If you're looking for the HTML::Mason Perl Module, try here.

Current version - 0.12.0, 0.13.0 almost ready

Introduction

Mason is a tool that interactively builds a firewall using the Linux kernel's ipfwadm or ipchains packet filtering. You leave mason running on the firewall machine while you make all the kinds of connections that you want the firewall to support (and the ones you want it to block). Mason then gives you a list of firewall rules that allow and block exactly those connections.

Mason was specifically designed to make it possible for anyone who can generally find their way around a Linux system to build a reasonably good packet filtering firewall for any and every system under their control. It takes care of all the low-level grunt work; all you need to do is follow the instructions and be able to run all the TCP/IP applications that need to be supported.

The real work of the package is done by the mason script. Its job is to convert the packet log entries that the Linux kernel produces into ipfwadm or ipchains commands that you can use in your own firewall.
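To make the log-to-rule conversion concrete, here is a small Python converter written for this page as an added example; it is not Mason's own script and emits ipchains syntax only. It assumes the Linux 2.2 ipchains "Packet log:" line layout shown in the IPCHAINS-HOWTO (chain, target, interface, PROTO=, src:sport, dst:dport, then length/TOS/ID/fragment/TTL fields, an optional SYN marker and the rule number), works on constructed log lines embedded below, and applies two heuristics of its own that Mason may or may not share: the client's ephemeral port is widened to the range 1024:65535 so one observed connection produces a reusable rule, and TCP reply rules get "! -y" so they cannot be used to open connections from the server side.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed sample syslog lines in the Linux 2.2 ipchains "Packet log:" format
# (field order as documented in the IPCHAINS-HOWTO).  Hosts, ports and rule
# numbers are made up for this example.
SAMPLE_LOG = """\
Feb  3 10:01:12 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.5:1025 10.0.0.1:80 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#3)
Feb  3 10:01:12 fw kernel: Packet log: output DENY eth0 PROTO=6 10.0.0.1:80 192.168.1.5:1025 L=60 S=0x00 I=0 F=0x4000 T=64 (#2)
Feb  3 10:01:15 fw kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.5:1026 10.0.0.53:53 L=62 S=0x00 I=12346 F=0x0000 T=64 (#3)
Feb  3 10:01:16 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.5:1027 10.0.0.1:80 L=60 S=0x00 I=12347 F=0x4000 T=64 SYN (#3)
Feb  3 10:01:20 fw kernel: Packet log: input DENY eth0 PROTO=1 192.168.1.5:8 10.0.0.1:0 L=84 S=0x00 I=12348 F=0x0000 T=64 (#3)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)$"
)

PROTO_NAMES = {6: "tcp", 17: "udp"}   # other protocols (e.g. ICMP) are skipped here
EPHEMERAL = "1024:65535"              # ipchains port-range syntax is low:high


@dataclass(frozen=True)
class Flow:
    chain: str
    iface: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    syn: bool


def parse_line(line: str) -> Optional[Flow]:
    """Pull the fields a filter rule needs out of one kernel log line, or None."""
    m = LOG_RE.search(line)
    if not m or int(m.group("proto")) not in PROTO_NAMES:
        return None
    return Flow(
        chain=m.group("chain"), iface=m.group("iface"),
        proto=PROTO_NAMES[int(m.group("proto"))],
        src=m.group("src"), sport=m.group("sport"),
        dst=m.group("dst"), dport=m.group("dport"),
        syn=" SYN" in m.group("rest"),
    )


def generalize(flow: Flow) -> Flow:
    """Widen the client's ephemeral port to a range so one observed connection
    yields a rule that also matches the next connection to the same service.
    Heuristic chosen for this example (not a rule of Mason): the side whose
    port is >= 1024 while the other side's is < 1024 is the client."""
    sport, dport = int(flow.sport), int(flow.dport)
    if sport >= 1024 and dport < 1024:
        return replace(flow, sport=EPHEMERAL)
    if dport >= 1024 and sport < 1024:
        return replace(flow, dport=EPHEMERAL)
    return flow


def to_ipchains(flow: Flow) -> str:
    """Render an ACCEPT rule that matches exactly the (generalized) flow."""
    parts = ["ipchains", "-A", flow.chain, "-i", flow.iface, "-p", flow.proto]
    # Reply direction of a TCP service (well-known source port, ephemeral
    # destination): "! -y" accepts everything except a new SYN, so the rule
    # cannot be reused to open connections from the server side.
    if flow.proto == "tcp" and flow.dport == EPHEMERAL:
        parts += ["!", "-y"]
    parts += ["-s", flow.src, flow.sport, "-d", flow.dst, flow.dport, "-j", "ACCEPT"]
    return " ".join(parts)


def build_rules(log_text: str) -> List[str]:
    """Convert a batch of log lines into a de-duplicated rule list, in first-seen order."""
    rules: Dict[str, None] = {}
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        rules.setdefault(to_ipchains(generalize(flow)), None)
    return list(rules)


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_LOG):
        print(rule)
```

Run against the constructed log above, the five lines collapse to three rules: the two HTTP connections from 192.168.1.5 become one input rule, the HTTP reply becomes one output rule with "! -y", the DNS query becomes one udp rule, and the ICMP line is skipped. The output is only ever as good as the traffic you generated while logging, and it contains no default policy of its own; that is exactly the point of the disclaimer below, so review every rule and add your own trailing DENY before trusting the result.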

In order to make it easy to use, I have included a rudimentary tool called mason-gui-text. It's a very simple shell that handles the setup and creation process for those who want to be led through it. I would sincerely like to see it replaced with a nicer interface.

Features

Mason supports the following: (see the release notes for additional features)

Disclaimers

I've included a copy of the disclaimers. Like all GNU programs:

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

Unfortunately, because this program is so deeply involved in the security of the systems on which it is run, I need to add this disclaimer as well:

        This program offers an aid to creating firewall rules.  It offers
ABSOLUTELY NO intelligence in deciding what should be allowed or
disallowed.  It has ABSOLUTELY NO ability to understand your security
policy and implement it.  YOU are responsible for reviewing the rules and
massaging them to fit your needs.
        While the documentation in mason.txt attempts to provide some
general guidelines on how to use Mason, please remember:  the author has
no knowledge of what you want your firewall to do and has not tailored the
documentation or program to specially fit your needs.  If there is ever a
discrepancy between your needs and the program output or your needs and
the documentation, the program and/or documentation are _dead_ _wrong_.

Downloading and installing

Here are the various versions available for download, most recent at the top.

Here's how to install:

Here are the individual files you can download. These files may be newer than the ones in the packages above; if so, they are here as prerelease versions for those who want to be on the bleeding edge.

The following files are no longer part of the package.

Additional resources

Authors, credits, feedback, copyright, how to help!

If you have comments, suggestions, problems, ideas, flames, patches, whatever, I'd like to hear them. I'd even be interested in hearing where Mason fell short for your needs. My permanent email address is wstearns@pobox.com. The permanent web site for the software is http://www.pobox.com/~wstearns/mason/.

Jeff Licquia has kindly offered to package up Mason into a Debian package. The Debian requirements are helping to make a better program for all distributions.

Jens Knudsen wrote nicerules, a wrapper script for Mason. It's a simple script that takes the "newrules" output, sorts and orders the firewall rules in a way that makes them easier to review for security, and produces a "standalone" firewall script and a firewall.disable script. The script probably has many "bugs"; use it as an aid, but don't blame him for any problems it may cause you. There is more information in the actual script, which is also heavily commented. Have fun.

If you choose to send me actual mason firewall rules and choose to hide the IP addresses and/or networks for security reason, that's fine, but please replace them with something that describes their general use so I can make sense of them. For example:

sed -e 's@11\.22\.33\.44/32@fw-outside@g' \
    -e 's@192\.168\.1\.1/32@fw-inside@g' \
    -e 's@192\.168\.1\.0/24@inside-net@g' \
    myrules >myrules.mailable
- or something like that.

There are a number of things you can do to help this project:

Most of the files in the Mason package are Copyright (c) 1998, 1999 by William Stearns wstearns@pobox.com or Jeff Licquia. They are released under the GNU GPL, which is included in the package. If you did not receive a copy of this license, please contact the author for a copy (see the top of the Mason script for contact information for the author and the Free Software Foundation).

William is also the author of buildkernel, the automated Linux kernel builder, and other minor shell scripts.

Thanks

Chris Brenton deserves very special thanks for spending an evening with me discussing a number of questions I've had about packet filtering. He was very kind to share his knowledge with me. I owe him a pizza sometime. :-) Chris has written some excellent networking texts, Multiprotocol Network Design & Troubleshooting and Mastering Network Security; I'm about halfway through Mastering Network Security and am very impressed with the writing and content. The above plug was not requested, but is well deserved.

Thanks to Nathan Bailey who took the time to remind me that there is a Perl Module that's also called Mason. Thanks also to Jonathan Swartz, the author of HTML::Mason who graciously agreed to share the name and pointers with me.

Many thanks to Dave Stern, who has offered suggestions on how to improve Mason and helped with beta testing early versions. Maybe someday I'll tell him they were prerelease versions... :-)

Thanks to all of the people who have sent in questions, bug reports, fixes, improvements, and six foot long lizards.

A special thank you to all the authors in the Linux movement. In a small way, the code I return to the community is my way of paying back my incredible debt to the people who came before me.

As always, many thanks to my wife Debra, who has shown amazing patience with my Linux related projects. Many thanks, my love.

Last edited: 8/2/99

Best viewed with something that can show web pages... <grin>