Current version - 0.12.0
Introduction
Mason is a tool that interactively builds a firewall using Linux'
ipfwadm or ipchains firewalling. You leave mason running on the firewall
machine while you are making all the kinds of connections that you
want the firewall to support (and want it to block). Mason gives you
a list of firewall rules that exactly allow and block those connections.
Mason was specifically designed to make it possible for anyone with
the ability to generally find their way around a Linux system to build a
reasonably good packet filtering firewall for any and every system under their
control. It takes care of all the low level grunt work; all you need to do is
follow the instructions and be able to run all the TCP/IP applications that
need to be supported.
The real work of the package is done by the mason script. Its job is
to convert the log entries that the Linux kernel produces into ipfwadm or
ipchains commands that you can use in your own firewall.
In order to make it easy to use, I have included a rudimentary tool
called mason-gui-text. It's a very simple shell that handles the
setup and creation process for those that want to be led through the
process. I would sincerely like to see it replaced with a nicer
interface.
Features
Mason supports the following:
- It accepts any mix of ipchains or ipfwadm log entries as input.
- It can run on an ipfwadm or ipchains kernel.
- It can spit out ipfwadm or ipchains output.
- The above 3 are independent from each other; Mason can, for example, accept
ipchains and ipfwadm log entries, run on an ipfwadm host, and output ipchains rules.
- It will run on the firewall machine or on another machine, using the firewall's packet
logs as input.
- It can run as the traffic is flowing through the machine or be fed the firewall logs later.
- While there are some advantages to running as root, it can be run as a non-root user.
- Mason will put in a macro for dynamic IP addresses, usually for your ppp link.
- It supports any kind of interface that can carry TCP/IP traffic.
- It recognizes any protocol listed in /etc/services and commonly used icmp protocols.
- It automatically handles setups such as cable modem or satellite where the packets
go out on one interface and come back on another.
- It automatically handles masquerading on the firewall and the strange rules that can
require.
- It allows you to put in any rules you may know you need and fills in the rest, or just
builds the entire thing for you if you prefer. It can also be used after a firewall has
been created to fill in some new rules or new protocols.
- It automatically generalizes the firewall rules in the following ways:
  - Any local IP addresses are converted to the corresponding local network. Special IP's
    (0.0.0.0, 127.0.0.1, 255.255.255.255) are handled appropriately. Mason can also be
    configured to leave addresses alone or convert them to hostnames. This gives you
    the ability to either treat all machines in a subnet as having equal access rights or
    create fine-grained access rules for individual servers, as you choose.
  - Non-local IP's are converted to 0/0 (anywhere).
  - Port numbers in /etc/services are converted to the corresponding service name.
  - High port numbers are generalized to 1024:65535. The special port needs of ssh,
    traceroute, nfs, ip masquerading, irc, x, openwindows, and vnc are handled automatically.
  - The ack flag is set for all tcp connections except for ftp.
  - The TOS (Type Of Service) flag is set for ftp, ftp-data, imap, irc, nntp, pop, ssh,
    snmp, and telnet to improve interactive performance by queuing interactive packets ahead of
    bulk transfer packets.
- Each output line is commented to give you an idea of what it's for and allow for easy
grouping via sort.
- The rule policy can be changed on the fly without having to stop Mason.
- Because Mason is a shell script, it can run on any system with bash and basic GNU tools
(sed, awk, grep, etc.). Actually creating the firewall log entries, interactively building
the firewall, or implementing the finished firewall requires a Linux system with an
appropriate kernel (generally 2.0.0 and up, including 2.1.x and 2.2.x) with
firewalling and firewall packet logging built in.
- Thanks to Don Howard, Mason 0.12.0 finally
has a first pass at Cisco rules! And no, I don't personally think Cisco rules, but anyways.
It hasn't been tested on a live router. I'd love to get feedback on how well it works - or doesn't!
- A rather extensive manual/howto/notes file covers operating
Mason and some issues associated with packet filtering firewalls. Good reading for anyone
trying to understand some of the more advanced topics in packet filtering firewalls.
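To make the conversion and generalization steps above concrete, here is an added example that is not part of the Mason package (Mason itself is a bash script; this is a Python sketch written for this page). It parses constructed ipchains "Packet log:" lines in the 2.2-kernel format, applies the generalizations listed above (local addresses to their network, other addresses to 0/0, known ports to service names, high ports to 1024:65535, and an ACK-only reply rule for tcp except ftp), and emits commented ipchains rules. The services table and local networks are constructed stand-ins for /etc/services and Mason's netcache so the code runs offline; icmp, masquerading and TOS handling are left out.

```python
import ipaddress
import re

# Constructed stand-ins (not read from the system so the example runs offline):
# a few /etc/services entries and the local networks Mason would take from its netcache.
SERVICES = {20: "ftp-data", 21: "ftp", 22: "ssh", 25: "smtp", 53: "domain", 80: "www"}
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.1.0.0/16")]
PROTO_NAMES = {6: "tcp", 17: "udp"}
# Chain that will see the reply to a packet logged in the given chain.
REPLY_CHAIN = {"input": "output", "output": "input", "forward": "forward"}

# Constructed log lines in the 2.2-kernel ipchains "Packet log:" format.
SAMPLE_LOG = """\
Packet log: output DENY eth0 PROTO=6 192.168.1.20:1042 203.0.113.5:80 L=60 S=0x00 I=4211 F=0x4000 T=64 SYN (#3)
Packet log: input DENY eth0 PROTO=17 203.0.113.9:53 192.168.1.20:1025 L=84 S=0x00 I=9 F=0x0000 T=55 (#3)
Packet log: output DENY eth0 PROTO=6 192.168.1.20:1050 203.0.113.5:21 L=60 S=0x00 I=4300 F=0x4000 T=64 SYN (#3)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def generalize_addr(ip: str) -> str:
    """Local addresses become their network, special addresses stay as /32, everything else is 0/0."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or ip in ("0.0.0.0", "255.255.255.255"):
        return f"{ip}/32"
    for net in LOCAL_NETS:
        if addr in net:
            return str(net)
    return "0/0"


def generalize_port(port: int) -> str:
    """Known service ports become names; unprivileged ports become the 1024:65535 range."""
    if port in SERVICES:
        return SERVICES[port]
    if port >= 1024:
        return "1024:65535"
    return str(port)


def parse_log_line(line: str):
    """Return the fields of one ipchains log line, or None for lines this example does not handle (e.g. icmp)."""
    m = LOG_RE.search(line)
    if not m or int(m["proto"]) not in PROTO_NAMES:
        return None
    return {
        "chain": m["chain"], "iface": m["iface"], "proto": PROTO_NAMES[int(m["proto"])],
        "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
    }


def rules_for(entry: dict) -> list:
    """Emit the ipchains rule(s) that would have accepted the logged packet and, for tcp, its replies."""
    src, sport = generalize_addr(entry["src"]), generalize_port(entry["sport"])
    dst, dport = generalize_addr(entry["dst"]), generalize_port(entry["dport"])
    proto, chain, iface = entry["proto"], entry["chain"], entry["iface"]
    comment = f"# {proto} {sport} -> {dport}"  # every output line carries a comment for grouping via sort
    rules = [f"ipchains -A {chain} -i {iface} -p {proto} -s {src} {sport} -d {dst} {dport} -j ACCEPT {comment}"]
    if proto == "tcp":
        # The reply rule demands the ACK flag ("! -y": not a bare SYN) so it only admits packets of a
        # connection this side already opened; ftp is the exception because active-mode data
        # connections are opened by the server.
        ack = "" if {sport, dport} & {"ftp", "ftp-data"} else "! -y "
        rules.append(
            f"ipchains -A {REPLY_CHAIN[chain]} -i {iface} -p tcp {ack}-s {dst} {dport} -d {src} {sport} -j ACCEPT {comment}"
        )
    return rules


def build_firewall(log_text: str) -> list:
    """Convert a block of log lines into a de-duplicated, order-preserving list of rules."""
    seen, out = set(), []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        for rule in rules_for(entry):
            if rule not in seen:
                seen.add(rule)
                out.append(rule)
    return out


if __name__ == "__main__":
    for rule in build_firewall(SAMPLE_LOG):
        print(rule)
```

Running it prints five rules: the outbound www rule and its ACK-only reply, a single udp rule for the DNS reply, and the ftp pair with no `! -y` on the reply. The de-duplication matters in practice because a busy log repeats the same generalized rule many times; once addresses and ports are generalized, one rule covers all of them.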
Disclaimers
I've included a copy of the disclaimers. Like all GNU programs:
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Unfortunately, because this program is so deeply involved in the security of the systems
on which it is run, I need to add this disclaimer as well:
This program offers an aid to creating firewall rules. It offers
ABSOLUTELY NO intelligence in deciding what should be allowed or
disallowed. It has ABSOLUTELY NO ability to understand your security
policy and implement it. YOU are responsible for reviewing the rules and
massaging them to fit your needs.
While the documentation in mason.txt attempts to provide some
general guidelines on how to use Mason, please remember: the author has
no knowledge of what you want your firewall to do and has not tailored the
documentation or program to specially fit your needs. If there is ever a
discrepancy between your needs and the program output or your needs and
the documentation, the program and/or documentation are _dead_ _wrong_.
Downloading and installing
Here are the various versions available for download, most recent at the top.
- Mason-0.12.0 (tar, noarch rpm,
src rpm). Mason now has an output option for Cisco IOS access-list
rules. It still needs to run on a Linux system, but can provide output usable in a Cisco router. I don't have a
Cisco router here, though; please let me know if it works or doesn't.
The Mason package now includes some additional "services" files. If you choose, Mason can automatically
pull services from these files if your /etc/services file is missing them. Many thanks to the guys who
wrote nmap for the nmap-services file.
Ironically, I do not suggest you use these as they are too complete; Mason may actually have trouble
generalizing its rules because everything looks like a server port.
- Mason-0.11.1 (tar, noarch rpm,
src rpm). Ipfwadm hadn't been tested in a while; thanks to Rich
who pointed out that it, ahem, didn't work at all. Two typos and it's doing much better now.
I also added TOS (Type Of Service) flag setting to this version. That, in theory, should help interactive
performance on slow links with lots of bulk traffic. I also added the ability to completely block individual
IP's or entire subnets.
- Mason-0.11.0 (tar, noarch rpm,
src rpm) Generally functional. Now it has an rpm version.
- mason-0.11.0-beta3.tar.gz Mostly reorganization, but some bug fixes too. Better
support for ipfwadm - it probably works now. I can't test it because I don't run 2.0 kernels at this point. Any feedback?
- mason-0.11.0-beta2.tar.gz Mason has undergone serious surgery. The
documentation is horribly out of date. Nonetheless, the functionality is there. Download this, open it up,
run "make install", briefly edit /etc/masonrc, and run mason-gui-text. "base" rules are the permanent, approved
rules that get run at boot time. "new" rules are only used during the firewall creation process. When you're
happy with a "new" rule, put something like #APPROVED at the end and use the "merge rules" feature to carry them over to
the "base" set. That's the 2 cent tour - let me know what you find is broken. I already know the ipfwadm stuff is lagging
so far behind ipchains as to be unusable in this release - sorry. Despite that, the new stuff in Mason is well
worth it...grin...
- mason-0.11.0-beta1.tar.gz
- mason-0.11.0-alpha1.tar.gz
- mason-0.10.0-beta3.tar.gz The 0.9 and 0.10 versions handle ipchains, but
as of 0.10.0-beta3, the documentation does not fully reflect the functionality.
- mason-0.10.0-beta2.tar.gz
- mason-0.10.0-beta1.tar.gz
- mason-0.9.1-beta1.tar.gz
- mason-0.9.0-beta2.tar.gz
- mason-0.9.0-beta1.tar.gz
- mason-0.7.9.tar.gz Versions up to and including 0.7.9 handle only ipfwadm
input, kernels and output.
- mason-0.7.0.tar.gz
- mason-0.6.9.tar.gz
- mason.0.6.0
- mason.0.5.0 Versions up to and including 0.6.0 are just a single shell script.
Here's how to install:
- Download the above tar file to /usr/src
- cd /usr/src
- tar -xzvf mason-version.tar.gz
- cd mason-version
- make install
- Follow the quickstart section in mason.txt
Here are the individual files you can download. Note that all of the following
files are included in the latest version:
- COPYING The GNU General Public License.
- Makefile Used in packaging and distribution.
- Quickstart A step-by-step set of instructions for getting going with Mason
- TODO Future goals, current bugs, etc.
- baserules.sample A few possible rules for use as a starting point.
- firewall The boot time script for use in /etc/rc.d/init.d.
- index.html The Mason web page.
- mason The actual mason script.
- mason-0.11.0.spec The RPM spec file.
- mason-gui-text The rudimentary interface to running Mason and building a firewall.
- mason.lsm The Linux Software Map entry.
- mason.txt The primary documentation for the package. Hasn't been
updated to reflect the current state of the program yet. Try the Quickstart first.
- masonlib A library of functions used by a number of the other files.
- masonrc The main configuration file. There are intelligent defaults for all of these fields.
- namecache Mason stores learned hostname/IP pairs (in /etc/hosts format) for quicker retrieval. Automatically created and populated.
- netcache A cache of your routing table, used to group machines together. Automatically created and populated.
- overview Notes to myself about the call structure.
- mason_policy Allows you to change the policy for new rules on the fly. No longer used -
settable in the main configuration file, change activated by sending SIGUSR1 to mason (automatically done by mason-gui-text).
- ruleshell A wrapper around the rules you create that does a little housekeeping. No longer used
as well. Mason-gui-text takes this role now.
Additional resources
Author, credits, feedback, copyright
If you have comments, suggestions, problems, ideas, flames, patches, whatever, I'd like to hear them.
I'd even be interested in hearing where Mason fell short for your needs. My permanent email address is
wstearns@pobox.com. The permanent web site for the software is
http://www.pobox.com/~wstearns/mason/.
If you choose to send me actual mason firewall rules and choose to hide the IP addresses and/or
networks for security reason, that's fine, but please replace them with something that describes
their general use so I can make sense of them. For example:
    cat myrules | sed -e 's@11.22.33.44/32@fw-outside@' \
                      -e 's@192.168.1.1/32@fw-inside@' \
                      -e 's@192.168.1.0/24@inside-net@' \
                      >myrules.mailable
...or something like that.
This page, the Mason script, and the other files in the Mason package are Copyright (c) 1998 by
William Stearns wstearns@pobox.com. They are
released under the GNU GPL, which is included in the package. If you did not receive a
copy of this license, please contact the author for a copy (see the top of the Mason
script for contact information for the author and the Free Software Foundation).
William is also the author of
buildkernel, the automated Linux
kernel builder, and other minor shell scripts.
Thanks
Many thanks to Dave Stern, who has offered suggestions on how to improve Mason and helped
with beta testing early versions. Maybe someday I'll tell him they were prerelease versions... :-)
A special thank you to all the authors in the Linux movement. In a small way, the code I return to the
community is my way of paying back my incredible debt to the people who came before me.
As always, many thanks to my wife Debra, who has shown amazing patience with my Linux related projects.
Many thanks, my love.
Last edited: 3/22/99
Best viewed with something that can show web pages... <grin>