کد:
http://articles.techrepublic.com.com/5100-10878_11-1047998.html?tag=rbxccnbtr1
A firewall is an indispensable, yet expensive, piece of every network. To overcome the cost issue, many organizations have turned to Linux firewalls, which can be implemented by purchasing or downloading a low-cost Linux distribution and installing it on commodity hardware. The drawback of a Linux firewall is that it can be somewhat difficult to manage. However, this isn't the case with iptables when it is used with Bifrost.

By itself, iptables can certainly be difficult to manage, requiring a deep knowledge of the various command-line options and exactly how to use them. Bifrost removes this management headache by providing a Web-based GUI front end for iptables.

Requirements
For Bifrost to work, you must be running at least version 1.2.3 of iptables. To check which version you are running, you can enter the following command on your Linux server:
/sbin/iptables --version

If you are running an older version, you will need to upgrade it before you can use Bifrost. You can get the latest version from the Netfilter/Iptables Web site.

You also need a utility named iproute2. My Red Hat Linux 7.2 server has it included in the distribution at /etc/iproute2.

Next, you need to have Apache installed. If you do not have it, you can get it from Apache.org. The current version is 1.3.24. A default installation will work for this product with one exception. A standard Apache installation runs as "nobody," which would open some serious security holes because of the way Bifrost runs. As a result, I created a user named "Apache" and used the following configuration line for my Apache installation:
./configure --prefix=/usr/local/apache --server-uid=apache

Finally, you need Perl. Almost all common Linux distributions include a version of Perl that will work with Bifrost, but if you need Perl, you can get it from your Linux distribution's CD or download it.

Obtaining and installing Bifrost
The most recent version of Bifrost is 0.9, and you can download it from the Bifrost Web site. I saved this download into /usr/src on my server and used the commands in Table A to install it.

Table A Commands Explanation cd /usr/src Switches to the /usr/src directory where the Bifrost archive was saved gunzip -dc Bifrost.0.9.0.tgz | tar xvf Unzips the Bifrost archive cd Bifrost.0.9.0 Switches to the Bifrost directory mv Bifrost /etc/ Moves the Bifrost data files under the /etc directory mv iptables /etc/sysconfig Moves the iptables configuration file to /etc/sysconfig mv fw.cgi /usr/local/apache/cgi-bin Moves the Bifrost CGI program to the Apache cgi-bin directory chown apache.root /etc/sysconfig/iptables Assigns the Apache user ownership of the iptables configuration chmod +s /usr/local/apache/cgi-bin/fw.cgi chmod +s /sbin/iptables-save chown apache.apache /etc/Bifrost/* Assigns the Apache user ownership of the Bifrost files chown apache.root /sbin/iptables Assigns the Apache user and the root group ownership of iptables chmod +x /sbin/iptables chmod +s /sbin/iptables chmod +r /var/log/messages
Bifrost installation steps

Following the steps above completes the installation of Bifrost. Make sure that Apache is started. If it isn't, start it with the command:
/usr/local/apache/bin/apachectl start

You'll also want to make sure Apache is set up to start at boot time.

Using Bifrost
Once you have Apache running and have completed the steps above, you can start to use Bifrost. Browse to http://server-ip-address/cgi-bin/fw.cgi. (For example, for my installation, I will browse to http://192.168.1.100/cgi-bin/fw.cgi). Figure A shows the first Bifrost page you will see.

Figure AThe Bifrost main page


This page includes information showing you the current firewall activity. By clicking on Current Traffic Status, you will get output similar to this.

This tells you that a TCP connection has been established from 172.16.1.51 (my workstation) to 172.16.1.235 (the server running Bifrost) on port 80. This makes sense, because I have a Web connection to Bifrost.

Bifrost also includes an Interface Statistics And Status option, which, for my installation, yields the results in Figure B.

Figure BInterface statistics


Adding rules is easier with Bifrost than using the command line for iptables as well. By clicking on incoming rules and adding a new rule, I can set up my iptables implementation to accept both SMTP and Web traffic. Figure C shows an example.

Figure CAdding a rule to allow Web and SMTP traffic


An overview with a list of rules is also available. Figure D shows an example from the Bifrost demo site (since my testing server only has one interface).

Figure DAn overview of the iptables rules in Bifrost


Overview
Here is a brief look at what can be done with Bifrost:

  • · Dropping—You can add rules that override all other rule sets to drop the traffic specified. This is useful if you want to block access to a specific range of IP addresses.
  • · Incoming Traffic—You can manage traffic coming from the outside to the inside of your network. This is useful when you have mail or Web servers behind your firewall.
  • · Outgoing Traffic—You can manage traffic leaving your network. For example, don’t want your users using IM? Add a rule to drop it by blocking the outgoing IM traffic.
  • · Manage Interfaces—You can add or remove interfaces on your server.
  • · Manage NAT—You can add NAT rules to or remove them from your server.


Summary
Bifrost can help to take the pain out of managing an iptables implementation by adding a GUI front end to the process. Keep in mind that version 0.9 is the first public release, so this product is still being developed. In addition, there is very little documentation, so you'll need to go at it on your own for the most part. I am sure that once a final release date gets closer, a manual will be added. In the meantime, Bifrost still provides good functionality for configuring iptables



موضوعات مشابه: