A firewall is an indispensable, yet expensive, piece of every network. To overcome the cost issue, many organizations have turned to Linux firewalls, which can be implemented by purchasing or downloading a low-cost Linux distribution and installing it on commodity hardware. The drawback of a Linux firewall is that it can be somewhat difficult to manage. However, this isn’t the case with iptables when it is used with Bifrost.

By itself, iptables can certainly be difficult to manage, requiring a deep knowledge of the various command-line options and exactly how to use them. Bifrost removes this management headache by providing a Web-based GUI front end for iptables.

For Bifrost to work, you must be running at least version 1.2.3 of iptables. To check which version you are running, you can enter the following command on your Linux server:
/sbin/iptables –version

If you are running an older version, you will need to upgrade it before you can use Bifrost. You can get the latest version from the Netfilter/Iptables Web site.

You also need a utility named iproute2. My Red Hat Linux 7.2 server has it included in the distribution at /etc/iproute2.

Next, you need to have Apache installed. If you do not have it, you can get it from Apache.org. The current version is 1.3.24. A default installation will work for this product with one exception. A standard Apache installation runs as “nobody,” which would open some serious security holes because of the way Bifrost runs. As a result, I created a user named “Apache” and used the following configuration line for my Apache installation:
./configure –prefix=/usr/local/apache –server-uid=apache

Finally, you need Perl. Almost all common Linux distributions include a version of Perl that will work with Bifrost, but if you need Perl, you can get it from your Linux distribution’s CD or download it.

Obtaining and installing Bifrost
The most recent version of Bifrost is 0.9, and you can download it from the Bifrost Web site. I saved this download into /usr/src on my server and used the commands in Table A to install it.

Table A
Commands Explanation
cd /usr/src Switches to the /usr/src directory where the Bifrost archive was saved
gunzip -dc Bifrost.0.9.0.tgz | tar xvf Unzips the Bifrost archive
cd Bifrost.0.9.0 Switches to the Bifrost directory
mv Bifrost /etc/ Moves the Bifrost data files under the /etc directory
mv iptables /etc/sysconfig Moves the iptables configuration file to /etc/sysconfig
mv fw.cgi /usr/local/apache/cgi-bin Moves the Bifrost CGI program to the Apache cgi-bin directory
chown apache.root /etc/sysconfig/iptables Assigns the Apache user ownership of the iptables configuration
chmod +s /usr/local/apache/cgi-bin/fw.cgi  
chmod +s /sbin/iptables-save  
chown apache.apache /etc/Bifrost/* Assigns the Apache user ownership of the Bifrost files
chown apache.root /sbin/iptables Assigns the Apache user and the root group ownership of iptables
chmod +x /sbin/iptables  
chmod +s /sbin/iptables  
chmod +r /var/log/messages  
Bifrost installation steps

Following the steps above completes the installation of Bifrost. Make sure that Apache is started. If it isn’t, start it with the command:
/usr/local/apache/bin/apachectl start

You’ll also want to make sure Apache is set up to start at boot time.

Using Bifrost
Once you have Apache running and have completed the steps above, you can start to use Bifrost. Browse to http://server-ip-address/cgi-bin/fw.cgi. (For example, for my installation, I will browse to Figure A shows the first Bifrost page you will see.

Figure A
The Bifrost main page

This page includes information showing you the current firewall activity. By clicking on Current Traffic Status, you will get output similar to this.

This tells you that a TCP connection has been established from (my workstation) to (the server running Bifrost) on port 80. This makes sense, because I have a Web connection to Bifrost.

Bifrost also includes an Interface Statistics And Status option, which, for my installation, yields the results in Figure B.

Figure B
Interface statistics

Adding rules is easier with Bifrost than using the command line for iptables as well. By clicking on incoming rules and adding a new rule, I can set up my iptables implementation to accept both SMTP and Web traffic. Figure C shows an example.

Figure C
Adding a rule to allow Web and SMTP traffic

An overview with a list of rules is also available. Figure D shows an example from the Bifrost demo site (since my testing server only has one interface).

Figure D
An overview of the iptables rules in Bifrost

Here is a brief look at what can be done with Bifrost:

  • ·        Dropping—You can add rules that override all other rule sets to drop the traffic specified. This is useful if you want to block access to a specific range of IP addresses.
  • ·        Incoming Traffic—You can manage traffic coming from the outside to the inside of your network. This is useful when you have mail or Web servers behind your firewall.
  • ·        Outgoing Traffic—You can manage traffic leaving your network. For example, don’t want your users using IM? Add a rule to drop it by blocking the outgoing IM traffic.
  • ·        Manage Interfaces—You can add or remove interfaces on your server.
  • ·        Manage NAT—You can add NAT rules to or remove them from your server.

Bifrost can help to take the pain out of managing an iptables implementation by adding a GUI front end to the process. Keep in mind that version 0.9 is the first public release, so this product is still being developed. In addition, there is very little documentation, so you’ll need to go at it on your own for the most part. I am sure that once a final release date gets closer, a manual will be added. In the meantime, Bifrost still provides good functionality for configuring iptables.