionctrl lic modules
If a module name is entered, the specific license is displayed. A license is often issued for multiple
services. If this is the case, then the scope of modules covered by the license will be displayed in the
subsection.
2.12 phionctrl session
Displays all management sessions on a box.
2.12.1 phionctrl session show
Shows all open sessions on a box and lists all pids necessary to kill a specific session.
Fig. 2–24 Example for phionctrl session show output
[root@ash:~]# phionctrl session show
14520 box_login 10.0.4.136 2334 0 root
22085 mc 10.0.4.20 1181 1181 root
22104 master 10.0.4.20 1179 1022 root
23638 ngadmin 10.0.4.20 948 947 root
751 ngadmin 10.0.4.136 7731 7730 root
2.12.2 phionctrl session kill pid
Kills a management session.
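A defender's check over the session list described above, added here as an example and not part of the original guide: it parses session lines in the layout of Fig. 2–24 (pid, type, peer address, two unnamed numeric columns, user) and flags peers outside an assumed management network. The allow-list 10.0.4.0/24 and the 192.0.2.77 session are constructed values.

```python
"""Audit captured ``phionctrl session show`` output against a management
allow-list (added example, not part of the Barracuda guide). Each session
line starts with the PID that ``phionctrl session kill <pid>`` expects,
followed by the session type, the peer address, two numeric columns the
guide does not name, and the user. The allow-list is a constructed value."""
from __future__ import annotations

import ipaddress
import re

# Constructed sample modelled on Fig. 2-24, plus one ngadmin session
# from an address outside the management network.
SAMPLE_SESSIONS = """\
14520 box_login 10.0.4.136 2334 0 root
22085 mc 10.0.4.20 1181 1181 root
22104 master 10.0.4.20 1179 1022 root
23638 ngadmin 10.0.4.20 948 947 root
751 ngadmin 10.0.4.136 7731 7730 root
31337 ngadmin 192.0.2.77 5120 5119 root
"""
ALLOWED_MGMT = [ipaddress.ip_network("10.0.4.0/24")]  # assumption, not from the guide

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<type>\S+)\s+(?P<peer>\d+(?:\.\d+){3})"
    r"\s+(?P<col4>\d+)\s+(?P<col5>\d+)\s+(?P<user>\S+)$"
)


def parse_sessions(text: str) -> list[dict]:
    """One dict per session line; a leading prompt line ([root@...]) is skipped."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable session line: {line!r}")
        s = m.groupdict()
        s["pid"] = int(s["pid"])
        sessions.append(s)
    return sessions


def foreign_sessions(sessions: list[dict], allowed=ALLOWED_MGMT) -> list[tuple[int, str, str]]:
    """(pid, type, peer) for every session whose peer is outside all allowed networks.

    The pid is returned first because it is the argument phionctrl session kill needs.
    """
    out = []
    for s in sessions:
        peer = ipaddress.ip_address(s["peer"])
        if not any(peer in net for net in allowed):
            out.append((s["pid"], s["type"], s["peer"]))
    return out


if __name__ == "__main__":
    for pid, kind, peer in foreign_sessions(parse_sessions(SAMPLE_SESSIONS)):
        print(f"session {pid} ({kind}) from {peer} is outside the management network")
```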
2.13 phionctrl usage
Measures the CPU usage of all processes over the given number of seconds. The output is shown in milliseconds (e.g. usage measured over 10 s).
Fig. 2–25 Example for phionctrl usage output. The following columns are displayed: process name, sum of usage, user time and system usage.
[root@ash:~]# phionctrl usage 10
bash            0   0   0
bdflush         0   0   0
bdns            0   0   0
boxconfigd      0   0   0
bsyslogd        0   0   0
bsyslogd_slgd   0   0   0
controld        100 30  70
crond           0   0   0
cstatd          30  10  20
distd           0   0   0
eventd          0   0   0
fwauthd         0   0   0
gpm             0   0   0
init            0   0   0
keventd         0   0   0
khubd           0   0   0
kjournald       10  0   10
ksoftirqd_CPU0  0   0   0
kswapd          0   0   0
kupdated        0   0   0
logd            0   0   0
logwrapd        0   0   0
masterd         0   0   0
mc_Conf         30  30  0
mc_DNS          0   0   0
mc_Event        0   0   0
2.13.1 phionctrl usage <show-time> r
Shows all process names split into their single PIDs. This is a very helpful option for detecting a process that blocks the system.
Fig. 2–26 Example for phionctrl usage r output
[root@ash:~]# phionctrl usage 10 r
arztest.sh@25562    0   0   0
bash@25874          0   0   0
bdflush@5           0   0   0
bdns@18855          0   0   0
boxconfigd@2749     0   0   0
boxconfigd@4062     0   0   0
bsyslogd@2833       0   0   0
bsyslogd_slgd@2987  0   0   0
controld@10225      90  70  20
controld@2640       0   0   0
controld@2664       0   0   0
controld@2675       0   0   0
controld@751        0   0   0
controld@8261       10  10  0
crond@25559         0   0   0
crond@402           0   0   0
cstatd@2828         0   0   0
cstatd@2986         40  10  30
distd@2876          0   0   0
eventd@2935         0   0   0
eventd@3025         0   0   0
eventd@3026         0   0   0
eventd@3027         0   0   0
fwauthd@2495        0   0   0
gpm@2667            0   0   0
init@1              0   0   0
keventd@2           0   0   0
khubd@7             0   0   0
kjournald@12        10  0   10
kjournald@84        0   0   0
kjournald@85        10  0   10
ksoftirqd_CPU0@3    0   0   0
kswapd@4            0   0   0
kupdated@6          0   0   0
logd@2958           0   0   0
logwrapd@2982       0   0   0
mc_Conf@19876       0   0   0
mc_Conf@19884       0   0   0
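As an added example (not code from the guide), the following script parses output in the layout of Fig. 2–26 (sum, user and system time in milliseconds per name@pid) and ranks the PIDs by their share of the measurement window, which is how one would spot the blocking process the section mentions. The sample rows are a constructed subset of the figure and the 50 % blocker threshold is an assumption.

```python
"""Rank per-PID CPU consumers from captured ``phionctrl usage <secs> r`` output.

Added example, not part of the Barracuda guide. The per-PID variant prints
one name@pid per line with three millisecond columns (sum, user, system)
measured over the requested window; the guide recommends it for finding a
process that blocks the system. This script parses that output, converts
each sum to a share of the measurement window and aggregates by daemon
name, so a busy daemon spread over several PIDs still stands out.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: a subset of Fig. 2-26 (10 s window, values in ms).
WINDOW_SECONDS = 10
SAMPLE_USAGE = """\
bash@25874 0 0 0
controld@10225 90 70 20
controld@2640 0 0 0
controld@8261 10 10 0
cstatd@2828 0 0 0
cstatd@2986 40 10 30
kjournald@12 10 0 10
kjournald@85 10 0 10
"""

LINE_RE = re.compile(
    r"^(?P<name>[^@\s]+)@(?P<pid>\d+)\s+(?P<sum>\d+)\s+(?P<user>\d+)\s+(?P<sys>\d+)$"
)


def parse_usage(text: str) -> list[dict]:
    """One dict per row; a prompt line ([root@...]) is skipped, anything else odd is an error."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable usage line: {line!r}")
        row = {k: (v if k == "name" else int(v)) for k, v in m.groupdict().items()}
        if row["user"] + row["sys"] != row["sum"]:
            # Every row in the guide's figure satisfies sum = user + system;
            # treat a mismatch as corrupted output instead of trusting it.
            raise ValueError(f"sum does not equal user + system: {line!r}")
        rows.append(row)
    return rows


def percent_of_window(ms: int, window_seconds: int = WINDOW_SECONDS) -> float:
    """CPU share of one measurement window; 100 means one CPU fully busy."""
    return 100.0 * ms / (window_seconds * 1000)


def top_pids(rows: list[dict], n: int = 3) -> list[tuple[str, float]]:
    """(name@pid, percent) for the n busiest PIDs, busiest first."""
    ranked = sorted(rows, key=lambda r: r["sum"], reverse=True)
    return [(f"{r['name']}@{r['pid']}", percent_of_window(r["sum"])) for r in ranked[:n]]


def per_daemon(rows: list[dict]) -> dict[str, int]:
    """Total milliseconds per daemon name across all of its PIDs."""
    totals: dict[str, int] = defaultdict(int)
    for r in rows:
        totals[r["name"]] += r["sum"]
    return dict(totals)


def blockers(rows: list[dict], threshold_percent: float = 50.0) -> list[str]:
    """PIDs whose share of the window exceeds the threshold (an assumed 50 %):
    candidates for a daemon that is spinning and blocking the system."""
    return [f"{r['name']}@{r['pid']}" for r in rows
            if percent_of_window(r["sum"]) > threshold_percent]


if __name__ == "__main__":
    rows = parse_usage(SAMPLE_USAGE)
    for ident, pct in top_pids(rows):
        print(f"{ident:20s} {pct:5.1f} % of a {WINDOW_SECONDS} s window")
    print("blockers:", blockers(rows) or "none")
```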
2.14 phionctrl box
2.14.1 phionctrl box show
Shows all Barracuda NG Firewall specific processes, but not the operating system processes. This tool
is very important for checking whether all daemons are up and running.
Fig. 2–27 Example for phionctrl box show output
[root@ash:~]# phionctrl box show
bdns bdns up listen=0
numProc=1 numFD=4 mem=1044kB
boxconfig boxconfigd up listen=0
numProc=2 numFD=9 mem=1728kB
boxfw trans7 up listen=0
numProc=13 numFD=87 mem=48796kB
bsyslog bsyslogd up listen=0
numProc=1 numFD=4 mem=1016kB
control controld up listen=0
numProc=6 numFD=34 mem=4412kB
cstat cstatd up listen=0
numProc=2 numFD=19 mem=1600kB
2.14.2 phionctrl box start
Starts a daemon if it is down.
Keep in mind that the control daemon will also start daemons that are down and not blocked.
Fig. 2–28 Example for phionctrl box start output
[root@ash:~]# phionctrl box show
bdns bdns up listen=0
numProc=1 numFD=4 mem=1044kB
boxconfig boxconfigd up listen=0
numProc=2 numFD=9 mem=1728kB
boxfw trans7 up listen=0
numProc=13 numFD=87 mem=48796kB
bsyslog bsyslogd up listen=0
numProc=1 numFD=4 mem=1016kB
control controld up listen=0
numProc=6 numFD=34 mem=4424kB
cstat cstatd block listen=0
numProc=0 numFD=0 mem=0kB
dist distd up listen=0
numProc=1 numFD=5 mem=916kB
[2005-10-06 17:39 CEST] [-root shell-]
[root@ash:~]# phionctrl box start cstat
[2005-10-06 17:40 CEST] [-root shell-]
[root@ash:~]# phionctrl box show
bdns bdns up listen=0
numProc=1 numFD=4 mem=1044kB
boxconfig boxconfigd up listen=0
numProc=2 numFD=9 mem=1728kB
boxfw trans7 up listen=0
numProc=13 numFD=87 mem=48796kB
bsyslog bsyslogd up listen=0
numProc=1 numFD=4 mem=1016kB
control controld up listen=0
numProc=6 numFD=34 mem=4424kB
cstat cstatd up listen=0
numProc=2 numFD=9 mem=1872kB
dist distd up listen=0
numProc=1 numFD=5 mem=916kB
2.14.3 phionctrl box stop
Stops a daemon. If a service is blocked, it may be unblocked using the stop command. The control daemon will then start it again after a few seconds.
2.14.4 phionctrl box restart
Restarts a daemon.
2.14.5 phionctrl box block
Blocks a daemon. The daemon will not be restarted by the control daemon until it is unblocked.
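An added health check over phionctrl box show output, not part of the original guide: it parses the two-line records of Fig. 2–28 and reports every daemon that is not up, singling out blocked daemons because the control daemon will not restart those. The 'down' record for dist is a constructed value; the guide only shows the states up and block.

```python
"""Health check over captured ``phionctrl box show`` output.

Added example, not part of the Barracuda guide. The command prints two lines
per daemon: "<module> <daemon> <state> listen=N" followed by
"numProc=.. numFD=.. mem=..kB". Everything that is not 'up' is reported, and
'block' is singled out because the control daemon will not restart a blocked
daemon (section 2.14.5); an explicit phionctrl box start or stop is needed
to unblock it (sections 2.14.2 and 2.14.3).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on Fig. 2-28 (cstat blocked); the 'down'
# record for dist is an assumption, the guide only shows 'up' and 'block'.
SAMPLE_BOX_SHOW = """\
[root@ash:~]# phionctrl box show
bdns bdns up listen=0
numProc=1 numFD=4 mem=1044kB
boxfw trans7 up listen=0
numProc=13 numFD=87 mem=48796kB
control controld up listen=0
numProc=6 numFD=34 mem=4424kB
cstat cstatd block listen=0
numProc=0 numFD=0 mem=0kB
dist distd down listen=0
numProc=0 numFD=0 mem=0kB
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+listen=(\d+)$")
DETAIL_RE = re.compile(r"^numProc=(\d+)\s+numFD=(\d+)\s+mem=(\d+)kB$")


@dataclass
class Daemon:
    module: str
    daemon: str
    state: str
    listen: int
    num_proc: int
    num_fd: int
    mem_kb: int


def parse_box_show(text: str) -> list[Daemon]:
    """Pair each header line with its detail line; the prompt line is skipped."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith("[")]
    if len(lines) % 2:
        raise ValueError("odd number of lines: header/detail pairs expected")
    daemons = []
    for header, detail in zip(lines[0::2], lines[1::2]):
        h = HEADER_RE.match(header)
        d = DETAIL_RE.match(detail)
        if not (h and d):
            raise ValueError(f"unparsable record: {header!r} / {detail!r}")
        daemons.append(Daemon(h[1], h[2], h[3], int(h[4]),
                              int(d[1]), int(d[2]), int(d[3])))
    return daemons


def unhealthy(daemons: list[Daemon]) -> dict[str, str]:
    """module name -> state for every daemon that is not 'up'."""
    return {d.module: d.state for d in daemons if d.state != "up"}


def suggested_action(state: str) -> str:
    """Operator hint per section 2.14: a blocked daemon needs an explicit start."""
    if state == "block":
        return ("blocked: the control daemon will not restart it; "
                "run phionctrl box start <module> (or stop to unblock)")
    return "not up: the control daemon should restart it; investigate if it stays down"


if __name__ == "__main__":
    for module, state in unhealthy(parse_box_show(SAMPLE_BOX_SHOW)).items():
        print(f"{module}: {suggested_action(state)}")
```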
2.15 phionctrl versions
Displays all modules on a box including their version numbers.
Fig. 2–29 Example for phionctrl versions output
[root@ash:~]# phionctrl versions
kernel
2.4.28-2.4.2.8
bdns
R-2.4_V-2.4.2.5 Nov 3 2004 12:32:00
boxconfig
R-2.4_V-2.4.2.22 May 18 2005 18:12:49
boxfw
R-2.4_V-2.4.2.109 Apr 29 2005 10:50:28
bsyslog
R-2.4_V-2.4.2.7 Jun 28 2005 11:15:00
control
R-2.4_V-2.4.2.14 Aug 4 2005 09:39:23
cstat
R-2.4_V-2.4.1.7 Aug 24 2005 19:27:54
dist
R-2.4_V-2.4.1.9 Oct 27 2004 13:53:56
event
R-2.4_V-2.4.1.37 May 12 2005 15:05:18
log
R-2.4_V-2.4.1.7 Apr 14 2005 16:58:41
logwrap
R-2.4_V-2.4.1.5 Nov 5 2004 11:33:57
phibs
R-2.4_V-2.4.1.15 Apr 11 2005 09:45:36
psyslog
R-2.4_V-2.4.1.4 Oct 20 2004 11:11:37
qstat
R-2.4_V-2.4.1.6 Apr 14 2005 16:51:54
dstats
R-2.4_V-2.4.1.6 Nov 4 2004 09:20:03
logstor
2.2.4-6 Aug 05 2003 08:11:13
cfirewall
R-2.4_V-2.4.1.1 Mar 4 2005 12:12:17
clusterconf
R-2.4_V-2.4.2.22 May 18 2005 18:12:49
mevent
R-2.4_V-2.4.1.37 May 12 2005 15:05:18
proxy
R-2.4_V-2.4.1.6 May 1 2005 18:41:04
qstatm
R-2.4_V-2.4.1.6 Apr 14 2005 16:51:54
rangeconf
R-2.4_V-2.4.2.22 May 18 2005 18:12:49
snmp
R-2.4_V-2.4.2.2 Jun 6 2005 12:48:49
spamfilter
2.4.2-4 Jun 01 2005 12:06:30
sshprx
R-2.4_V-2.4.2.2 Apr 11 2005 15:15:00
vpnserver
R-2.4_V-2.4.2.131 Aug 22 2005 21:03:48
2.16 phionctrl
Stops or starts the Barracuda NG Firewall subsystem (that is, the operating system) and furthermore all servers and services.
2.16.1 phionctrl startup
Starts the box, reads all configuration files from the directory /opt/phion/config/active and
starts the daemons and services.
2.16.2 phionctrl shutdown
Shuts down all services and the operating system.
Chapter 3
acpfctrl
General ................................................................................... 28
acpfctrl start ............................................................................ 28
acpfctrl stop............................................................................. 28
acpfctrl parp show................................................................... 29
acpfctrl noping show ............................................................... 29
acpfctrl bacl show ................................................................... 29
acpfctrl lproto show ................................................................. 29
acpfctrl realm show ................................................................. 29
acpfctrl device ......................................................................... 30
acpfctrl sync ............................................................................ 30
acpfctrl plugdebug................................................................... 30
acpfctrl param ......................................................................... 31
acpfctrl version ........................................................................ 31
3.1 General
acpfctrl is a tool for viewing the settings of the firewall (acpf) module from the command line interface.
Though the acpfctrl command provides manipulation options, we advise you to make configuration changes within the NG Admin user interface only. DO NOT use the modification options without assistance from Barracuda Networks support, to avoid serious misconfiguration of a Barracuda NG Firewall system.
For a list of all options of acpfctrl, simply type:
[root@mybox:~] acpfctrl
Fig. 3–30 List of all acpfctrl options
[root@winix:/var/phion/logs]# acpfctrl
use: acpfctrl [start stop parp noping srvport bacl lproto realm cache nattable fwd param suspend resume version]
start            Load module, caches and rules
stop             Save caches and unload module
parp             Proxy ARP control
noping           Non local ECHO handled IPs
bacl             Box access control list
lproto           Locally handled IP Protocols
realm            Device realm assignment
device           Show device information
sync             TF sync control
tune             Tuning control
cache            Cache control
fwd              passthru forwarding
srvport          Service to Port Mapping
nattable         plugin nattables
plugdebug        plugin debuglevel
sip              SIP call table
arp              ARP request interface matching
term             Terminate slots
param            ACPF parameters
clone            Clone packet to other host via UDP
report           set packet drop reporting
suspend seconds  put to sleep for n seconds
resume           acpf wakeup call
version          ACPF Version
3.2 acpfctrl start
Starts the acpf module and imports the forwarding firewall rules and access cache.
3.3 acpfctrl stop
Stops the acpf module. The firewall is stopped, rules and access cache are saved.
The acpf is a kernel module and thus can only be stopped if the dependent services are stopped as well. Before
using acpfctrl stop, block the firewall services on the server and on the box using:
phionctrl module block firewall and phionctrl box block boxfw.
3.4 acpfctrl parp show
The parp parameter relates to the proxy ARP entries of the firewall; the show parameter displays all proxy ARP entries of the firewall.
Fig. 3–31 Example for acpfctrl parp show
[root@ash:/var/phion/logs]# acpfctrl parp show
noext 10.0.10.208/4 MVPN
3.5 acpfctrl noping show
The noping parameter concerns the ping behavior of IP addresses. The show parameter displays all IP addresses that are set to noping.
3.6 acpfctrl bacl show
Shows all box access control list entries.
3.7 acpfctrl lproto show
Displays the locally handled IP protocols.
3.8 acpfctrl realm show
Displays the device realm assignment.
The following realms are available:
• 0 unknown
• 1 intern
• 2 dmz
• 3 extern
• 4 persvpn
• 5 fwvpn
• 6 iptun
• 7 usr
3.9 acpfctrl device
Displays information about all devices for debugging.
Fig. 3–32 Example 1 for acpfctrl device
lo
index=1 realm=unknown
port=unknown base=00000000 irq=0 dma=0
state=START PRESENT
mtu=16436 type=LOOPBACK
mac=00:00:00:00:00:00 brd=00:00:00:00:00:00 num_mc=0
flags=UP LOOPBACK
features=SG/IO NO-CSUM HIGH-DMA FRAGLIST
refcnt=134 watchtime=0 dead=0
last_rx=0.05 secs last_tx=358203 secs
rx=16772068/633577594 tx=16772068/633577594 rx-err=0
tx-err=0 colls=0
Fig. 3–33 Example 2 for acpfctrl device
Interface
Index number, realm
Port, base, IRQ, DMA
Device state
Set MTU size for the device; Type of device
(loopback, broadcast, ether)
MAC-Address of the device, brd, num_mc
Flags
Device features
Number of references, watchtime, dead
Last Received Packets (transfer time in sec), Last
sent packets (transfer time in sec)
Received=Packets/Bytes, Sent=Packets/Bytes,
erroneous packets received,
erroneous packets sent, colls
3.10 acpfctrl sync
acpfctrl sync show prints the current firewall’s sync state to the standard output.
Fig. 3–34 Example for acpfctrl sync show output
[root@chefix:~]# acpfctrl sync show
Mode:        ACTIVE
Cookie:      a832a400
SyncNumber:  4898
Server:      main0
Partner:     DOWN
Source:      10.0.6.2:689
Destination: 10.0.6.46:689
KeyIndex:    0
Key1:        00000000000000000000000000000000
Key2:        00000000000000000000000000000000
A Unsynced           7
A Synced             0
A Unsynced Close     0
A Synced Close       0
P Synced             0
P Synced Close       0
A SIP Unsynced       0
A SIP Synced         0
A SIP Unsynced Close 0
A SIP Synced Close   0
P SIP Synced         0
P SIP Synced Close   0
3.11 acpfctrl plugdebug
Dumps debug messages of a specified plugin to the box firewall log.
• acpfctrl plugdebug <plugin name> 1 sets dumping of debug messages to on.
• acpfctrl plugdebug <plugin name> 0 sets dumping of debug messages to off.
The output of the plugdebug parameter is only of interest to Barracuda Networks support.
3.12 acpfctrl param
Displays the parameter settings of the firewall.
3.13 acpfctrl version
Displays the version string of the acpf.
Fig. 3–35 acpfctrl version
[root@chefix:~]# acpfctrl version
PhionVersionString R-3.2_V-3.2.0.1 Nov 8 2005 18:53:18
Chapter 4
Operative Structure
Static Data .............................................................................. 34
Dynamic Data.......................................................................... 34
4.1 Static Data
The operative data of an NGFW box resides in /opt/phion/. It is not recommended to change anything within this directory.
The full configuration of an NGFW box is held in /opt/phion/config/active. These files may be changed manually only by Barracuda Networks support engineers or by specially trained system engineers.
4.2 Dynamic Data
Log files and statistics data are located in /var/phion/. This directory has the following substructure:
4.2.1 /var/phion/logs
All log files are held here. They can be viewed using any editor.
DO NOT write to this directory.
DO NOT rename this directory.
DO NOT put any files into this directory.
Any manual action might result in malfunction of the log GUI.
4.2.2 /var/phion/stat
Root directory of the statistics data structure. The data files are BDB files in binary format. They can
be viewed using the showstat utility (/opt/phion/bin) (12.2 showbdb, page 62).
DO NOT change anything within this directory.
4.2.3 /var/phion/logcache
This directory contains the log access files (*.laf). These are BDB files, suitable for fast access to large
log files. Intervention via the command line is generally not intended or recommended on the operative
layer. Use showbdb (12.2.4 showbdb -l, page 63) to view the content of .laf files.
Chapter 5
Configuration Files and Tree
General ................................................................................... 36
Configuration Files .................................................................. 36
Configuration Tree .................................................................. 38
5.1 General
The directory structure of NGFW systems aims at a breakdown into organisational units. Accordingly, you will find the configuration files arranged in administrative subunits within subdirectories of the configuration root directory.
The configuration tree of NG Admin starts in /opt/phion/config/configroot.
Figure 5–36 is a graphical replication of this file structure in a tree view format. The Open configuration
column displays the file structure as it is in the directory /opt/phion/config/configroot. The
Name column shows the corresponding naming used in the GUI configuration tree (figure 5–36 - left
column).
Fig. 5–36 NG Admin configuration tree
5.2 Configuration Files
This chapter describes configuration files and their tasks assigned to specific directories within the
system.
5.2.1 /opt/phion/config/configroot
This directory contains all configuration files being subject to constant change. Barracuda NG Admin
retrieves the box configuration from this directory.
A fresh Barracuda NG Firewall installation will contain empty configuration files in this directory. If any
service is added, the template files are copied from the corresponding directory
/opt/phion/modules/directory/box.
5.2.2 /opt/phion/config/active
This directory contains the active box configuration.
5.2.3 /opt/phion/modules/box
This directory contains all configuration default (confdef) files and the scripts needed for activation (Chapter 9 Activation Scripts, page 51) and verification (Chapter 7 Verification Scripts, page 45).
The directory itself is split into several subdirectories. Usually, a corresponding subdirectory exists for each configuration file within /opt/phion/config/configroot. Most subdirectories contain a bin directory with a verify and activate script, a binary, or both.
Fig. 5–37 Example for the directory structure
[root@Bart:~]# cd /opt/phion/config/configroot/
[2005-10-07 16:57 UTC] [-root shell-] [-powered by Cuda IT-]
[root@Bart:/opt/phion/config/configroot]# ll
total 176
drwxr-xr-x  9 root root 4096 Oct 7 15:40 .
drwxr-xr-x  8 root root 4096 Oct 7 15:40 ..
-rw-r--r--  1 root root  141 Oct 5 10:57 1
-rw-------  1 root root  421 Oct 5 10:31 boxadm.conf
-rw-------  1 root root  146 Oct 5 10:31 boxadm.desc
-rw-r--r--  1 root root  131 Oct 5 10:31 boxadm.param
-rw-------  1 root root  196 Oct 4 13:07 box.conf
-rw-------  1 root root  131 Oct 4 13:07 box.desc
-rw-------  1 root root 2580 Oct 4 13:07 boxkey.conf
-rw-------  1 root root  137 Oct 4 13:07 boxkey.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 boxkey.param
-rw-------  1 root root 1490 Oct 4 13:07 boxnet.conf
-rw-------  1 root root  135 Oct 4 13:07 boxnet.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 boxnet.param
drwxr-xr-x  2 root root 4096 Oct 4 13:07 boxother
-rw-------  1 root root  139 Oct 4 13:07 boxother.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 boxother.param
-rw-r--r--  1 root root  131 Oct 4 13:07 box.param
-rw-------  1 root root  857 Oct 4 13:07 boxqos.conf
-rw-------  1 root root  165 Oct 4 13:07 boxqos.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 boxqos.param
drwxr-xr-x  2 root root 4096 Oct 4 13:07 boxsrv
-rw-------  1 root root  142 Oct 4 13:07 boxsrv.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 boxsrv.param
-rw-------  1 root root  217 Oct 4 13:07 boxsys.conf
-rw-------  1 root root  142 Oct 4 13:07 boxsys.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 boxsys.param
drwxr-xr-x  2 root root 4096 Oct 7 15:07 data
-rw-------  1 root root  106 Oct 4 13:07 data.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 data.param
drwxr-xr-x  3 root root 4096 Oct 4 13:07 gdata
-rw-------  1 root root  107 Oct 4 13:07 gdata.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 gdata.param
drwxr-xr-x  3 root root 4096 Oct 4 04:51 LostAndFound
-rw-------  1 root root 3352 Oct 4 13:07 masterpub.conf
-rw-------  1 root root  167 Oct 4 13:07 masterpub.desc
-rw-r--r--  1 root root  131 Oct 4 13:07 masterpub.param
drwxr-xr-x  2 root root 4096 Oct 4 04:51 pool
-rw-------  1 root root 1227 Oct 4 13:07 roles.conf
-rw-------  1 root root  164 Oct 4 13:07 roles.desc
The example in figure 5–37 shows the /opt/phion/config/configroot directory containing the boxnet.conf file.
Within the /opt/phion/modules/box directory, the boxnet subdirectory contains the .conf files and, in its bin subdirectory, links to the activation and verification files.
The /opt/phion/modules/box directory contains two further important subdirectories:
• /opt/phion/modules/box/boxother (corresponding to Box Misc.)
• /opt/phion/modules/box/boxsrv (corresponding to Box Services - figure 5–36, page 36)
Generally, all box services such as Box Firewall, Eventing and Statistics are located in boxsrv, while
further configuration items such as authentication schemes, bootloader, or box licenses are located in
boxother.
The confdef file determines the look of a window within Barracuda NG Admin (input fields, labels,
buttons).
5.2.4 /opt/phion/modules/box/boxother
Configuration is read from here as soon as a node is opened within the Box Misc. branch.
5.2.5 /opt/phion/modules/box/boxsrv
Configuration is read from here as soon as a node is opened within the Box Services branch.
5.3 Configuration Tree
A configuration tree holding all necessary information to keep a box up and running resides on every
Barracuda NGFW system. The tree roots at /opt/phion/config and contains several
subdirectories. Each subdirectory has its own special function.
Manual changes within these directories might be seriously dangerous to the system’s health. If it is
absolutely necessary to perform any manual changes, these should only be done by an expert.
5.3.1 "Active" Directory
Contains the active configuration used by the currently running services.
Two important files, boxadm.conf and boxnet.conf, reside within this directory.
5.3.2 "Configroot" Directory
Directory for the GUI’s management configuration tree.
5.3.3 "History" Directory
Contains DB files for internal use only. Absolutely not to be changed manually.
Do not make any changes to this directory.
5.3.4 "Sessions" Directory
Whenever a session is opened, all session based information is stored here.
5.3.5 "Update" Directory
All files needed for synching with another box (e.g. HA) are stored here.
Chapter 6
Network Activation
General ................................................................................... 42
Networking Layer .................................................................... 42
Configuration Files .................................................................. 42
6.1 General
This chapter is about activating a new network configuration using the console.
• Which tools are needed?
• Which files can be changed?
6.2 Networking Layer
The networking layer is installed along with the etc_box package. It is called phionetc_box because
almost all relevant files are located within the /etc/phion directory.
The main purpose of this package is controlling every part of the system that communicates using the
network. Along with the software modules, there are further packages, such as openssh or ntp, that
retrieve their configuration from NGFW scripts and whose modules are started by these scripts.
6.3 Configuration Files
There are three configuration files used to control the network behavior of the system:
• 6.3.1 Options
• 6.3.2 boxadm.conf, page 43
• 6.3.3 boxnet.conf, page 43
6.3.1 Options
This is the only configuration file not managed by Barracuda NG Admin.
Fig. 6–38 Template of the options file
########
## Systemwide NGFW options
## File is sourced by several start scripts
##
# start networking at all?
BOX_NETWORK="Y"
# Number of retries to bring up all devices, sometimes useful for token ring devices
NET_RETRY=0
# should the phion subsystem be started ?
PHION_START="Y"
#for some historical reason: should the NetDB subsystem be started?
#CAUTION: Activate only if you know very well what you are doing.
NETDB_START="N"
# for advanced Servers
START_ORA="N" #Y/N start ORACLE on BOOT
START_ADABAS="N" #Y/N start ADABAS on BOOT
Table 6–3 Parameters in the options file
Parameter   | Options   | Default | Description
BOX_NETWORK | Y/N       | Y       | If set to "N", nothing will happen when trying to start networking.
NET_RETRY   | numerical | 0       | Number of allowed retries for network connection establishment.
PHION_START | Y/N       | Y       | If set to "N", the Barracuda operative layer will not start. Use this if a box is running without proprietary Barracuda NGFW software.
NETDB_START | Y/N       | N       | Only of use when using a box with NetDB database on it.
6.3.2 boxadm.conf
Contains parameters related to services that do not require a network restart in order to get activated (e.g. RSA key, ACL etc.). Additionally, this file contains information about box services (box tuning).
Fig. 6–39 Example for boxadm.conf content
ACLLIST[] =
DNSSERVER[] = 212.86.0.4
DOMAIN = phion.qa
INACTFLAG = n
NTPEVT = 0
RPASSWD = $1$someMD5encryption
SPASSWD = $1$someMD5encryption
STARTNTP = y
SYNC = y
TMASTER[] = 10.0.0.33
TZONE = Europe/Vienna
UTC = y
[rootalias_mbr]
AUTHLEVEL = 0
NAME = mbr
PASSWD = $1$goelga$9ysSYZ4X.qpJqn8k0KpsC.
PUBKEY = -----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAOV2ltrcBSa4mV3S0ni6P6K9RTIWHG3aMoolsAQNEsImcReUqhdc+QQ2
kCHHHJ5HWpBc0ePF6P+nrv0Pgw3SZHcV3mA7L1JeHs2XEqvndnVlvA+uNhnbMVBD
o/yUhq4Vwdgmu3OiUlspJhgRnCapRIvSAmoARNPWoGA/tw8HgJdTAgMBAAE=
-----END RSA PUBLIC KEY-----
[rootalias_pmr]
AUTHLEVEL = 0
NAME = pmr
PASSWD = $1$djoanl$BPvPXlA87meC4.JVNljcP.
PUBKEY = -----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAM2dG/OHlJCdIASXy4DmOWb23u4SJr2q/BzalLDM31m9kc/zsKAbZasU
Yevr86H7yZ2qqtILywycsCYKuYATZe37QlO30vyh+VCphgumwbfVXl9fkAeJUrzM
XGNRUWpwiDCl4vEpGl0b5gHka/XjKdsM4RmXAE6k+6+5sAuIrZqPAgMBAAE=
-----END RSA PUBLIC KEY-----
6.3.3 boxnet.conf
Contains information about dealing with network connections, such as host name, network devices, IP
addresses and routing information.
Fig. 6–40 Example for boxnet.conf content
HOSTNAME = mybox
RAM = n
VIP =
[addnet_212er]
BIND = y
CRIT = n
DEV = eth1
IP = 212.86.0.112
MASK = 8
NAME = 212er
PING = y
[addroute_default1]
DEST = 212.86.0.100
DEV =
FOREIGN = y
MASK = 32
NAME = default1
PREF = 100
SRC =
TARGET = 0.0.0.0
TYPE = gw
[addroute_default2]
DEST = 212.86.1.100
DEV =
FOREIGN = y
MASK = 32
NAME = default2
PREF = 200
FOREIGN = y
MASK = 8
NAME = dev2
PREF =
SRC =
TARGET = 212.86.1.0
TYPE = dev
[addroute_devnet]
DEST = 10.0.0.101
DEV =
FOREIGN = y
MASK = 8
NAME = devnet
PREF =
SRC =
TARGET = 10.0.3.0
TYPE = gw
[boxnet]
DEV = eth0
IP = 10.0.0.181
MASK = 8
[cards_10realtek]
BLTIN = module
MOD = 8139too.o
NAME = 10realtek
NUM = 2
TYPE = eth
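An added example, not Barracuda's code: a parser for the boxnet.conf / boxadm.conf layout shown in the figures above (top-level KEY = value pairs, [section] blocks, KEY[] = list entries), followed by the kind of logical check the verify script (Chapter 7) performs, namely that every gateway route's DEST lies on a directly attached network. The [addroute_unreach] section is a constructed broken entry; the rest of the sample is a subset of Fig. 6–40.

```python
"""Parse a boxnet.conf-style file and check every gateway route against the
box's directly attached networks, in the spirit of the logical check that
/etc/phion/bin/verify performs (Chapter 7). Added example, not Barracuda code;
the layout (top-level KEY = value pairs, [section] blocks, KEY[] = list
entries) follows section 6.3. [addroute_unreach] is a constructed bad entry."""
from __future__ import annotations

import ipaddress
import re

# Constructed sample: a subset of Fig. 6-40 plus one unreachable gateway.
SAMPLE_BOXNET = """\
HOSTNAME = mybox
VIP =
[addnet_212er]
DEV = eth1
IP = 212.86.0.112
MASK = 8
[addroute_default1]
DEST = 212.86.0.100
MASK = 32
PREF = 100
TARGET = 0.0.0.0
TYPE = gw
[addroute_devnet]
DEST = 10.0.0.101
MASK = 8
TARGET = 10.0.3.0
TYPE = gw
[addroute_unreach]
DEST = 172.16.0.1
MASK = 24
TARGET = 192.168.50.0
TYPE = gw
[boxnet]
DEV = eth0
IP = 10.0.0.181
MASK = 8
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PAIR_RE = re.compile(r"^(?P<key>[A-Za-z_]\w*)(?P<list>\[\])?\s*=\s*(?P<val>.*)$")


def parse_conf(text: str) -> dict[str, dict]:
    """{section: {KEY: value}}; top-level pairs live under ''; KEY[] lines become lists."""
    conf: dict[str, dict] = {"": {}}
    current = conf[""]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if sec := SECTION_RE.match(line):
            current = conf.setdefault(sec["name"], {})
            continue
        m = PAIR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a KEY = value pair: {raw!r}")
        val = m["val"].strip()
        if m["list"]:
            entries = current.setdefault(m["key"], [])
            if val:                      # "ACLLIST[] =" yields an empty list
                entries.append(val)
        else:
            current[m["key"]] = val
    return conf


def attached_networks(conf: dict) -> dict[str, ipaddress.IPv4Network]:
    """Networks the box sits on directly ([boxnet] and every [addnet_*]),
    keyed 'section/device'. MASK is a prefix length, as in the guide's figures."""
    nets = {}
    for name, sect in conf.items():
        if name == "boxnet" or name.startswith("addnet_"):
            if not (sect.get("IP") and sect.get("MASK") and sect.get("DEV")):
                raise ValueError(f"[{name}] needs DEV, IP and MASK")
            nets[f"{name}/{sect['DEV']}"] = ipaddress.ip_network(
                f"{sect['IP']}/{sect['MASK']}", strict=False)
    return nets


def check_gateway_routes(conf: dict) -> dict[str, str | None]:
    """For each [addroute_*] with TYPE = gw, map the section name to the attached
    network containing its DEST gateway, or None if no attached network does
    (a gateway that is not on any attached network cannot be used)."""
    nets = attached_networks(conf)
    result: dict[str, str | None] = {}
    for name, sect in conf.items():
        if name.startswith("addroute_") and sect.get("TYPE") == "gw":
            gw = ipaddress.ip_address(sect["DEST"])
            result[name] = next((lbl for lbl, net in nets.items() if gw in net), None)
    return result


if __name__ == "__main__":
    for route, via in check_gateway_routes(parse_conf(SAMPLE_BOXNET)).items():
        print(f"{route}: {'via ' + via if via else 'gateway not on any attached network'}")
```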
Chapter 7
Verification Scripts
/etc/phion/bin/verify ................................................................. 46
7.1 /etc/phion/bin/verify
This script checks the logical consistency of the boxnet.conf and boxadm.conf files. It is also used by the GUI during network configuration checks.
Fig. 7–41 Example for a consistency check
[root@winix:/var/phion/logs]# verify /opt/phion/config/configroot/boxnet.conf
SUCCESS: No obvious critical consistency errors in box configuration
Info:
[0140000] º boxnet(k,ARGS): box reaches MC@10.0.6.3 from 10.0.6.31 via »10.0.6.0/8 dev eth0 src 10.0.6.31 realm internal«
Info:
[0140000] º boxnet(k,ARGS): box reaches MC@10.0.6.2 from 10.0.6.31 via »10.0.6.0/8 dev eth0 src 10.0.6.31 realm internal«
Info:
[0140000] º boxnet(k,ARGS): box reaches server NTP@10.0.6.96 from 10.0.6.31 via »10.0.6.0/8 dev eth0 src 10.0.6.31 realm
internal«
Info:
[0140000] º boxnet(k,ARGS): box reaches server DNS@10.0.6.90 from all via »10.0.6.0/8 dev eth0 src 10.0.6.31 realm
internal«
Info:
[0140000] º boxnet(k,ARGS): logical check passed
[ local networks ]
     |name    |addr          |dev  |ping |mgmt |ntpd
---------------------------------------------------------------
net0 |loop    |127.0.0.1/8   |lo   |y    |y    |n
net1 |fw      |127.0.1.1/8   |tap0 |y    |n    |n
net2 |vpn     |127.0.2.1/8   |tap1 |y    |n    |n
net3 |vpnpers |127.0.3.1/8   |tap2 |y    |n    |n
net4 |mip0    |10.0.6.31/8   |eth0 |y    |y    |y
net5 |ospfVP  |10.0.151.33/8 |eth1 |y    |n    |n
[ management IPs ]
    |addr
-------------------------
ip0 |127.0.0.1/0
ip1 |10.0.6.31/0
[ servers ]
1:
mw
primary box:
secondary box:
1st server ip:
2nd server ip:
2:
winix [*]
linix
172.31.1.33
10.0.60.33
10.0.6.31
10.0.6.32
pingable=yes
pingable=yes
winix [*]
-- none -172.31.1.33
172.31.70.2
10.0.60.32
10.0.61.32
172.16.0.1
172.16.1.1
10.0.6.33
10.0.150.33
10.0.6.31
win0
primary box:
secondary box:
1st server ip:
2nd server ip:
add server ip:
add server ip:
add server ip:
add server ip:
add server ip:
add server ip:
pingable=yes
pingable=yes
pingable=yes
pingable=yes
pingable=yes
pingable=yes
pingable=yes
pingable=yes
[ IP tunnels ]
    |status |name |mode |dev/src addr  |  local <-> remote
--------------------------------------------------------------------------------------
tu0 |ready  |tun1 |gre  |10.0.150.33/8 |  10.0.151.33 <-> 10.0.151.8
[ routing structure ]
Type indicators: 'u' .... unicast, 'Ø' .... unreachable, '¤' .... stop lookup
State indicators: '®' .... ready, '×' .... pending, '¿' .... dynamic, '¬' .... inactive
1: u from 0.0.0.0/32 prio 0 table local
2: u from 0.0.0.0/32 prio 3 table vpnlocal
3: u from 0.0.0.0/32 prio 10000 table main
|
i
Chapter 8
Activate
Manual Configuration Change Using the Activate Command. 48
Processes Invoked by NG Admin on Configuration Change .. 48
8.1 Manual Configuration Change Using the Activate Command
Always back up the running files in /opt/phion/config/active before changing the configuration manually.
In order to alter the box configuration manually, perform the following steps:
• Edit the files in /opt/phion/config/configroot.
• Choose the service or module you wish to alter, e.g. in this case edit the boxnet.conf file.
• Change to the directory /opt/phion/modules/box/{configname}/bin, e.g. /opt/phion/modules/box/boxnet/bin.
• Run the verify command, passing the altered config file in /opt/phion/configroot as parameter (e.g. /verify /opt/phion/configroot/boxnet.conf).
• If the verify command runs through successfully, copy the altered config file into the active directory of the box (/opt/phion/config/active).
• Change into the directory /opt/phion/modules/box/{configname}/bin and execute the activate command. The service will now be activated.
The graphical view of NG Admin is bound to the configuration parameters within the configroot directory
and not to the parameters within the active directory. Thus, the manually made changes within
/opt/phion/config/active will not be visible in Barracuda NG Admin. To avoid subsequent configuration
inconsistencies, perform the manual changes within NG Admin as well. Otherwise, the manual changes will
be overwritten the next time configuration changes are done using NG Admin.
8.2 Processes Invoked by NG Admin on Configuration Change
The Verify and Activate commands are also used when making configuration changes through Barracuda NG Admin. Below is a brief description of the processes and file system changes invoked by Barracuda NG Admin on configuration change.
The procedure is explained by means of adding an IP address to the network.
1.) Connect
Connect to a box and open the config tree.
Fig. 8–42 Configuration tree
2.) Choose Network
Choose the Network entry within the configuration tree. This opens the Network register.
The appearance of this register is defined within /opt/phion/modules/box/boxnet/boxnet.confdef.
Changes within this file are reflected into the GUI.
3.) Manipulate
4.) Lock
Lock the register and add e.g. a network (FURTHER NETWORKS) using the Insert... button.
Fig. 8–43 Register Network in manipulation mode
5.) Send Changes
Send the changes using the Send Changes button and activate the manipulated network configuration
by clicking Activate.
Answer the query whether to keep the locks.
6.) Verify
Open the control page and enter the Box register. Clicking the Verify new button triggers execution
of the verify script (Chapter 7 Verification Scripts, page 45).
Fig. 8–44 Register Box with verified configuration file
Chapter 9
Activation Scripts
General ................................................................................... 52
/etc/rc.d/init.d/phion ................................................................. 52
9.1 General
Two scripts are intended to be started using the command line:
• /etc/rc.d/init.d/phion (9.2 /etc/rc.d/init.d/phion)
• /etc/phion/bin/verify (7.1 /etc/phion/bin/verify, page 46)
All other scripts should not be started at the command line interface. They are automatically started by
the two scripts mentioned above.
9.2 /etc/rc.d/init.d/phion
9.2.1 phion start
This command brings up the network layer on system boot.
It initiates the following actions:
• Sets necessary and optional syscontrols (from boxadm.conf)
• Looks for /opt/phion/update/box.par and activates its configuration if such a file is available
• Activates boxadm.conf (does not change passwords)
• Looks for /opt/phion/INSTALL, changes passwords if such a directory exists and deletes the directory
• Checks boxnet.conf and activates it as far as possible, even if the configuration is not consistent
• Starts the operative layer (if not forbidden by /etc/phion/options)
9.2.2 phion stop
This command stops the phion subsystem and the network at system shutdown.
The command initiates the following actions:
• Stops operative layer
• Disables all network devices
• Disables all IP addresses and routes
9.2.3 phion recover
phion recover has the same functionality as phion start. It is obsolete and exists only for downward
compatibility reasons.
9.2.4 phion restart
Re-initializes the operative layer by executing the following actions:
• Stops operative layer
• Performs a consistency check (boxnet.conf); process will be stopped if configuration is inconsistent
• Activates boxadm.conf
• Starts operative layer (if not forbidden by /etc/phion/options)
9.2.5 phion adm_refresh
Activates the boxadm.conf entries only. This action can be performed without interfering with the
operative layer.
Note that executing this may change the passwords.
Chapter 10
Dynamic Network Start and Stop Scripts
General ................................................................................... 56
xDSL Connections .................................................................. 56
DHCP Connections ................................................................. 56
ISDN Connections................................................................... 57
UMTS Connections ................................................................. 57
10.1 General
Dynamic network connections may be stopped and started directly through the command line
interface.
10.2 xDSL Connections
• Start all xDSL connections: /etc/phion/bin/openxdsl start
• Stop all xDSL connections: /etc/phion/bin/wipexdsl
• Start an explicit xDSL connection: /etc/phion/bin/openxdsl start <linkname>
• Stop an explicit xDSL connection: /etc/phion/bin/wipexdsl stop <linkname>
10.3 DHCP Connections
• Start all DHCP connections: /etc/phion/bin/openxdhcp start
• Stop all DHCP connections: /etc/phion/bin/wipexdhcp
• Start an explicit DHCP connection: /etc/phion/bin/openxdhcp start <linkname>
• Stop an explicit DHCP connection: /etc/phion/bin/wipexdhcp stop <linkname>
10.4 ISDN Connections
• Start ISDN connections: /etc/phion/bin/openisdn start
• Stop ISDN connections: /etc/phion/bin/wipeisdn
10.5 UMTS Connections
• Start UMTS connection: /etc/phion/bin/startumts start
• Stop UMTS connection: /etc/phion/bin/wipeumts
Chapter 11
mailclt
General ................................................................................... 60
mailclt options ......................................................................... 60
11.1 General
mailclt is an internal mail client used to send emails from the command line. It may be utilized for
distribution of reports generated by specific services (e.g. transmission of reports generated by the
Revision Control System, see Chapter CC RCS in the NG Firewall Administrator’s Guide) and
resides within /opt/phion/bin.
11.2 mailclt options
Enter mailclt at the command line interface in order to obtain a list of options:
Fig. 11–45 mailclt output
[root@bart:/opt/phion/bin]# mailclt
mailclt -f sender -r recipient -s subject -m mailserver-IP TEXT -a attachment -t textfile
Options used with mailclt expect the following input:
Table 11–4 List of mailclt options
Option            Expected Input
-f                Sender’s email address
-r                Recipient’s email address
-s                Email’s subject
-m                Mail server’s IP address
without option    IP address, but NOT the MX record of a reachable SMTP server, as DNS resolution is not supported by mailclt
-a                path and name of an arbitrary file attachment
-t                Email’s text content
Fig. 11–46 Example for mailclt usage
[root@bart:/]# /opt/phion/bin/mailclt -f sender@domain.com -r recipient@domain.com -s "Mail Subject" -m 10.0.8.112 "This ist
the e-mail content" -a /home/username/image.gif -t /home/username/file.txt
Chapter 12
showbdb
General ................................................................................... 62
showbdb.................................................................................. 62
12.1 General
This tool is needed for viewing binary BDB (Berkeley Data Base) files not viewable using a standard
editor such as vi or emacs.
Within the Barracuda NG Firewall system several files, such as statistics data, are written in binary
format. However, these files do not have a .BDB file name extension.
The synopsis is: showbdb [-options] <filename>
The filename is the name of the Berkeley DB file. If no options are set, it is assumed that key and data
part of the DB file are in textual (not binary) format.
12.2 showbdb
12.2.1 showbdb -c
Checks statistics files for corruption.
12.2.2 showbdb -h
Prints the help text showing all the options that may be used.
Fig. 12–47 List of all showbdb options
[root@chucky:/etc/rc.d/init.d]# showbdb
missing parameter
Usage: showbdb [options] filename
Options:
-c ... check statistic file for corruption
-h ... help
-i ... print statistic file infos (header)
-l ... dump LAF file to stdout
-s ... dump statistic file to stdout
-v ... print version information
Parameters:
filename ... statistic file (path)
12.2.3 showbdb -i
Prints the Berkeley DB header of a statistics file to the standard output.
Fig. 12–48 Example for showbdb -i output
[root@chucky:/var/phion/stat/0/box/HG-S10]# showbdb -i
/var/phion/stat/0/box/HG-S10/cpu.tot.1131577200 magic=100 baseBin=0 dataType=abs unitId=FLOAT
date=2005 11 10 00:00:00
12.2.4 showbdb -l
Use the -l option when querying input files with the suffix LAF (Log Access File). These files provide
an index to log files in BDB format and their pointers can be used for accelerated access.
They are found at /var/phion/logcache.
Fig. 12–49 Example for showbdb -l output
[root@chucky:/var/phion/logcache]# pwd
/var/phion/logcache
[2005-11-14 11:41 CET] [-root shell-] [-powered by Cuda IT-]
[root@chucky:/var/phion/logcache]# showbdb -l
box_Control_daemon.laf
DumpLogFile box_Control_daemon.laf
header: minTS=2005 11 10 11:33:34 maxTS=2005 11 16 12:09:55
[00|1132139351] 2005 11 16 12:09:11 flg=0 ndx=00
off=000000000
len=000006742
eCnt=089 000 000 000 000 003 005 042 039
[01|1131618814] 2005 11 10 11:33:34 flg=2 ndx=01
off=000006742
len=000058836
eCnt=744 000 000 000 001 000 020 382 341
[01|1131706234] 2005 11 11 11:50:34 flg=2 ndx=01
off=000065578
12.2.5 showbdb -s
Interprets the given file as a statistics file and translates the binary format into a human readable
format.
Fig. 12–50 Example for showbdb -s output
[root@chucky:/var/phion/stat/0/box/HG-S10]# showbdb -s cpu.tot.1131577200
magic=100 baseBin=0 dataType=abs unitId=FLOAT date=2005 11 10 00:00:00
k:41620 v:212
k:41630 v:195
k:41640 v:181
k:41650 v:175
k:41660 v:147
k:41670 v:132
k:41680 v:112
k:41690 v:101
k:41700 v:84
k:41710 v:79
k:41850 v:239
k:41860 v:229
k:41870 v:194
k:41880 v:164
k:41890 v:138
k:41900 v:117
k:41910 v:100
k:41920 v:83
k:41930 v:78
k:41940 v:66
k:41950 v:55
k:41960 v:46
k:41970 v:40
k:41980 v:34
k:41990 v:28
k:42000 v:23
k:42010 v:20
k:42020 v:17
k:42030 v:14
12.2.6 showbdb -v
Displays the version info for the given file.
Chapter 13
statcheck
General ................................................................................... 66
statcheck ................................................................................. 66
13.1 General
The statcheck tool parses a directory tree and checks whether the files are uncorrupted statistics files.
The tool’s output can be viewed in the log file via Barracuda NG Admin: Logs > Reports > Statistics > statcheck.
The synopsis is: statcheck [-options] <path>
<path> is the path to statistics tree (by default /var/phion/stat). If no option is specified, option
-c is assumed.
13.2 statcheck
13.2.1 statcheck -h
Prints the help text showing all possible options.
Fig. 13–51 List of all statcheck options
[root@chucky:/var/phion/stat/]# statcheck -h
Usage: statcheck [options] [path]
Options:
-c ... check statistic file for corruption
-d ... enable verbose (debug) logging (log each data entry)
-h ... help
-m ... move corrupt statistic files to '/var/phion/lost+found/stat'
-r ... remove corrupt statistic files'
-s ... switch weekly top stat files to monthly, if neccessary
-t ... enable verbose logging
-v ... print version information
Parameters:
[path] ... statistic file path
13.2.2 statcheck -c
Checks statistics files for corruption.
13.2.3 statcheck -d
Enables the creation of verbose debug logging, e.g. logging for each data entry will be generated.
13.2.4 statcheck -m
Moves corrupted statistics files to /var/phion/lost+found/stat.
13.2.5 statcheck -r
Removes corrupted statistic files.
13.2.6 statcheck -s
Switches top statistics files from weekly to monthly interval if necessary.
13.2.7 statcheck -t
Enables tracing. For example, investigated and uncorrupted files will have log files generated.
13.2.8 statcheck -v
Displays the version info for the given file.
Chapter 14
admintcpdump
General ................................................................................... 70
Options.................................................................................... 70
14.1 General
The NGFW OS includes the Linux command line tool tcpdump (see 19.3 tcpdump, page 93). For
security reasons, usage of this command is restricted to root users. admintcpdump enables you to
start tcpdump without having root administration rights. admintcpdump is installed in
/opt/phion/bin.
14.1.1 Requirements
The admin profile needs to refer to an administrative role where the following Connection Tracing
parameters are enabled:
• Toggle Trace
• View Trace Output
• Change Settings
(Global Settings > Administrative Roles > Administrative Role Configuration > Roles <rolename> > Firewall
Module > Firewall Permissions > Set… > Connection Tracing)
In order to edit the administrative role, see within the Barracuda NG Firewall Administrator’s Guide
Barracuda Control Center > CC Configuration Service > Global Settings > Administrative Roles.
In order to edit the admin profile, see Barracuda NG Firewall Administrator’s Guide Barracuda Control
Center > CC Admins.
14.2 Options
Fig. 14–52 Syntax for admintcpdump usage
Usage: admintcpdump [-adeflnNOpqRStuvxX] [-c count] [ -F file ]
[ -i interface ] [ -r file ] [ -s snaplen ]
[ -T type ] [ -U user ] [ -w file ] [ expression ]
The options for admintcpdump are the same as for tcpdump. See 19.3 tcpdump, page 93, or enter
man tcpdump on the command line.
Chapter 15
Maintaining Recipient Databases
General ................................................................................... 72
Creating Recipient Database .................................................. 72
Adding E-Mail Addresses........................................................ 72
Viewing Databases ................................................................. 72
Configuring Utilization of Recipient Database......................... 73
Updating Recipient Database ................................................. 73
Backing Up Recipient Databases............................................ 73
15.1 General
A recipient database may be used for verifying incoming emails against valid email addresses stored
in a database. If a recipient database has been specified for specific or for all configured mail domains,
each email will be checked against this database before being forwarded any further. Messages
intended for recipients not contained in the database will be discarded.
15.2 Creating Recipient Database
By default, a recipient database is expected to reside within the folder
/var/phion/spool/mgw/<servername_servicename>/. It could also be created in a folder below this one.
Use the setbdb command in order to create a recipient database within the default path and insert a
user into it:
Fig. 15–53 Creating a recipient database
[root@bart:/var/phion/spool/mgw/bartSRV/bMGW]# setbdb "<user1@domain.com>" "" ./my_recipient.db
15.3 Adding E-Mail Addresses
The setbdb command is used to add another user to the recipient database:
Fig. 15–54 Adding an address to a recipient database
[root@bart:/var/phion/spool/mgw/bartSRV/bMGW]# setbdb "<user2@domain.com>" "" ./my_recipient.db
15.4 Viewing Databases
The showbdb command (Chapter 12 showbdb, page 61) displays the content of the recipient database:
Fig. 15–55 Viewing the content of a recipient database
[root@bart:/var/phion/spool/mgw/bartSRV/bMGW]# showbdb my_recipient.db
<user1@domain.com>
<user2@domain.com>
15.5 Configuring Utilization of Recipient Database
The parameter settings for (Default) Recipient DB, Recipient Lookup and Recipients (see Chapter Mail
Gateway within the Barracuda NG Firewall Administrator’s Guide) in the graphical administration tool
Barracuda NG Admin determine whether a recipient database is used for address validation or not.
Fig. 15–56 Specifying usage of a recipient database located in the default path
If the recipient database is located in a folder below the default path, it is necessary to specify the Recipient
DB parameter as follows: my_folder/my_recipient.db.
If specifying a recipient database, make sure that its content is configured properly. If no email address is
specified within, then all email recipients are blocked.
15.6 Updating Recipient Database
Best practice suggests frequent renewals of the recipient database. As database entries cannot be
deleted singly, it is necessary to delete the recipient database followed by creating it anew containing
all up-to-date email addresses. You may use scripts to perform this task.
Make up your mind regarding the administration of recipient databases before introducing them. Address
maintenance is also possible through Barracuda NG Admin. Email addresses entered through the setbdb
command will not be recognized by Barracuda NG Admin, though.
You should, in order to avoid email troubles, either maintain a database through Barracuda NG Admin (see
Chapter Mail Gateway in the Barracuda NG Firewall Administrator’s Guide) or another one at the command
line interface, but not both.
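One way to script the rebuild described above (added example, not the guide’s or the product’s code): the address list is written into a temporary file with setbdb and swapped in only when at least one valid address was stored, so the empty-database case of 15.5, which blocks every recipient, cannot be installed by accident. SETBDB is a hypothetical override naming the setbdb command so the script can be exercised without the mail gateway.

```shell
#!/bin/bash
# Added example, not from the Barracuda guide: rebuilds a recipient
# database from a plain address list, because single entries cannot be
# removed from the DB (section 15.6). The new DB is built in a temporary
# file with setbdb and swapped in atomically; an empty list is refused,
# since an empty recipient DB blocks every recipient (section 15.5).
# SETBDB is a hypothetical override naming the setbdb command so the
# script can be exercised without the mail gateway.
set -u
SETBDB="${SETBDB:-setbdb}"

# read_recipients <listfile>
# Prints the usable addresses of a list file, one per line: '#' comments
# and blank lines are dropped, whitespace is trimmed, lines that are not
# a single user@domain token are skipped, duplicates are printed once.
read_recipients() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | awk 'NF == 1 && $1 ~ /^[^@]+@[^@]+$/ && !seen[$1]++'
}

# rebuild_recipient_db <listfile> <dbfile>
# Return codes: 0 DB replaced; 1 list missing or setbdb failed (old DB kept);
# 2 no usable address in the list (old DB kept).
rebuild_recipient_db() {
    local list="$1" db="$2" tmp addrs addr count=0
    [ -f "$list" ] || { echo "list not found: $list" >&2; return 1; }
    addrs="$(read_recipients "$list")"
    if [ -z "$addrs" ]; then
        echo "no usable address in $list; refusing to install an empty DB" >&2
        return 2
    fi
    tmp="${db}.new.$$"
    rm -f "$tmp"
    # Same call as the guide's figure 15-53: key "<addr>", empty value.
    while IFS= read -r addr; do
        "$SETBDB" "<${addr}>" "" "$tmp" || { rm -f "$tmp"; return 1; }
        count=$((count + 1))
    done <<EOF
$addrs
EOF
    mv -f "$tmp" "$db" || { rm -f "$tmp"; return 1; }
    echo "$db rebuilt with $count recipients"
}
```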
15.7 Backing Up Recipient Databases
Recipient databases are not included within box backup (PAR) files created with the phionar tool. For
emergency restore, it is recommended to hold an up-to-date copy of the database in a safe place.
Chapter 16
conftool
General ................................................................................... 76
conftool commands ................................................................. 76
conftool options [rmc] for Barracuda NG Control Centers ...... 76
Examples ................................................................................ 77
16.1 General
This tool can be used to rebuild database files or a whole configuration tree manually, either from a
box configuration or from a Barracuda NG Control Center range configuration. This might eventually
be necessary if a configuration tree shows inconsistent entries, e.g. if Mail Gateway configuration
objects suddenly appear in the firewall configuration section or similar effects are encountered. This is
usually caused by invalid, corrupt or inconsistent database files.
The synopses are:
• For a box configuration tree rebuild: conftool b [cmd]
• For a CC range configuration tree rebuild: conftool [rmc] [server_service] [cmd]
16.2 conftool commands
16.2.1 conftool b help
Displays all options available with conftool.
16.2.2 conftool b rebuild_cache
Performs a complete rebuild of the tree cache.
16.2.3 conftool b rebuild_db
Performs a complete rebuild of the database files.
16.3 conftool options [rmc] for Barracuda NG Control Centers
16.3.1 conftool r
Performs a complete rebuild of the range-configuration tree.
16.3.2 conftool m
Performs a complete rebuild of the multi-cluster-configuration tree.
16.3.3 conftool c
Performs a complete rebuild of the single-cluster-configuration tree.
16.4 Examples
• conftool b rebuild_db
Rebuilds the box configuration database files on the executing box.
• conftool r main_config rebuild_cache
Rebuilds the range-configuration-tree cache of the config service on the main server.
Take into consideration that the main server must be a Barracuda NG Control Center server while the config
service needs to be a rangeconf service.
• conftool r - activate nosend norule
Rebuilds the reference database (noderef.db) but does not update firewall rulesets (norule). The
nosend argument prevents the sending of config updates to the Barracuda NG Firewall gateways.
Only execute this command if recommended by Barracuda Networks support.
Chapter 17
phionar - Archive Tool
General ................................................................................... 80
phionar .................................................................................... 80
Creating PAR Files for Backup ............................................... 84
Emergency Restore ................................................................ 85
17.1 General
phionar is a powerful tool used for backing up and saving the configuration of a box. The file extension
for phionar-created files is *.par (Portable ARchive).
To get a list of all options for phionar, simply type:
[root@mybox:~] phionar
Fig. 17–57 List of all phionar options
[root@winix:~]# phionar
phionar [arxsdv] archive files
operations
a ... add files to archive
c ... create new archive and add files
r ... remove files from archive
x ... extract files from archive
k ... add pathnames to be removed (think first !)
options
d ... deep (recursively descend into directories)
l ... keep links
p ... preserve uids
v ... verbose output
e ... abort on error
Since Barracuda NG Firewall 4.2.11, it is possible to create PARs bigger than 2 GB and to add files bigger
than 2 GB to PARs. See the descriptions of phionar cdlp2 and phionar a2 below.
17.2 phionar
17.2.1 phionar a
Adds specific files to an already existing archive. Asterisks (*) can be used for adding all files in a
directory to an archive.
Fig. 17–58 Example for phionar a usage
[root@winix:/tmp]# phionar a myarchive.par /opt/phion/config/configroot/box.conf
In the example shown above in figure 17–58, box.conf located within /opt/phion/config/configroot is
added to an already existing archive file named myarchive.par within the /tmp folder.
17.2.2 phionar a2
Works like phionar a, but is used for adding files to an archive file that has a size of 2 GB or more.
The files added may also have less or more than 2 GB.
Fig. 17–59 Example for phionar a2 usage
[root@winix:/tmp]# phionar a2 archiveFileWith2GBOrMore.par fileToAddWith2GB
[root@winix:/tmp]# phionar a2 archiveFileWith2GBOrMore.par smallFile
17.2.3 phionar c
Creates a new archive. Using the c option without further commands creates an empty archive. Use
asterisks (*) to add all files in a directory to an archive, otherwise specify the file names individually.
Combine phionar c with phionar d for stepping into every directory recursively starting at the
current level; also see 17.2.9 phionar d, page 84 regarding this, and phionar l for the preservation
of links; described in 17.2.10 phionar l, page 84.
Fig. 17–60 Example for phionar c, phionar cd and phionar cdl output
[root@winix:/tmp]# phionar cdl myarchive.par /opt/phion/config/configroot/*
[2005-11-15 13:23 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar s myarchive.par
f 143 100644 0 0 /opt/phion/config/configroot/1
d 0 040755 0 0 /opt/phion/config/configroot/LostAndFound
d 0 040755 0 0 /opt/phion/config/configroot/LostAndFound/GCSID_procpar_cmdline_522
...
f 136 100600 0 0 /opt/phion/config/configroot/boxnet.desc
f 129 100644 0 0 /opt/phion/config/configroot/boxnet.param
d 0 040755 0 0 /opt/phion/config/configroot/boxother
f 139 100600 0 0 /opt/phion/config/configroot/boxother.desc
f 129 100644 0 0 /opt/phion/config/configroot/boxother.param
In the example above, figure 17–60, all files located within /opt/phion/config/configroot and
the subfolders are added to an archive file named myarchive.par in the /tmp directory.
17.2.4 phionar cdlp2
Works like phionar c, but is used for creating an archive that may reach a size of 2GB or exceed
this size.
Fig. 17–61 Example for phionar cdlp2
[root@winix:/tmp]# phionar cdlp2 bigArchive.par fileList
17.2.5 phionar r
Removes files from an existing archive. The archive will not be extracted.
Fig. 17–62 Example for phionar r output
[2005-11-14 16:24 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar s myarchive.par
f 13 100644 0 0 ./boxadm.param
f 19 100644 0 0 ./boxkey.conf
f 14 100644 0 0 ./boxkey.param
f 4 100600 0 0 ./myarchive.par
d 0 040755 0 0 ./tmp
f 12 100644 0 0 ./tmp/box.desc
f 13 100644 0 0 ./tmp/boxadm.desc
f 15 100644 0 0 ./tmp/boxkey.desc
[2005-11-14 16:25 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar r myarchive.par ./tmp ./tmp/*
[2005-11-14 16:25 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar s myarchive.par
f 13 100644 0 0 ./boxadm.param
f 19 100644 0 0 ./boxkey.conf
f 14 100644 0 0 ./boxkey.param
f 4 100600 0 0 ./myarchive.par
It is important to use the very same name that is shown with the s option to delete a file in the archive.
phionar r myarchive.par tmp/* will not remove the files in the archive. Use phionar r
myarchive.par ./tmp/* instead.
17.2.6 phionar x
Extracts single files from an existing archive. The file inside the archive will not be deleted.
Fig. 17–63 Example for phionar x output
[root@winix:/tmp]# ls -l
-rw-------   1 root     root          359 Nov 14 16:31 myarchive.par
[2005-11-14 16:32 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar s myarchive.par
f 13 100644 0 0 ./boxadm.param
f 19 100644 0 0 ./boxkey.conf
f 14 100644 0 0 ./boxkey.param
d 0 040755 0 0 ./tmp
f 12 100644 0 0 ./tmp/box.desc
f 13 100644 0 0 ./tmp/boxadm.desc
f 15 100644 0 0 ./tmp/boxkey.desc
[2005-11-14 16:32 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar x myarchive.par box*
[2005-11-14 16:33 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# ls -l
-rw-r--r--   1 root     root           13 Nov 14 16:33 boxadm.param
-rw-r--r--   1 root     root           19 Nov 14 16:33 boxkey.conf
-rw-r--r--   1 root     root           14 Nov 14 16:33 boxkey.param
-rw-------   1 root     root          359 Nov 14 16:31 myarchive.par
In the example shown in figure 17–63 all files beginning with box* have been extracted from the
archive. When extracting files from an archive, the leading ./ (dotslash) may be ignored. If the archive
contains that specific file, it will be extracted.
17.2.7 phionar k
Marks files or whole folders in an archive as deleted. In the example shown in figure 17–64, the file
./boxadm.param has been marked as deleted with an upper case ’R’.
Use this option with great care. Extracting a file which has been marked as deleted will delete a file of the
same name in the target directory. When deleting a file with the option k make use of the file name syntax
exactly as shown in the output with phionar s including a leading ./.
Fig. 17–64 Example for phionar k output
[2005-11-15 07:56 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar s myarchive.par
f 13 100644 0 0 ./boxadm.param
f 19 100644 0 0 ./boxkey.conf
f 14 100644 0 0 ./boxkey.param
d 0 040755 0 0 ./tmp
f 11 100644 0 0 ./tmp/box.desc
f 12 100644 0 0 ./tmp/boxadm.desc
f 16 100644 0 0 ./tmp/boxkey.desc
[2005-11-15 07:58 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar k myarchive.par ./boxadm.param
[2005-11-15 07:59 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar s myarchive.par
R 0 000000 -1 -1 ./boxadm.param
f 19 100644 0 0 ./boxkey.conf
f 14 100644 0 0 ./boxkey.param
d 0 040755 0 0 ./tmp
f 11 100644 0 0 ./tmp/box.desc
f 12 100644 0 0 ./tmp/boxadm.desc
f 16 100644 0 0 ./tmp/boxkey.desc
17.2.8 phionar options
The following options are used in combination with the phionar c operation (17.2.3 phionar c,
page 81).
17.2.9 phionar d
Used for adding whole directories and subdirectories to an archive. Without this option, only files found
within the top level directory will be added to the archive.
17.2.10 phionar l
Preserves links. Without this option, links will be treated as regular files.
17.2.11 phionar p
Preserves all user and group information. If option p is not used, then the user executing the command
takes over the ownership of the packed files.
17.2.12 phionar v
Verbose option for printing a log of all performed steps to the standard output. Especially if an archive
does not look as expected this option is very helpful.
Fig. 17–65 Example for phionar cv output
[2005-11-15 09:18 CET] [-root shell-] [-powered by Cuda IT-]
[root@winix:/tmp]# phionar cv myarchive.par
add f 13 100644 0 0 ./boxadm.param
add f 19 100644 0 0 ./boxkey.conf
add f 14 100644 0 0 ./boxkey.param
add d 0 040755 0 0 ./tmp
add f 11 100644 0 0 ./tmp/box.desc
add f 12 100644 0 0 ./tmp/boxadm.desc
add f 16 100644 0 0 ./tmp/boxkey.desc
17.2.13 phionar ea
Adding option e as a parameter aborts the phionar action if an error occurs.
17.3 Creating PAR Files for Backup
The phionar tool can be found on every Barracuda NG Firewall system. It can be used to back up
configurations of single boxes or rather box configurations on a Barracuda NG Control Center (CC). A
cron job can be used to make e.g. a daily backup of the configuration files. The archive files should then
be stored on a separate computer.
To create a complete archive of a box configuration, enter the following commands:
cd /opt/phion/config/configroot/
phionar cdl /backuppath/box.par *
Below is an example for a backup script that can be used to back up the configuration of a CC.
Fig. 17–66 Example for a backup script
#!/bin/bash
#echo "Backup-Script for Barracuda NG Firewall"
#echo "---------------------------------"
#echo "Creation of archive files"
#echo "ftp or scp -transfer onto 10.0.0.1"
#echo "---------------------------------"
#LOGFILE=/tmp/backup.log
#echo "Starting backup" >> ${LOGFILE}
# Both archive names are absolute paths carrying a timestamp.
FILENAME1=/root/archive_`date +%Y_%m_%d_%H_%M`.par
FILENAME2=/root/manbox_`date +%Y_%m_%d_%H_%M`.par
# CC tree (configroot and history) ...
cd /opt/phion/maintree
/opt/phion/bin/phionar cdl ${FILENAME1} configroot/* history/*
# ... and the CC's own box configuration.
cd /opt/phion/config/configroot/
/opt/phion/bin/phionar cdl ${FILENAME2} *
#########################
#
# Example of ncftp: Note ncftp is NOT installed by default!
# (-DD deletes the local file after a successful upload.)
#
/usr/bin/ncftpput -DD -V -u user -p password 10.10.10.60 / ${FILENAME1}
/usr/bin/ncftpput -DD -V -u user -p password 10.10.10.60 / ${FILENAME2}
#########################
#
# Example of scp: Note: You have to exchange your keys with the destination!
# (${FILENAME1}/${FILENAME2} are already absolute, so they are not prefixed
# with /root/ again; the remote user is given as user@host.)
#
/usr/bin/scp ${FILENAME1} user@10.0.0.1:/backup/
/usr/bin/scp ${FILENAME2} user@10.0.0.1:/backup/
#########################
#
# Garbage Collection
#
#rm -f ${FILENAME1}
#rm -f ${FILENAME2}
17.4 Emergency Restore
For safety reasons you should always store a box.par file containing the running configuration in a safe
place.
In case of a severe misconfiguration (e.g. the server’s online connectivity does not function properly),
the following steps may help to solve the problem.
1.) Get box.par
Retrieve the box.par file with the last working configuration and copy it onto a USB-Flash drive.
Attach the USB-Flash drive to the affected server.
2.) Login and copy
Log in as root using your password and perform the following commands:
mkdir /mnt/usb
modprobe usb-storage
mount /dev/sda1 /mnt/usb
cp /mnt/usb/box.par /opt/phion/update/
umount /mnt/usb
/etc/rc.d/init.d/phion stop
/etc/rc.d/init.d/phion start
If you use a SCSI or a RAID controller, the sda1 partition is probably already in use. In this case the USB-Flash
drive will use another label (e.g. sdb1). With the command mount -l you can find out about the label in use.
3.) Check
Check whether the system has the correct IPs and interfaces using the command ifconfig.
4.) Reconnect
Connect using Barracuda NG Admin.
It is also possible to restore a box using shell access (SSH). For this, copy the box.par file to
/opt/phion/update/ and enter the following command:
/etc/rc.d/init.d/phion stop && /etc/rc.d/init.d/phion start
Make sure the whole command is entered in one line.
Chapter 18
phionrcscleanup
Overview ................................................................................. 88
How to Set Up as Cron Job.................................................... 89
18.1 Overview
phionrcscleanup is a tool to clean up the Revision Control System (RCS) directory. You specify the retention
period as a number of days, months or years, or as an absolute date.
All versions stored within an RCS file that are older than the date calculated from the time option are erased
from the file header, and the file body is truncated at the same position.
Database files that have accidentally been added to RCS are erased from the specified directory.
Because the phionrcscleanup command manipulates RCS files directly, Barracuda Networks recommends
blocking the rangeconf service while it runs, in order to avoid serious damage to the files within the RCS directories.
If the Barracuda NG Control Center you want to clean up is HA synced, you must also block the boxconfig
service and run the tool on both appliances.
18.1.1 Options
In order to obtain a list of all phionrcscleanup options, type phionrcscleanup in the shell.
Fig. 18–67 phionrcscleanup options
phionrcscleanup version 1.0
Copyright (c) 2008 Barracuda Networks Inc. All rights reserved.
To start the program, please use the following options:
phionrcscleanup --path=<file_path | dir_path> < 1 | 2 | 3 | 4 >| --verbose | --no-check
where:
1 := --date=< date yyyy.mm.dd>,
2 := --days=< days_number >,
3 := --months=< months_number >,
4 := --years= < years_number >.
Table 18–5 List of phionrcscleanup options
Option       Description
--path=      path to a directory to scan for RCS files, or a single RCS file
--date=      specific date (yyyy.mm.dd); all versions older than this date will be deleted
--days=
--months=    number of days/months/years back from today; all versions older than the resulting date will be deleted
--years=
--verbose    write status information to the command line
--no-check   do not make an integrity check of the file content before saving it to disk
18.2 How to Set Up as Cron Job
18.2.1 Example 1
Set up a cron job for this command line tool using Barracuda NG Admin.
• Log in to the Control Center with the box IP address and select Advanced Configuration > System Scheduler.
• Select the chronology in which you want to set up the job, for example Monthly Schedule.
• Give a description within the Description parameter.
• At the position of the Command parameter, enter for example:
  phionrcscleanup --path=/opt/phion/rangetree/configroot/Revision --months=6
• Specify the scheduling times.
18.2.2 Example 2
Set up a cron job using the command line:
Fig. 18–68
* * * * * command to be executed
- - - - | | | | |
| | | | ----- Day of week (0 - 7) (Sunday=0 or 7)
| | | ------- Month (1 - 12)
| | --------- Day of month (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)
Fig. 18–69 Example for CC
crontab -e
0 0 1 * * phionctrl module block rangeconf; /opt/phion/bin/phionrcscleanup --path=/opt/phion/rangetree/configroot/Revision --months=1; phionctrl module start rangeconf;
Fig. 18–70 Example for HA-CC
crontab -e
0 0 1 * * phionctrl box block boxconfig; phionctrl module block rangeconf; /opt/phion/bin/phionrcscleanup --path=/opt/phion/rangetree/configroot/Revision --months=1; phionctrl module start rangeconf; phionctrl box start boxconfig;
18.2.3 Example 3
Place a script in one of the cron directories in /etc/cron.* to start the job daily, hourly, weekly or
monthly:
Fig. 18–71 Example script CC
#!/bin/bash
phionctrl module block rangeconf;
/opt/phion/bin/phionrcscleanup --path=/opt/phion/rangetree/configroot/Revision --days=10;
phionctrl module start rangeconf;
Fig. 18–72 Example script HA-CC
#!/bin/bash
phionctrl box block boxconfig;
phionctrl module block rangeconf;
/opt/phion/bin/phionrcscleanup --path=/opt/phion/rangetree/configroot/Revision --days=10;
phionctrl module start rangeconf;
phionctrl box start boxconfig;
Fig. 18–73 Example usage and output
phionrcscleanup --path=/opt/phion/rangetree/configroot/Revision --days=30 --verbose
phionrcscleanup version 1.0
Copyright (c) 2008 Barracuda. All rights reserved.
Processing file: opt/phion/rangetree/configroot/Revision/0/RCS/range.conf,v
Opening file for reading...
OK
Retrieving information from file...
Ok
Parsing file...
OK
Checking file integrity...
OK
Save file to disk...
OK
Processing file: opt/phion/rangetree/configroot/Revision/0settings/RCS/fwobj.fwobj,v
Opening file for reading...
OK
Retrieving information from file...
Ok
Parsing file...
OK
Checking file integrity...
OK
Save file to disk...
OK
...
Finished Successfully
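The scheduled job from Examples 2 and 3, written as one wrapper script. This is an added example, not Barracuda's own script: it performs the same sequence (block rangeconf, and boxconfig on an HA-CC, run phionrcscleanup, start the services again), and adds what an unattended job needs: the retention option is validated before anything is blocked, a lock directory prevents two runs from overlapping, and an EXIT trap restarts the services even if the cleanup aborts, so a failed run cannot leave rangeconf blocked until someone notices. The RCS path and the retention value are the guide's; the lock directory, the HA_CC switch and the RUN_RCS_CLEANUP variable are this example's own.

```bash
#!/bin/bash
# Cron wrapper for phionrcscleanup (added example, not Barracuda's own script).
# Same steps as the guide's Example 2/3 scripts, plus option validation, a
# lock against overlapping runs and a trap that restarts the services on any
# exit. RCS_PATH and RETENTION are the guide's values; LOCKDIR, HA_CC and
# RUN_RCS_CLEANUP are assumptions of this example.

RCS_PATH="${RCS_PATH:-/opt/phion/rangetree/configroot/Revision}"
RETENTION="${RETENTION:---months=1}"
LOCKDIR="${LOCKDIR:-/var/lock/phionrcscleanup.lock}"
HA_CC="${HA_CC:-no}"   # yes on an HA-synced Control Center (run on both boxes)

# validate_retention OPT: accept exactly the forms phionrcscleanup documents
# (--date=yyyy.mm.dd or --days/--months/--years=<n>). A single-dash typo such
# as '-days=10' is rejected here instead of surfacing in the tool's output.
validate_retention() {
    case $1 in
        --date=[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]) return 0 ;;
        --days=*|--months=*|--years=*)
            case ${1#*=} in
                ''|*[!0-9]*) ;;   # empty or non-numeric: fall through to the error
                *) return 0 ;;
            esac ;;
    esac
    echo "bad retention option '$1': expected --date=yyyy.mm.dd or --days/--months/--years=<n>" >&2
    return 1
}

# Block order follows the guide: boxconfig first (HA-CC only), then rangeconf.
block_services() {
    if [ "$HA_CC" = yes ]; then phionctrl box block boxconfig; fi
    phionctrl module block rangeconf
}

# Start in reverse order. This runs from the EXIT trap, so it also happens
# when phionrcscleanup fails or the job is killed.
start_services() {
    phionctrl module start rangeconf
    if [ "$HA_CC" = yes ]; then phionctrl box start boxconfig; fi
}

# cleanup_rcs: returns 1 on a bad option, 2 if another run holds the lock,
# otherwise the exit status of phionrcscleanup.
cleanup_rcs() {
    validate_retention "$RETENTION" || return 1
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "phionrcscleanup already running (lock $LOCKDIR exists)" >&2
        return 2
    fi
    trap 'start_services; rmdir "$LOCKDIR"' EXIT
    block_services
    # Keep the integrity check (no --no-check): the tool rewrites and truncates
    # the ,v files in place, so a file it cannot verify must not be written back.
    phionrcscleanup --path="$RCS_PATH" "$RETENTION" --verbose
}

# Run only when invoked with RUN_RCS_CLEANUP set, e.g. from a crontab line:
#   0 0 1 * * RUN_RCS_CLEANUP=1 /path/to/this/script
if [ -n "${RUN_RCS_CLEANUP:-}" ]; then
    cleanup_rcs
fi
```

On an HA-CC, install the script on both appliances with HA_CC=yes; the minute and hour fields in the crontab line above are set so the job runs once on the first day of each month rather than every minute of that day.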
Chapter 19
Linux Networking Commands
General ................................................................................... 92
ip ............................................................................................. 92
tcpdump .................................................................................. 93
19.1 General
The commands listed here are, among others, particularly useful for finding and solving
networking problems.
19.2 ip
The ip tool is a TCP/IP interface configuration and routing utility. Routing, devices, policy routing, and
tunnels can be viewed and manipulated with it. Furthermore, it serves to configure network interfaces
in various ways.
To see all options of ip, simply type ip at the CLI. This chapter only explains the
more frequently used options. For further information please refer to the man pages.
19.2.1 ip a
Displays the list of used network interfaces (physical and virtual) with assigned MAC addresses.
Fig. 19–74 Example for ip a output
[root@winix:/]# ip a
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/24 brd 127.0.0.255 scope host lo:loop
2: tap0: <BROADCAST,MULTICAST,NOARP,UP> mtu 1500 qdisc noqueue
link/ether fe:fd:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 127.0.1.1/24 brd 127.0.1.255 scope host tap0:fw
3: tap1: <BROADCAST,MULTICAST,NOARP,UP> mtu 1500 qdisc noqueue
link/ether fe:fd:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 127.0.2.1/24 brd 127.0.2.255 scope host tap1:vpn
inet 169.254.1.11/32 scope global tap1:aux1
4: tap2: <BROADCAST,MULTICAST,NOARP,UP> mtu 1500 qdisc noqueue
link/ether fe:fd:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 127.0.3.1/24 brd 127.0.3.255 scope host tap2:vpnpers
inet 169.254.1.11/32 scope global tap2:aux2
19.2.2 ip r g <network address>
Displays the routing decision for a specific IP address: the device it is bound to (or reached through) and the source address that would be used.
Fig. 19–75 Example for ip r g output
[root@winix:/]# ip r g 10.0.6.31
local 10.0.6.31 dev lo src 10.0.6.31
cache <local> mtu 16436 advmss 16396
19.2.3 ip a a <IP> dev <device name>
Adds an IP address to a device.
The IP address is removed again when the network or the box is restarted.
Fig. 19–76 Example for usage of ip a a
[root@winix:/]# ip a a 10.0.4.236 dev eth2
A device route is only added if a netmask has been given together with the IP address.
19.2.4 ip a d <IP> dev <device name>
Deletes an IP address from the specified device.
Fig. 19–77 Example for usage of ip a d
[root@winix:/]# ip a d 10.0.4.236 dev eth2
If this command is used to remove a server or box IP address, the control daemon will notice and
reintroduce the deleted IP address.
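Two small helpers for working with the ip a output shown in Fig. 19–74, added here as an example (not from the Barracuda guide). parse_ip_a turns the output into one "device address label" line per address, and has_addr checks whether a device currently carries a given address, which is the check you want after an ip a a or ip a d when the text above says the address may vanish at the next restart or be re-added by the control daemon. The embedded sample is the guide's own Fig. 19–74 output, so both functions run without a live box; on a box, pipe the live command into them (ip a | has_addr eth2 10.0.4.236).

```bash
#!/bin/bash
# Parse 'ip a' output (added example, not part of the Barracuda guide).
# SAMPLE_IP_A is the guide's Fig. 19-74 output, embedded so this runs offline.

SAMPLE_IP_A='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/24 brd 127.0.0.255 scope host lo:loop
2: tap0: <BROADCAST,MULTICAST,NOARP,UP> mtu 1500 qdisc noqueue
    link/ether fe:fd:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 127.0.1.1/24 brd 127.0.1.255 scope host tap0:fw
3: tap1: <BROADCAST,MULTICAST,NOARP,UP> mtu 1500 qdisc noqueue
    link/ether fe:fd:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 127.0.2.1/24 brd 127.0.2.255 scope host tap1:vpn
    inet 169.254.1.11/32 scope global tap1:aux1
4: tap2: <BROADCAST,MULTICAST,NOARP,UP> mtu 1500 qdisc noqueue
    link/ether fe:fd:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 127.0.3.1/24 brd 127.0.3.255 scope host tap2:vpnpers
    inet 169.254.1.11/32 scope global tap2:aux2'

# parse_ip_a: read 'ip a' text on stdin, print "dev addr/prefix label".
# A header line 'N: dev: <...>' names the device; every following 'inet'
# line belongs to it, and its last field is the address label (e.g. tap1:aux1).
parse_ip_a() {
    awk '
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); next }
        $1 == "inet" { print dev, $2, $NF }
    '
}

# has_addr DEV IP: succeed if DEV carries IP (any prefix length) in the
# 'ip a' text on stdin. On a live box: ip a | has_addr eth2 10.0.4.236
has_addr() {
    parse_ip_a | awk -v d="$1" -v a="$2" '
        $1 == d { split($2, p, "/"); if (p[1] == a) found = 1 }
        END { exit !found }
    '
}

# Usage on the embedded sample: print the table, then check one address.
printf '%s\n' "$SAMPLE_IP_A" | parse_ip_a
if printf '%s\n' "$SAMPLE_IP_A" | has_addr tap1 169.254.1.11; then
    echo "tap1 carries 169.254.1.11"
fi
```

Note that the sample shows 169.254.1.11/32 on both tap1 and tap2, so has_addr must be asked per device; a plain grep for the address would not tell you which interface has it.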
19.3 tcpdump
tcpdump is a sniffer tool capturing packets off a network interface and interpreting them. tcpdump
prints out the headers of packets on a network interface that match the Boolean expression. tcpdump
understands all basic Internet protocols. It can also be used to save entire packets for later inspection.
• Option -i [interface] / any
Use tcpdump with -i to specify an interface name. and/or can be used to combine multiple devices. Use any instead to run tcpdump on all available interfaces.
• host
Specify the host's IP address. and/or can be used to combine multiple hosts.
• port
Specify the queried port. and/or may be used to combine multiple ports.
Fig. 19–78 Syntax examples for tcpdump usage
[root@winix:/]# tcpdump -i eth0 -nnn -s0 host 10.0.10.10 and host 10.0.10.11 and port 801
[root@winix:/]# tcpdump -v -vv -n -nn -s0 -i any host 192.168.10.1 and 212.72.195.42 and port 443
[root@winix:/]# tcpdump -v -vv -n -nn -s0 -i any -w /tmp/dump.cap host 192.168.10.1 and 212.72.195.42 and port 443
Refer to the man pages for further information on the available options of tcpdump.
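The host/port combining described above, as an added example that is not part of the Barracuda guide: bpf_filter builds the capture expression from lists of hosts and ports so the and/or joins are generated rather than typed by hand, and capture_to_file reuses the guide's -nn -s0 -w form for writing packets to disk. The rotation flags -C and -W (file size in MB and number of files) are standard tcpdump options this example adds so that a capture left running for later inspection cannot fill the disk; the interface, file name and sizes are this example's own choices.

```bash
#!/bin/bash
# tcpdump helpers (added example, not from the Barracuda guide).
# Interface, output file and rotation sizes below are assumptions.

# bpf_filter HOST_OP "HOSTS" "PORTS": print a capture filter expression.
# HOST_OP joins the hosts: "and" selects traffic between exactly these hosts
# (as in the guide's examples), "or" traffic involving any of them. Ports are
# joined with "or"; the host and port parts are combined with "and".
bpf_filter() {
    local host_op=$1 hosts=$2 ports=$3 h p hexpr= pexpr=
    for h in $hosts; do
        hexpr="${hexpr:+$hexpr $host_op }host $h"
    done
    for p in $ports; do
        pexpr="${pexpr:+$pexpr or }port $p"
    done
    if [ -n "$hexpr" ] && [ -n "$pexpr" ]; then
        printf '(%s) and (%s)\n' "$hexpr" "$pexpr"
    else
        printf '%s%s\n' "$hexpr" "$pexpr"
    fi
}

# capture_to_file IFACE FILE FILTER: the guide's -nn -s0 -w form, plus -C/-W
# so a long-running capture rotates through a bounded set of files
# (10 files of 100 MB here) instead of filling the disk. Needs root; not run below.
capture_to_file() {
    local iface=$1 file=$2 filter=$3
    tcpdump -nn -s0 -i "$iface" -C 100 -W 10 -w "$file" "$filter"
}

# Usage: the guide's first example, with the filter generated.
f=$(bpf_filter and "10.0.10.10 10.0.10.11" 801)
echo "tcpdump -i eth0 -nn -s0 $f"
```

Passing the whole expression as one quoted argument is fine: tcpdump concatenates the remaining arguments into the filter, and quoting keeps the shell from interpreting the parentheses.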