Copyright (c) 1998, 1999 William Stearns

Mason Quickstart

This document is designed to help people who are unfamiliar with Mason build a firewall using it. A novice user should be able to start building a basic firewall using these instructions in 20 minutes.

0. Make sure the system is already pretty secure.

See the Linux security sites and the Linux Administrators Security Guide for more info. A strict packet filtering firewall is useless if someone can get root access somehow; they can just turn off the firewall.

1. Install the Mason package - 5 minutes or less.

If you're using an rpm-based system, just type

    rpm -Uvh ftp://slartibartfast.pa.net/pub/mason/mason-0.13.0-0.noarch.rpm

Otherwise, download the latest version to /usr/src, then

    cd /usr/src
    tar -xzvf mason...tar.gz
    cd mason...
    make install

2. Prepare /etc/services - probably mostly done!

Mason depends on a few setup details to be able to provide a firewall that works the way you intended. Make sure that /etc/services includes the server port names for all services you intend to work with, whether those services are running on the firewall machine or on some other machine. For example, if you intend to use ssh to connect to another system, make sure that the line

    ssh             22/tcp

is in /etc/services. Entries that might be missing include:

    ftp-data        20/tcp
    ssh             22/tcp          #Secure shell
    linuxconf       98/tcp
    squid           3128/tcp        #Squid proxy cache requests
    icp             3130/udp        #Inter Cache Protocol, used in squid

It is not necessary to include entries for services that you don't use. Also, do _not_ place entries for _client_ ports in this file; Mason assumes anything referenced in this file is a server port. For example, even though one of the client ports used for ssh is 1022/tcp, you would _not_ place this in /etc/services. Doing so would cause Mason to provide incorrect rules.
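One way to find the server ports that still need an /etc/services entry is to compare the ports the machine is actually listening on (as "netstat -an" shows them) against the services file. The script below is an added example and is not part of Mason; the /etc/services fragment and the netstat output it reads are constructed samples (ssh is deliberately left out of the services fragment) so that it runs offline, and the function names are my own. Note that the established client-side connection on port 1022 is ignored: only sockets in the LISTEN state (or bound udp sockets) count as servers, which is exactly the distinction the text asks you to keep.

```shell
#!/bin/sh
# Added example (not part of the Mason package): report listening ports that
# have no entry in /etc/services, so Mason will be able to name them in rules.

# Constructed /etc/services fragment; ssh (22/tcp) is deliberately missing.
SAMPLE_SERVICES=$(cat <<'EOF'
ftp             21/tcp
smtp            25/tcp          mail
domain          53/tcp
domain          53/udp
http            80/tcp          www
squid           3128/tcp        #Squid proxy cache requests
EOF
)

# Constructed "netstat -an" output for the same machine.
SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.1:1022         172.16.0.5:22           ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
)

# listening_ports <netstat output>: print "port/proto" for every tcp socket in
# LISTEN state and every bound udp socket (udp has no LISTEN state in netstat).
# Established connections, such as the 1022 client port above, are skipped.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] "/tcp" }
        $1 == "udp"                  { n = split($4, a, ":"); print a[n] "/udp" }
    ' | sort -u
}

# missing_services <services file text> <netstat output>: print each listening
# port/proto pair that has no matching "<name> <port>/<proto>" line.
missing_services() {
    services=$1
    for pp in $(listening_ports "$2"); do
        # strip comments first so "#Squid proxy ..." does not hide the port field
        if ! printf '%s\n' "$services" | sed 's/#.*//' |
             awk -v pp="$pp" '$2 == pp { found = 1 } END { exit !found }'; then
            echo "$pp"
        fi
    done
}

# On a real firewall you would call:
#   missing_services "$(cat /etc/services)" "$(netstat -an)"
missing_services "$SAMPLE_SERVICES" "$SAMPLE_NETSTAT"
```

With the constructed input the script prints only 22/tcp, which is the entry step 2 tells you to add; run it once on the firewall and once on each internal server whose ports the firewall must know about.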
If you're not sure which ports are being used as servers on the firewall or on other machines on your network, use the "netstat -an | less" command on Linux/Unix systems and look for lines with "LISTEN".

3. Prepare /etc/hosts - probably mostly done!

Try to place short names first. You don't have to do this, but the firewall will be much more readable in the end if you do. Make sure that your /etc/hosts file has at least entries for:

- localhost
- the ip addresses of all interfaces on your firewall.
- all the networks in your routing table except 0.0.0.0.
- all dns servers
- any other hosts that Mason might treat specially.

For example:

    127.0.0.1       localhost
    172.16.0.1      fwall-inside bastion bastion.mydomain.org
    12.13.14.15     fwall-outside
    172.16.0.0      INSIDE          #I use all caps to distinguish networks from normal IP's.
    12.13.14.0      OUTSIDE
    12.13.16.10     myisp-dns1
    12.13.16.11     myisp-dns2
    12.13.14.44     ntp bonzo bonzo.mydomain.org

4. Prepare the routing table and interfaces - probably already done!

Mason assumes that the routing table and interfaces are set up to match the way the final firewall will run. If you're running this on the actual firewall machine and all the interfaces and networks have been configured, proceed to the next step.

Otherwise, edit /etc/masonrc on the machine on which Mason will run. Edit the line (or add it if it's not there)

    NETWORKS="....."

Inside the quotes, place the following:

- All ip addresses of all interfaces for the firewall, each followed by /32 .
- The ip's of any hosts that shouldn't be treated identically to the other machines on their respective networks.
- All networks whose machines the firewall should treat identically.

For example, if the firewall had IP address 172.16.0.1 on network 172.16.0.0/255.255.0.0 and IP address 12.13.14.15 on network 12.13.14.0/255.255.255.0, I would add the following line to /etc/masonrc if I was building the firewall on another machine:

    NETWORKS="127.0.0.1/32 172.16.0.1/32 12.13.14.15/32 172.16.0.0/16 12.13.14.0/24"

5.
Check the configuration file - 5 minutes, more if you want to customize.

The configuration choices in /etc/masonrc are ordered so that the fields you'll most likely need to edit are at the top and the really obscure ones are at the bottom. There are a few settings you must set for Mason to work at all: NEWRULEPOLICY, DEFAULTPOLICY, and FLUSHEDPOLICY. If you have no firewall at all and are creating one for the first time, set each to "ACCEPT". During the learning process, you will have no protection at all (all packets will be accepted), but note that this is no _less_ secure than a system without a firewall. If you want to make the creation process a little more secure, you might consider setting one of these to DENY or REJECT; see the comments in /etc/masonrc and mason.txt for more info on this. In particular, if you are building this remotely via a telnet or ssh session, note that setting one of the above to something other than ACCEPT before Mason knows about the telnet or ssh traffic almost guarantees that you will lose the ability to telnet or ssh to the box until it is rebooted from the console.

If you're in a rush to try out Mason, feel free to set just these three fields and continue. The more of the settings you set to match your needs, the better the firewall will be at matching your security policy in the end.

6. Place any known rules in /var/lib/mason/baserules - no time for most people.

If you already know some rules you'll need, put them in this file. For example, if you know you'll need to masquerade all traffic from the 172.16.0.0/255.255.0.0 network, a sample rule for this is already in baserules. If you don't know of any, no problem.

7. Run mason-gui-text

This (admittedly rudimentary) interface helps you build the firewall. Choose "BL" (begin learning) and watch Mason start to spit out the firewall rules that perfectly match your system's network traffic. Check that stopwatch - you're building a firewall less than 20 minutes from when you started!
Give yourself a pat on the back. Mason will do a great deal of the rest in the background while you're doing your day to day work.

Do all of the things you want this firewall to support. If you want to allow mail to be sent through it, send mail through it. If you want to be able to ping it, ping it. If you want to be able to traceroute from it, traceroute from it.... You get the idea.

The new rules Mason provides are put in the "newrules" file. From time to time you should edit this file ("EN" from the main menu). Delete any rules you don't like (or change their policy to deny or reject). Once you're happy with a given rule, add a tag to the end that indicates you're happy with it (I happen to use my initials+OK: "WLSOK"). Once you have saved that file and exited your editor, you can Merge the Rules ("MR" from the main menu) to the baserules file. Choose "some", then enter the tag ("WLSOK") that identifies all the rules you've approved. These will be carried over to baserules.

Baserules is reserved for rules that you are _sure_ are correct; only these rules get loaded at boot time if you've enabled the firewall (run "ntsysv" in RedHat and enable the firewall service, or make the appropriate symlink from /etc/rc.d/init.d/firewall to /etc/rc.d/rc3.d/S92firewall for other distributions). The goal is to have a baserules file that has all of the rules you've approved and an empty newrules file. Keep in mind that the firewall that will normally be started at boot time _only_ uses rules from baserules.

If you need to step away from the firewall for a minute, choose "LC" (lock console) from the main menu. Mason will keep on learning and you'll still see the new rules, but that console will be locked. You'll need to enter the root password to return to the main menu.

8. Tell your boss that you're going to need a few weeks to build this.

Then head off to Bermuda and bask in the sun while Mason does its learning.
And make sure you have a penguin typing away in your chair so no-one is suspicious. *grin*

9. Implement the final firewall.

Once you've let Mason run in the background for a couple of days, are confident that you've gotten all of the traffic types this machine needs to support, have merged all of the rules to baserules, and are confident they are what you want, lock down the firewall. In /etc/masonrc, change DEFAULTPOLICY to DENY. If you want to keep Mason running to see if any stragglers show up, you'll probably want to change NEWRULEPOLICY to DENY as well; this has the effect of creating rules for new packet types, but they are DENY rules now. Otherwise, just start the standard firewall with:

    /etc/rc.d/init.d/firewall start

If you've made the symlink in step 7, the firewall will be started automatically at boot time.
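The review loop of step 7 (tag the rules you approve in newrules, merge only the tagged ones into baserules, leave the rest for another look) and the step 9 lock-down of /etc/masonrc are the parts of this procedure worth getting exactly right, since baserules is all the boot-time firewall ever loads. The script below is an added example and is not part of Mason or mason-gui-text; it works on files in a temporary directory so it can be run anywhere. It assumes one rule per line with the approval tag as a trailing comment, and masonrc keys written as KEY="VALUE" lines as in steps 4 and 5. The rule lines are constructed ipchains-style samples, not Mason's actual output, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of Mason): the tag-and-merge loop from step 7 and the
# policy change from step 9, done over constructed copies of the three files.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NEWRULES=$WORK/newrules
BASERULES=$WORK/baserules
MASONRC=$WORK/masonrc
TAG=WLSOK   # the reviewer's "this rule is approved" marker, as in the text

# Constructed newrules: two rules already reviewed and tagged, one not yet.
cat > "$NEWRULES" <<EOF
ipchains -A input -i eth0 -p tcp -s 172.16.0.0/16 1024:65535 -d 12.13.14.15/32 22 -j ACCEPT #$TAG
ipchains -A input -i eth0 -p udp -s 172.16.0.0/16 1024:65535 -d 12.13.16.10/32 53 -j ACCEPT #$TAG
ipchains -A input -i eth1 -p tcp -s 0.0.0.0/0 1024:65535 -d 12.13.14.15/32 23 -j ACCEPT
EOF

# Constructed baserules: the masquerading rule from step 6, approved earlier.
cat > "$BASERULES" <<EOF
ipchains -A forward -s 172.16.0.0/16 -j MASQ #$TAG
EOF

# Constructed masonrc with the three mandatory policies set for learning.
cat > "$MASONRC" <<EOF
NEWRULEPOLICY="ACCEPT"
DEFAULTPOLICY="ACCEPT"
FLUSHEDPOLICY="ACCEPT"
EOF

# merge_tagged <newrules> <baserules> <tag>: append every rule ending in the
# tag to baserules and keep only the untagged rules in newrules, which is what
# "MR" -> "some" -> tag does in mason-gui-text.
merge_tagged() {
    grep -- "#$3\$" "$1" >> "$2" || true        # no tagged rule is not an error
    grep -v -- "#$3\$" "$1" > "$1.tmp" || true  # untagged rules stay for review
    mv "$1.tmp" "$1"
}

# set_policy <masonrc> <KEY> <VALUE>: rewrite the KEY="..." line in place.
set_policy() {
    sed "s/^$2=.*/$2=\"$3\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# policy <masonrc> <KEY>: print the current value of KEY.
policy() {
    sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1"
}

merge_tagged "$NEWRULES" "$BASERULES" "$TAG"
set_policy "$MASONRC" DEFAULTPOLICY DENY      # step 9: lock down
set_policy "$MASONRC" NEWRULEPOLICY DENY      # keep learning, but as DENY rules

echo "baserules now holds $(wc -l < "$BASERULES") rules, newrules $(wc -l < "$NEWRULES")"
echo "DEFAULTPOLICY=$(policy "$MASONRC" DEFAULTPOLICY) NEWRULEPOLICY=$(policy "$MASONRC" NEWRULEPOLICY)"
```

After the merge the telnet rule, which nobody tagged, is still in newrules rather than in the boot-time rule set; that is the property to check before running step 9, because a DENY DEFAULTPOLICY will silently drop every traffic type whose rule never made it into baserules.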