
Bifrost Version 0.9.5

by Martin Forest
Heimdall's Limited
(Bifrost.heimdalls.com)

Distribution Site:
http://bifrost.heimdalls.com
Comments: bifrost@heimdalls.com
Cheque payments to: P.O. Box 45-021, Te Atatu Peninsula, Auckland, New Zealand.

Include your name, company name and email address.


COPYRIGHT

Copyright (C) 2002-2005 Martin Forest
No changes to the software are allowed.

Licensing
We are changing the licensing from version 0.9.2. Bifrost is now provided as free but restricted. The license cost is currently US$25 for home use or US$100 for commercial use. The cost covers the right to use Bifrost and a year of free updates/upgrades. When your license expires, you will still be able to use your current Bifrost version in full. Once your license has expired, we offer you a discounted license renewal. You may have a second copy of the firewall for test purposes in a non-production environment. Licensing is now done via Regsoft:
Home use: http://www.regsoft.net/purchase.php3?productid=49643&pc=21H1w
Commercial: http://www.regsoft.net/purchase.php3?productid=49643&pc=6XM25

DISCLAIMER
Neither Heimdall's Limited nor Martin Forest takes any responsibility for the functionality, protection or anything at all in association with this software. The installer takes full responsibility. It is recommended to analyze the resulting iptables rules manually to make sure the firewall is doing what you want.

Limitation on Liability

IN NO CASE SHALL HEIMDALL'S LIMITED OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, COVER OR CONSEQUENTIAL DAMAGES OR LOSSES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, LOSS OF BUSINESS, BUSINESS INTERRUPTION OR THE INABILITY TO USE EQUIPMENT OR ACCESS DATA, WHETHER SUCH DAMAGES ARE BASED UPON A BREACH OF EXPRESS OR IMPLIED WARRANTIES, BREACH OF CONTRACT, NEGLIGENCE, STRICT TORT, PRODUCT LIABILITY OR ANY OTHER LEGAL THEORY. THIS IS TRUE EVEN IF HEIMDALL'S LIMITED IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE WILL HEIMDALL'S LIMITED'S LIABILITY UNDER ANY LEGAL THEORY EXCEED THE AMOUNT OF THE LICENSE FEE ACTUALLY PAID BY YOU TO HEIMDALL'S LIMITED. THE FOREGOING LIMITATIONS WILL APPLY EVEN IF THE WARRANTIES IN THIS AGREEMENT FAIL OF THEIR ESSENTIAL PURPOSE.


DESCRIPTION

Bifrost is a firewall management interface to iptables.

The system is inspired by Checkpoint, Cisco PIX and Watchguard firewall management. We looked at the way Checkpoint works with source, destination, action and logging. At the same time, we work with incoming and outgoing traffic in a similar way to Watchguard and PIX firewalls.

For change log, please see doc/ChangeLog.txt.

Version planning:
0.9.0   First public version. Provides most functions for the firewall but has limitations regarding ICMP type filtering and log restrictions. There is a generic maximum number of log entries per unit.
0.9.1   Improved GUI, antispoofing and control of management clients.
0.9.2   Extended functions. High availability.
0.9.3   Mangling (marking IP packets), custom commands.
0.9.4   Color coding and minor display changes.
0.9.5   Routing on the same interface, i.e. traffic enters and exits on the same interface.
0.9.6   Depends on feedback from users.
?.?     IPSEC, QoS, specific ISO version, extended ICMP control, module-based upgrade, policy-based routing.

Pre requirements:
iptables >=v1.2.3
iproute2
Apache
perl

Tested OS:
Redhat 7.2
Redhat 7.3
Redhat 8.0
Mandrake 9.1

Please join the mailing list Bifrost-fw@yahoogroups.com by sending a mail to Bifrost-fw-subscribe@yahoogroups.com. The list is used for help, suggestions, feedback and much more. Please join; you do not have to have a license in order to join!

####################################

Upgrade from V0.9.0:
Back up your current configuration and fw.cgi. Unpack Bifrost.n.n.n.tar (tar xf Bifrost.n.n.n.tar) and change directory to Bifrost.n.n.n (cd Bifrost.0.9.5). Then:
cp Bifrost/MgmtClients /etc/Bifrost/
cp Bifrost/Ha* /etc/Bifrost/
cp Bifrost/Marking /etc/Bifrost/
cp Bifrost/Cust* /etc/Bifrost/
mv fw.cgi /var/www/cgi-bin/
#i.e. replace the old fw.cgi with the new cgi
chown apache.apache /etc/Bifrost/*
chown apache.apache /etc/Bifrost
chown apache.root /etc/sysconfig/iptables
#Give apache access to the iptables boot config file. (The cgi is updating it.)
chown root.apache /sbin/iptables
chown root.apache /sbin/iptables-save
#On some installations iptables and iptables-save require apache to be the group in order to execute.
chmod +x /sbin/iptables
chmod +s /sbin/iptables
chmod +s /sbin/iptables-save
chmod +r /var/log/messages
chmod +s /sbin/modprobe
chmod +s /sbin/insmod

After upgrading Bifrost, connect to the firewall and click on the function "Manage Interfaces and spoofing". Bifrost will convert your interface data to the new format the first time you enter. Go back to the main page and click "Master Reset" to activate the new format. When this is done, you can start working with the firewall as per normal. You should now configure Management clients and antispoofing.

Upgrade from V0.9.1:
Back up your current configuration and fw.cgi. Unpack Bifrost.n.n.n.tar (tar xf Bifrost.n.n.n.tar) and change directory to Bifrost.n.n.n (cd Bifrost.0.9.5). Then:
cp Bifrost/Ha* /etc/Bifrost/
cp Bifrost/Marking* /etc/Bifrost/
cp Bifrost/Cust* /etc/Bifrost/
mv fw.cgi /var/www/cgi-bin/
#i.e. replace the old fw.cgi with the new cgi
chown apache.apache /etc/Bifrost/*
chown apache.apache /etc/Bifrost
chown apache.root /etc/sysconfig/iptables
#Give apache access to the iptables boot config file. (The cgi is updating it.)
chown root.apache /sbin/iptables
chown root.apache /sbin/iptables-save
#On some installations iptables and iptables-save require apache to be the group in order to execute.
chmod +x /sbin/iptables
chmod +s /sbin/iptables
chmod +s /sbin/iptables-save
chmod +r /var/log/messages
chmod +s /sbin/modprobe
chmod +s /sbin/insmod

After upgrading Bifrost, connect to the firewall and click "Master Reset" to activate the new format. When this is done, you can start working with the firewall as per normal.

Upgrade from V0.9.2:
Back up your current configuration and fw.cgi. Unpack Bifrost.n.n.n.tar (tar xf Bifrost.n.n.n.tar) and change directory to Bifrost.n.n.n (cd Bifrost.0.9.5). Then:
cp Bifrost/Marking /etc/Bifrost/
cp Bifrost/Cust* /etc/Bifrost/
mv fw.cgi /var/www/cgi-bin/
#i.e. replace the old fw.cgi with the new cgi
chown apache.apache /etc/Bifrost/*
chown apache.apache /etc/Bifrost
chmod +x /var/www/cgi-bin/fw.cgi
(There is a boot script included that can be used to start Bifrost during boot. Please see more information further down in this document.)

Upgrade from V0.9.3:
Back up your current configuration and fw.cgi. Unpack Bifrost.n.n.n.tar (tar xf Bifrost.n.n.n.tar) and change directory to Bifrost.n.n.n (cd Bifrost.0.9.5). Then:
cp fw.cgi /var/www/cgi-bin/
#i.e. replace the old fw.cgi with the new cgi
cp bg/marble.png /var/www/icons/
chmod +x /var/www/cgi-bin/fw.cgi

Upgrade from V0.9.4:
Back up your current configuration and fw.cgi. Unpack Bifrost.n.n.n.tar (tar xf Bifrost.n.n.n.tar) and change directory to Bifrost.n.n.n (cd Bifrost.0.9.5). Then:
cp fw.cgi /var/www/cgi-bin/
#i.e. replace the old fw.cgi with the new cgi
cp bg/marble.png /var/www/icons/
chmod +x /var/www/cgi-bin/fw.cgi

New Installation:

Unpack Bifrost.n.n.n.tar (tar xf Bifrost.n.n.n.tar). Then:
mv ./Bifrost.n.n.n/Bifrost /etc/
mv ./Bifrost.n.n.n/iptables /etc/sysconfig/
mv ./Bifrost.n.n.n/fw.cgi /var/www/cgi-bin/
chown apache.apache /etc/Bifrost/*
chown apache.apache /etc/Bifrost
chown apache.root /etc/sysconfig/iptables
#Give apache access to the iptables boot config file. (The cgi is updating it.)
chown root.apache /sbin/iptables
chown root.apache /sbin/iptables-save
#On some installations iptables and iptables-save require apache to be the group in order to execute.
chmod +x /sbin/iptables
chmod +s /sbin/iptables
chmod +s /sbin/iptables-save
chmod +r /var/log/messages
chmod +s /sbin/modprobe
chmod +s /sbin/insmod
chmod +x /var/www/cgi-bin/fw.cgi
cp ./Bifrost.n.n.n/bg/marble.jpg /var/www/icons/
#If your icons/images directory is different, change the path and update the $body parameter in fw.cgi.

(There is boot script included that can be used to start Bifrost during boot. Please see more information further down in this document.)

Make sure Apache is the owner of the files in /etc/Bifrost/* (chown apache.apache /etc/Bifrost/*). If your cgi-bin directory is located elsewhere, you need to modify fw.cgi and change $cgipath to the path of your cgi directory. fw.cgi may need the setuid bit (chmod +s; this is the setuid bit, not the sticky bit) in order to be able to work with iptables. If you know a better way of working with iptables, please feel free to send feedback.

Be aware of what the chown/chmod steps above amount to: iptables, iptables-save, modprobe and insmod become setuid root and executable by the apache group, so anyone who can run fw.cgi, or who compromises Apache, can run those binaries as root and load arbitrary kernel modules. Keep execute permission on those binaries restricted to root and the apache group (chmod o-x), and check the result with ls -l /sbin/iptables /sbin/iptables-save /sbin/modprobe /sbin/insmod before exposing the CGI to the network.

It is important to secure and lock down Apache. It is recommended to enable authentication. It is also recommended to restrict access based on IP address: only allow access to the CGI from the IP addresses that are allowed to make changes ("Management Clients"). I'm not an expert on Apache; feel free to send me an example of a locked-down httpd.conf. It is also important to use tcpwrappers to restrict access further. Please see Secure_Apache.txt for more information.

###########################

Recommended reading:
It is recommended to read the HOWTOs regarding iptables to get a general understanding of firewalling and how to use iptables, but it is not required.

###########################

Getting started:
Install the system.
Use a web browser and connect to fw.cgi (By default http://ip of firewall/cgi-bin/fw.cgi).

START with [Manage Interfaces]. Add the interfaces you have on your firewall. It is important that you click Apply. Note that before the firewall is fully activated, you may receive some error messages. When your interfaces are configured, you have to do a [Master Reset] or you may cut yourself off from the firewall. There should be no errors when doing a Master Reset. If you do cut yourself off from the firewall, run the following commands on the console to flush the rules and open the INPUT and OUTPUT chains again:
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
If you use marking (the mangle table, from 0.9.3), flush that table as well: iptables -F -t mangle; iptables -X -t mangle. Remember that the firewall host itself is wide open after this until you run Master Reset again.

The firewall is now fully functional and you can start managing incoming and outgoing rules. It is recommended to start with adding rules for the computers you intend to use for management of the firewall. When this is done, change the LAST RULES to drop rather than allow traffic, i.e. both incoming and outgoing.

You should now configure Management Clients. The Management Clients function allows you to restrict which IP addresses are allowed to run the CGI (Bifrost). When configuring management clients, make sure to add the IP address you are currently using to access Bifrost. If you don't, you will cut yourself off. If you manage to do so, you have to edit the file /etc/Bifrost/MgmtClients.dat: delete all lines except the first two (the header and 127.0.0.1).

If you want to control antispoofing, you can do so via the function Manage Interfaces and spoofing. Before you enable antispoofing, you should configure antispoofing on the interfaces. There are two types of antispoofing, Internal and External. Internal indicates that the interface does not have "public" access such as the internet. You should add the network address, typically 192.168.1.0/24 or equivalent, and all other networks that may exist on that interface or behind a router on any of the networks behind that interface. Let's say you have 192.168.1.0/24 on interface eth1 and you have a router with 192.168.2.0/24 behind it; you should then add 192.168.2.0/24 to the antispoof configuration on eth1. If you don't, the firewall will block all traffic with an IP address 192.168.2.n. External indicates that the interface is used for an external network, such as the internet. Bifrost will block, on an external interface, all IP addresses/network addresses that have been configured on any other interface tagged as internal with antispoofing enabled. If eth1 is internal as described above and has antispoofing enabled, Bifrost will block all incoming traffic with a source of 192.168.1.n and 192.168.2.n on all interfaces tagged as external. It is also possible to add additional networks to be blocked on interfaces tagged as external.
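The rules this amounts to, as an added example that is not Bifrost's own code: a small POSIX sh generator that takes an interface table (its format, and the addresses in it, are constructed for this example) and prints the iptables commands for internal and external antispoofing instead of applying them, so you can read the result before it touches the firewall.

```shell
#!/bin/sh
# Added example, not code from Bifrost or Heimdall's Limited. It generates
# iptables anti-spoofing rules of the kind described above from a small
# interface table, and prints them instead of applying them so the result
# can be reviewed first.
#
# The table format is an assumption of this example, one interface per line:
#   <iface> internal <net> [<net>...]   networks legitimately behind this interface
#   <iface> external [<net>...]         extra networks to block on this interface
# The addresses below are constructed sample data.
IFACE_TABLE='eth1 internal 192.168.1.0/24 192.168.2.0/24
eth2 internal 10.0.0.0/8
eth0 external 127.0.0.0/8'

# Every network configured on an internal interface; packets from these
# networks must never arrive on an external interface.
internal_nets() {
    printf '%s\n' "$1" | while read -r iface type nets; do
        [ "$type" = internal ] && [ -n "$nets" ] && printf '%s\n' $nets
    done
    return 0
}

# Print the iptables commands for every interface in the table ($1).
antispoof_rules() {
    table=$1
    inets=$(internal_nets "$table")
    printf '%s\n' "$table" | while read -r iface type nets; do
        [ -n "$iface" ] || continue
        chain="spoof_$iface"
        printf 'iptables -N %s\n' "$chain"
        case $type in
        internal)
            # Only the configured networks may enter here; anything else is spoofed.
            for n in $nets; do
                printf 'iptables -A %s -s %s -j RETURN\n' "$chain" "$n"
            done
            printf 'iptables -A %s -j LOG --log-prefix "spoof %s: "\n' "$chain" "$iface"
            printf 'iptables -A %s -j DROP\n' "$chain"
            ;;
        external)
            # Internal address space, plus any extra networks listed, is dropped on arrival.
            for n in $inets $nets; do
                printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$n"
            done
            ;;
        *)
            printf 'unknown interface type "%s" for %s\n' "$type" "$iface" >&2
            exit 1
            ;;
        esac
        # Hook the chain in front of both traffic to the firewall and traffic through it.
        printf 'iptables -I INPUT -i %s -j %s\n' "$iface" "$chain"
        printf 'iptables -I FORWARD -i %s -j %s\n' "$iface" "$chain"
    done
}

antispoof_rules "$IFACE_TABLE"
```

Run it and pipe the output through sh only once you have read it. The generator mirrors the behaviour described above: on eth1, 192.168.2.0/24 is only accepted because it was listed, and on eth0 every internal network (including eth2's 10.0.0.0/8) is dropped together with the extra 127.0.0.0/8 entry.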

The next step is to configure NAT. There are three different types of NAT, Hide (for outgoing traffic where you want to hide your home network), Source and Static/Port forwarding. Static NAT is used for incoming traffic where you for example are running a mail/web server behind the firewall.
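What those three NAT types translate to in iptables, as an added example that is not Bifrost's own code: a POSIX sh generator for Hide, Source and Static/port-forwarding NAT. The table format is an assumption of the example and the addresses (RFC 5737 documentation ranges standing in for public ones) are constructed; the commands are printed, not applied.

```shell
#!/bin/sh
# Added example, not code from Bifrost or Heimdall's Limited. It turns a small
# NAT table into iptables commands for the three NAT kinds named above and
# prints them rather than applying them. Table format and addresses are
# constructed for this example.
#
#   hide    <out-iface> <internal-net>                 masquerade behind the interface address
#   source  <out-iface> <internal-net> <public-ip>     rewrite source to a fixed public address
#   static  <in-iface>  <public-ip> <internal-ip>      forward every port of a public address
#   forward <in-iface>  <public-ip> <proto> <port> <internal-ip> <internal-port>
NAT_TABLE='hide eth0 192.168.1.0/24
source eth0 192.168.2.0/24 203.0.113.5
static eth0 203.0.113.6 192.168.1.10
forward eth0 203.0.113.5 tcp 25 192.168.1.20 25'

nat_rules() {
    printf '%s\n' "$1" | while read -r kind a b c d e f; do
        case $kind in
        hide)
            printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$a" "$b" ;;
        source)
            printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$a" "$b" "$c" ;;
        static)
            # Translate the destination on the way in and the source on the way out,
            # so the internal host is reachable as, and replies from, the public address.
            printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$a" "$b" "$c"
            printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$a" "$c" "$b"
            # DNAT only rewrites the address; the translated packet still has to be
            # allowed through the FORWARD chain.
            printf 'iptables -A FORWARD -i %s -d %s -j ACCEPT\n' "$a" "$c" ;;
        forward)
            printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' "$a" "$b" "$c" "$d" "$e" "$f"
            printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -j ACCEPT\n' "$a" "$e" "$c" "$f" ;;
        '') ;;
        *)
            printf 'unknown NAT kind "%s"\n' "$kind" >&2
            exit 1 ;;
        esac
    done
}

nat_rules "$NAT_TABLE"
```

The FORWARD lines are the part people forget: a port-forwarding entry in the nat table makes the packet arrive at 192.168.1.20, but with the last rule set to drop (as recommended above) it is still discarded unless an incoming rule for the translated destination exists.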

Syntax
Never use the character ~. The configuration files use ~ to separate fields, so if you use ~ anywhere you will most likely start to get errors and probably a corrupt iptables configuration with faulty rules that may expose your network. When working with the rules, it is important to use proper values for IP addresses and IP networks, i.e. n.n.n.n or n.n.n.n/n. When working with ports, it is important to use correct port numbers, 1-65535. Note that not all IP protocols support port numbers.
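The checks a practitioner would put in front of the rule writer, as an added example (POSIX sh, not Bifrost's own code): each function returns 0 for an acceptable value and 1 otherwise, so it can be used directly in if or || tests; the field check enforces the rule above that ~ never appears in a value, and check_rule is an assumed rule layout (src dst proto port) used only to show the functions together.

```shell
#!/bin/sh
# Added example, not code from Bifrost or Heimdall's Limited: input checks for
# the value formats the README requires. Every function returns 0 for an
# acceptable value and 1 otherwise.

# Dotted-quad IPv4 address with four octets of 0-255.
valid_ip() {
    addr=$1
    # Reject anything but digits and dots, and leading, trailing or doubled dots.
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# n.n.n.n/n with a prefix length of 0-32.
valid_net() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    valid_ip "$ip" && [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ]
}

# Either form a rule field accepts: a host address or a network.
valid_addr() { valid_ip "$1" || valid_net "$1"; }

# Port number 1-65535 (digits only; no sign, spaces or ranges).
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Any free-text field: non-empty, no "~" separator and no line break,
# either of which would corrupt the ~-separated configuration file.
valid_field() {
    nl='
'
    case $1 in ''|*~*|*"$nl"*) return 1 ;; esac
    return 0
}

# Validate one rule given as "src dst proto port" (an assumed layout for this
# example) and report the first bad field on stderr.
check_rule() {
    valid_addr "$1" || { echo "bad source: $1" >&2; return 1; }
    valid_addr "$2" || { echo "bad destination: $2" >&2; return 1; }
    valid_field "$3" || { echo "bad protocol: $3" >&2; return 1; }
    valid_port "$4" || { echo "bad port: $4" >&2; return 1; }
}
```

Rejecting a value before it reaches the configuration file is the cheap end of the problem; the same checks also keep a malformed address from reaching the iptables command line, where a stray token turns into a rule you did not intend.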

Known bugs/Security holes:
While viewing log entries, it is possible to filter based on text strings. At the moment, the filter string can be used to send along another command. This will be changed in a future version.
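The class of bug described above, as an added example that is neither Bifrost's own code nor the actual fw.cgi log filter: a filter string that reaches a shell which re-parses it, beside the hardened form that never lets a shell see it. The log lines are constructed sample data written to a temporary file; the MARKER file exists only to prove whether an injected command ran.

```shell
#!/bin/sh
# Added example, not code from Bifrost or Heimdall's Limited, and not the
# real fw.cgi filter. It contrasts a shell-re-parsed filter with a literal
# one. Log lines are constructed sample data.
LOG=$(mktemp)
MARKER=$(mktemp -u)          # created only if an injected command actually runs
trap 'rm -f "$LOG" "$MARKER"' EXIT
cat >"$LOG" <<'EOF'
Jan  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=22
Jan  1 10:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=198.51.100.7 PROTO=UDP DPT=53
Jan  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=23
EOF

# Vulnerable: the filter is pasted into a command line that the shell parses
# again, so ";" ends the grep and whatever follows runs as a second command
# with the CGI's privileges (which, per the install steps above, reach root
# through the setuid iptables and modprobe binaries).
filter_unsafe() {
    eval "grep $1 $LOG"
}

# Hardened: the filter is handed to grep as one argument, after "--" so it
# cannot be taken as an option, and with -F so it is a literal string rather
# than a pattern. No shell ever interprets its contents.
filter_safe() {
    grep -F -- "$1" "$LOG"
}

# Number of log lines matching a filter through the hardened path (0 if none).
count_safe() {
    filter_safe "$1" | wc -l | tr -d ' '
}
```

fw.cgi is Perl, where the equivalent fix is the same idea: pass the filter as a separate argument to the list form of system() or open(), or filter the lines in Perl itself, rather than building a command string for a shell.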

Extended functions:
We are successfully using IPSEC from www.freeswan.org. There is currently no interface on Bifrost for managing freeswan. This will be added in a future version for licensed installations. We are successfully using high availability from heartbeat. From Bifrost v 0.9.2 it is now possible to manage heartbeat in an easy and simple way.

Bifrost boot script:
There is a script "bifrost" supplied from version 0.9.3. This file can/will load iptables modules and perform a master reset with Bifrost. As Bifrost is getting more complex and has more functions, we will most likely start using one or a couple of daemons that will take care of various functions. It is easy to edit the boot file and add more modules you may want loaded during boot. Copy the script "bifrost" to your init.d directory, typically /etc/rc.d/init.d or /etc/init.d. The script is located in the directory scripts. The next step is to create a link to the script in the run level directories, rc3.d, rc4.d... It is important to load bifrost and/or iptables BEFORE you start the network. To easily find where the network is started, change directory to /etc and run find rc* -name 'S*netw*'. Example:
[root@localhost etc]# find rc* -name 'S*netw*'
rc.d/rc2.d/S10network
rc.d/rc3.d/S10network
rc.d/rc4.d/S10network
rc.d/rc5.d/S10network
The output from the command indicates that your network is started under runlevels 2, 3, 4 and 5. We can also see that the network starts at sequence number 10. Therefore, you should load bifrost and/or iptables before 10. Change directory to rc.d/rc2.d and run "ln -s /etc/init.d/bifrost S09bifrost". Repeat the procedure for the rest of the runlevels that start the network. Generally, you do not need to stop Bifrost when shutting down. This may be added in future versions.
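The link-creation step above, automated, as an added example (POSIX sh, not Bifrost's own boot script): for every runlevel directory that starts the network with an SNNnetwork link, it creates an S(NN-1)bifrost link to the boot script, so the firewall is loaded before the interfaces come up. The rc.d/rcN.d layout is the Red Hat one shown in the find output; the rc directory and script path are parameters.

```shell
#!/bin/sh
# Added example, not code from Bifrost or Heimdall's Limited: creates the
# S(NN-1)bifrost links in every runlevel directory that has an SNNnetwork
# link, so bifrost starts just before the network.

install_bifrost_links() {
    rcdir=$1      # e.g. /etc/rc.d
    script=$2     # e.g. /etc/init.d/bifrost
    made=0
    for netlink in "$rcdir"/rc[0-9].d/S[0-9][0-9]network; do
        # Skip an unmatched glob; accept a symlink even if its target is absent.
        [ -e "$netlink" ] || [ -L "$netlink" ] || continue
        dir=${netlink%/*}
        name=${netlink##*/}
        seq=${name#S}; seq=${seq%network}        # "10" from S10network
        seq=${seq#0}                             # avoid octal arithmetic on "09"
        seq=$((seq - 1))
        if [ "$seq" -lt 0 ]; then
            printf 'no sequence number free before %s in %s\n' "$name" "$dir" >&2
            return 1
        fi
        target=$(printf '%s/S%02dbifrost' "$dir" "$seq")
        ln -sfn "$script" "$target"
        printf '%s\n' "$target"
        made=$((made + 1))
    done
    # Fail if no runlevel starts the network; nothing was linked in that case.
    [ "$made" -gt 0 ]
}
```

Usage on the tested systems would be install_bifrost_links /etc/rc.d /etc/init.d/bifrost; it prints each link it created, and a runlevel whose network link is already S00 is reported as an error rather than silently skipped.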

Please send us feedback of what you would like to see next in Bifrost. Anything we should change/add/remove... Please send any comments to bifrost@heimdalls.com (Even if you are using an unlicensed installation.)

We have started the development of the next generation of Bifrost. The main new feature will be a distributed environment. When installed as a distributed environment, a minimum of two computers will be required, one management server and one firewall. The management server will perform all the configuration of the firewall. The firewall will be a very slim installation for optimum security. It will be possible to manage multiple firewalls from the management server. There will also be an option for a managed solution where multiple customers, with multiple firewalls, can be managed. The final design is still not finished, so if you have wishes, please send your comments to us. Stay tuned for more information.

Have fun, improve security and save time and money with Bifrost.

Martin Forest
Senior Security Specialist / Director
Heimdall's Limited

