- DONE! break up port range from 1024:65535 to masq/non-masq ports (if masq enabled?)
- DONE! use ipcalc.pl to generalize IP to a routed network (but not netblock on default route), and not a point-to-point link (slx/pppx/plipx)
- DONE! warn if DOCOMMAND incompatible with capabilities of running kernel
- DONE! Don't do processing if non-timestamp parameters equal to previous values.
- DONE! syslog is one way, syslog port to syslog port.
- DONE! do not generalize IP to 0/0 if both source and dest ports are 1024:65535
- DONE! grab additional local IP's (only?) from route -n grep BC and weed out dups
- DONE! caches in /var/...?
- DONE! ssh source port; 1000:1023, then 975:999, 950:974, etc.
- DONE! staticrules env var for ports to block from outside world for all incoming requests. include 2049/tcp,udp, 3128/tcp, 3130/udp, X, xfs.
- DONE! add offending port numbers to comment on high-high connections
- DONE! no masq port ranges in comment1
- DONE! don't put in tcp ack if both source and dest are servers.
- DONE! env var to choose what name lookup level
- DONE! reload DYN addresses on SIGUSR1.
- DONE! set TOS where appropriate
- DONE! break up ruleshell into runwall and runmason
- DONE! both source staticrules, which has ability to set lots of defaults
- DONE! get flushing to remove logging rulesets if appropriate.
- DONE! add nfs and friends to SSP and SCP lists
- DONE! syslog as an SSP
- DONE! trap Ctrl-C on gui-text, run killall -9 tail
- DONE! ipcalc workaround
- NOT NEEDED! carry along ipcalc/libc5, install if missing.
- DONE! spec file to ./redhat directory
- DONE! pull protocols from /etc/protocols
- DONE! move man pages up
- DONE! use --sport / --dport when addr is 0/0
- DONE! vlock installed?
- DONE! poll user for required (but unset) variables at the start.
- DONE! allow blocking a complete protocol
- NOT NEEDED! make sure all host<->ip's make it into host cache
- DONE! Have icmp echo request as one of the NOINCOMING?
- DONE! check: something in /etc/hosts might be a network, not a /32.
- DONE! Allow user to choose between "grouped by protocol" or "sorted by packetcount"; use this everywhere.
- DONE! for dns port, if ip is in /etc/resolv.conf "nameserver X", put in rule to host, not net.
- not needed. diff of pid list to kill
- DONE! append counters as comment.
- DONE! include pointer to Jens Knudsen's nicerules package.
- DONE! check for existence of outputN, etc., before flushing
- DONE! will networks handle /0-32?
- DONE! pause before clear in mason-gui-text
- DONE! will networks handle a /32?
- DONE! add spoof blocks, use ipchains ! interface syntax.
- DONE! if user is switching to the standard firewall and there are unchecked rules in newrules, ask if they really want to do this.
- DONE! gracefully handle EOF on all reads
- DONE! for non-tcp/udp/icmp protocols, drop and ignore all ports
- DONE! when warning about duplicate rules, display in decimal and hex.
- DONE! dup mark for currently running firewall is bitching about the count cache! Pull from running firewall.
- explain in documentation to use 0:1023 for "to all servers" range. (credit to Dave Stern)
- set up documentation for "nolog" chain. Check for existence at top of mason, create if not there, use for ipchains runcommand.
- parameter to set ip->0/0 if no match with /tmp/morehosts or IP ranges
- suggest that users make syslog asynchronous to reduce load (message from rich in Mason folder)
- remind people to set all SERVER ports in /etc/services; no client ports.
- 2401/tcp = cvs?
- button-pushing gui to change values in /etc/masonrc
- host->name is a separate button from host->network and is a fallback
- upgrade nfs-server beta 16 to 37; 16 used different ports.
- contact portmapper for rpc ports.
- gui allows user to add comment line for most recent protocol ...maaaasonnnn eeeeessssss eeeeevillll...uuuuse emmm-esss-proxxxxxeeeeee....
- in docs: NO PORT SCANNING WHILE MASON IS RUNNING!
- 0/0 -> 0/0 packets.... huh? Have option to put these in or not. DO THIS! Or have an outgoing DENY for old IP's, maybe?
- option to allow standard high port to high port. Sob.
- only allow incoming DNS from high ports or port 53?
- if an xterm, spit out title bar for Mason-gui-text
- for syslog machines: have env var to grep: grep '^[^\W]*\W*[^\W]*\W*[^\W]*\W*tomcat\W'
- handle destination address (only) of 224.x.x.x - 239.x.x.x as /32
- force deny rule for source address of 224.x.x.x?
- Have some kind of FTP server variable
- slackware handling
- caldera
- ipchains-save output format (started, looking good)
- verbose firewall listing input format
- reset all DYNIF addresses right before testing for equivalence
- rename /etc/rc.d/init.d/firewall to /etc/rc.d/init.d/mason
- if port number is 65535, leave specific; don't generalize to 1024:65535
- Figure out when the firewall needs to be flushed so as to not nuke packetcounts.
- put noincoming/blockedhosts stuff in a /var/lib/mason/special that gets recreated each time. Bump up MINMARK after this block to leave space so as to not overlap.
- option to always add ip in comments; perhaps auto for $NEWRULEPOLICY=DENY?
- Add check for promisc mode in checksys.
- does check for existing ipchains/ipfwadm binary work?
- only attempt the addcounts stuff with DOCOMMAND and ECHOCOMMAND=ipchains
- FIXME ipchains marks are added even if no minmark set. - prob fixed now.
- FIXME generalized tcp responses active even if not requested - prob fixed now.
- block icmp port unreachable in the opposite direction from a generalized tcp ack
- "show /var/log/messages" | grep 'I=' during build option.
- exit immediately on a sighup (closer now...)
- gracefully handle 0 line matches on all greps.
- ipfw format?
- noincoming 54321/tcp
- Set a var that says it's a requested exit that blocks logging the "crash"?
- option to group by: interface, direction, protocol

Cisco:
- DONE! in Cisco output, replace: ppp -> S, eth -> E, tr -> To.
- DONE! drop lo and forwarding packets for Cisco, I think.
- in Cisco output, replace: 0/0 -> any (equivalent to 0.0.0.0 255.255.255.255).
- Cisco is default deny if access list exists.
- Cisco prep:
    no ip access-group DIRLETTERifname
    no access-list DIRLETTERifname
    ip access-list extended DIRLETTERifname
    (Can I create a blank one this way and add rules later? Otherwise, start new rules with permit or deny.)
    exit
    interface Ethernet 0
    ip access-group DIRLETTERifname in|out (out is default)
    exit
- remind user for Cisco to use 100-199 if replacing names with numbers
- port in Cisco is _destination_ port
- replace ip 0.0.0.0 with host ip.
- protocol - uppercase?
- lt gt eq neq a port number
- check that literally the word "log" is used at the end of IOS rules.

TOS: http://www.cis.ohio-state.edu/htbin/rfc/rfc1349.html, esp. Appendix 2.
- 3 high order bits are precedence, next 4 are TOS, last is MBZ (=0)
- 1000 minimize delay
- 0100 maximize throughput
- 0010 maximize reliability
- 0001 minimize monetary cost
- 0000 normal service
- ICMP 3,4,5,11,12 => 0000, rest as needed
- sending and receiving TOS do not need to be equal (ex: max throughput on bulk, minimize delay on responding ACK's)
- I think it only makes sense to set TOS on outgoing packets.
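The Cisco items above, worked into a small translator. This is an added example, not Mason's own code; it assumes "I"/"O" as the DIRLETTER values, ipchains-style chain names (input/output/forward) and actions (ACCEPT/DENY/REJECT), and uses the IOS named-ACL form (`no ip access-list extended NAME`) for the "no access-list" step of the prep sequence.

```python
import ipaddress

# Interface-name mapping from the Cisco notes: ppp->S, eth->E, tr->To
IFACE_PREFIX = {"ppp": "S", "eth": "E", "tr": "To"}
DIR_LETTER = {"input": "I", "output": "O"}   # assumed DIRLETTER values
ACTION = {"ACCEPT": "permit", "DENY": "deny", "REJECT": "deny"}

def cisco_iface(linux_if):
    """eth0 -> E0, ppp1 -> S1, tr0 -> To0; lo has no Cisco equivalent."""
    for prefix, cisco in IFACE_PREFIX.items():
        unit = linux_if[len(prefix):]
        if linux_if.startswith(prefix) and unit.isdigit():
            return cisco + unit
    raise ValueError("no Cisco interface for %r" % linux_if)

def cisco_addr(cidr):
    """0/0 -> any, a /32 -> 'host X', anything else -> 'network wildcard'."""
    addr, _, bits = cidr.partition("/")
    addr = "0.0.0.0" if addr == "0" else addr            # ipchains shorthand
    net = ipaddress.ip_network("%s/%s" % (addr, bits or "32"), strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return "%s %s" % (net.network_address, net.hostmask)

def cisco_rule(chain, iface, action, proto, src, dst, dport=None, op="eq"):
    """One ipchains-style rule -> (ACL name, IOS entry); None for the forward
    chain and for lo, which the notes say to drop."""
    if chain not in DIR_LETTER or iface == "lo":
        return None
    acl = DIR_LETTER[chain] + cisco_iface(iface)
    entry = [ACTION[action], proto.lower(), cisco_addr(src), cisco_addr(dst)]
    if dport is not None and proto.lower() in ("tcp", "udp"):
        if op not in ("eq", "neq", "lt", "gt"):
            raise ValueError("unsupported port operator %r" % op)
        entry += [op, str(dport)]        # IOS ports are destination ports
    entry.append("log")                  # the literal word 'log' ends each rule
    return acl, " ".join(entry)

def cisco_prep(chain, iface, entries):
    """'Cisco prep' sequence: unbind, recreate, rebind (an access-group that names a missing list permits all)."""
    acl, cif = DIR_LETTER[chain] + cisco_iface(iface), cisco_iface(iface)
    inout = "in" if chain == "input" else "out"
    return (["interface %s" % cif, "no ip access-group %s %s" % (acl, inout), "exit",
             "no ip access-list extended %s" % acl, "ip access-list extended %s" % acl]
            + entries + ["exit", "interface %s" % cif,
                         "ip access-group %s %s" % (acl, inout), "exit"])
```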
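The TOS notes above, as an added example (not Mason's code): it packs and unpacks the RFC 1349 octet, rejects a set MBZ bit or a non-standard TOS nibble, forces ICMP types 3, 4, 5, 11 and 12 to 0000, and derives the `-t andmask xormask` pair ipchains applies as (old & andmask) ^ xormask. The service names and the choice to preserve precedence bits are this example's own.

```python
# RFC 1349 TOS octet layout: PPP TTTT M (3 precedence bits, 4 TOS bits, 1 MBZ bit)
TOS_BITS = {
    "normal":      0b0000,   # normal service
    "mindelay":    0b1000,   # minimize delay
    "throughput":  0b0100,   # maximize throughput
    "reliability": 0b0010,   # maximize reliability
    "mincost":     0b0001,   # minimize monetary cost
}
# ICMP types the notes say must always leave with TOS 0000
ICMP_TOS_ZERO = {3, 4, 5, 11, 12}

def tos_octet(service, precedence=0):
    """Assemble the octet from a service name and a 0..7 precedence value."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit field")
    return (precedence << 5) | (TOS_BITS[service] << 1)   # MBZ stays 0

def decode_tos(octet):
    """Split an octet into (precedence, service); reject a set MBZ bit or a
    TOS nibble that is not one of the five values in RFC 1349."""
    if octet & 0x01:
        raise ValueError("MBZ bit set")
    nibble = (octet >> 1) & 0x0F
    names = {bits: name for name, bits in TOS_BITS.items()}
    if nibble not in names:
        raise ValueError("non-standard TOS value %s" % format(nibble, "04b"))
    return octet >> 5, names[nibble]

def ipchains_tos_masks(service):
    """'-t andmask xormask' that rewrites only the TOS nibble: AND with 0xE1
    keeps precedence (and the MBZ bit), XOR then sets the new service bits."""
    return "0x%02X 0x%02X" % (0xE1, TOS_BITS[service] << 1)

def outgoing_tos(proto, service, icmp_type=None):
    """TOS to stamp on an outgoing packet (the notes only set TOS outbound):
    ICMP 3/4/5/11/12 are forced to 0000, everything else gets `service`."""
    if proto == "icmp" and icmp_type in ICMP_TOS_ZERO:
        return 0
    return tos_octet(service)
```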