If you're looking for the HTML::Mason Perl Module, try here.

Current version - 1.0.0 *smile*


(Unsolicited) Reviews

"If you have not checked out Mason, I highly recommend it. Mason is a Linux based firewall, but none like you've ever used.

In short, you put Mason into learning mode and run the services to the Internet you wish to support. Mason will then take these log entries and turn them into a set of packet filtering rules. Pretty cool eh? No ACK compliment rules to worry about, no "what was that service port again?" decisions to worry about, simply plug it in, let it learn and off you go. :)"

- - Chris Brenton, cbrenton@sover.net

"Tonight I tried out your Mason package and I got to tell you it is the best thing I have seen in a long time. I tried it on a test machine and it worked flawlessly. Usually things are fun for novelty reasons but this thing is awesome! Me and my colleagues are always setting up some type of firewall and I am going to blow them away with this one. Problem with firewalls is one always forgets a policy, port, etc... especially being a field computer person, with Mason it pretty much takes care of most of the work for you.

All I can say is I cant tell you how cool this is.

- - Richard Lo, richardlo@visto.com

We just recently retooled our firewall as it was in bad shape. I want to put the word about the Mason firewall package which automatically writes ipchain rules for you. Without Mason, we would still be struggling with our firewall. I highly recommend using it to implement some rudimentary security on stand-alone RedHat Linux systems that are continuously connected to the web.

- - real-life, paranoid, pressed for time, system administrator who prefers to remain anonymous, well, because (s)he's paranoid

Well, I played with it for quite a while, and I liked the results. This version is very robust, and the learning curve is simply amazing, so it's really a recommended tool for newbies.

- - Aviram Jenik, aviram@beyondsecurity.com, http://www.SecuriTeam.com

It's been a major pain in the ass trying to configure my RedHat 6.0 firewall at home using ipfwadm and the other standard Linux tools. So it was with some doubt that I installed Mason on my RedHat 6.0 firewall, expecting nothing useful to come of it. I was rather shocked to find Mason quickly emitting lists of real-world, usable rules, and making them actually work with my fairly complex system requirements. (I want ftp, telnet, RealAudio, Quake, HalfLife, netnews, and I want it all to be perfectly secure! ;) ) I am completely sold on Mason. Congrats on making the first firewall tool in the true spirit of Linux; it should be part of every distribution.

- - John Byrd, johnbyrd@pacbell.net


Introduction

Mason is a tool that interactively builds a firewall using Linux' ipfwadm or ipchains firewalling. You leave mason running on the firewall machine while you are making all the kinds of connections that you want the firewall to support (and want it to block). Mason gives you a list of firewall rules that exactly allow and block those connections.

Mason was specifically designed to make it possible for anyone with the ability to generally find their way around a Linux system to build a reasonably good packet filtering firewall for any and every system under their control. It takes care of all the low level grunt work; all you need to do is follow the instructions and be able to run all the TCP/IP applications that need to be supported.

The real work of the package is done by the mason script. Its job is to convert the log entries that the Linux kernel produces into ipfwadm or ipchains commands that you can use in your own firewall.

In order to make it easy to use, I have included a rudimentary tool called mason-gui-text. It's a very simple shell that handles the setup and creation process for those that want to be led through the process. I would sincerely like to see it replaced with a nicer interface.


News

5/12/02

We've been stable for a long time. Time for 1.0.0. :-)

9/16/01

Minor release to accomodate the fact that the "sam" package had to be renamed to "samlib".

8/7/01

Thanks to all who've reminded me that 0.13.9.3 doesn't get along well with newer glibc's. Someone decided to rename a signal and it causes no end of problems.

A number of the functions Mason depends on are shared with other bash apps. I've put together a shared library of bash functions for these applications with a goal of formal verification for each function. Mason now requires the "sam" library to run; this library can be found at ftp://ftp.stearns.org/ as well. Simply install the sam rpm or tar first.

Thanks to Steve Wray for the awk only replacement for an awk/grep/sed combination in older versions.

Minor fixes.

Baiju Thakkar deserves a large THANKS! for updating the web site. You'll see the new content once we work out a few more details.

10/25/00

I've gotten the iptables code in 0.13.9.3 to the point where it's generally working. A few notes:

By the way, the "live learning" process seems to be rather good. Give it a try, especially if you've had trouble with Mason crashing in the past. The live learning bypasses the backgrounding that used to be required, hopefully putting the crashes permanently to bed. I have my fingers crossed.

The menus look a lot better now.

11/21/99

The exciting new project is the ability to decide what to do with a rule while the learning process is going on. Now, when a new rule shows up, you can instantly decide to commit it to baserules, discard it, change it, etc. mason-decide is not complete, but it's functional enough that I'm making it available for testing. If you like the old behavior of throwing all the rules into newrules for later editing, change: if /bin/false ; then in mason-gui-text to: if /bin/true ; then

As a followup to the following, mason has some iptables functionality now. I have the base code functioning to the point that I can actually build an iptables firewall with it.

Please note that it is most definitely not complete. If you're masquerading, you need to put the masquerading rule in baserules before you start mason-gui-test (baserules.sample has been updated to include iptables masquerading).

mason-1999112101 is _only_ available at ftp://mason.stearns.org - this will soon be the master web and ftp site for the project.

9/x/99

My hat is off to Rusty, who has done it again. I've gotten netfilter running on 2.3.x and I'm really impressed. When I insert the ipfwadm module, Mason runs just fine. When I insert ipchains.o, hey, Mason runs just fine. I haven't tried all the features, but this is going to make debugging Mason much easier. And hey, it looks like its going to be in 2.4.x!

In preparation for 0.13.1, the documentation has gotten a lot of work. I've merged a bunch of stuff into a main SGML file which can be viewed in .txt or .html format. I'm glad to say the documentation is finally usable again.

3/9/99

I have gotten a number of contributions from people - many thanks. I'll have a real contributions section later, but for the moment:

3/8/99

The Mason mailing lists are now live. There are three lists:

Note that the old "geek-speak.net" addresses are no longer valid. The lists have been moved to ists.dartmouth.edu.
ListDescriptionHow to subscribe
mason-announce This list is an announcements-only list. It will generally be limited to new version announcements for the Mason firewall builder, but may also include announcements related to Mason from time to time. It is a low volume list and is moderated. send mail to majordomo@ists.dartmouth.edu with "subscribe mason-announce" in the body.
mason-help This unmoderated list is for general discussion of all topics related to the Mason firewall builder. On-topic discussion includes bug reports, questions, feature requests, suggestions, and questions about operating Mason. General packet filtering, firewall, Linux, networking, kernel, ipfwadm, ipchains, netfilter, and iptables questions are considered on-topic as well. send mail to majordomo@ists.dartmouth.edu with "subscribe mason-help" in the body.
mason-devel This is a discussion list for the people involved in the development of the Mason firewall builder and related projects. Issues about code, patches, packaging issues, distribution, and general communication between developers are considered on-topic. You should get in touch with Bill Stearns (wstearns@pobox.com) before subscribing and let him know what area of development interests you. send mail to majordomo@ists.dartmouth.edu with "subscribe mason-devel" in the body.

Disclaimers

I've included a copy of the disclaimers. Like all GNU programs:

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

Unfortunately, because this program is so deeply involved in the security of the systems on which it is run, I need to add this disclaimer as well:

        This program offers an aid to creating firewall rules.  It offers
ABSOLUTELY NO intelligence in deciding what should be allowed or
disallowed.  It has ABSOLUTELY NO ability to understand your security
policy and implement it.  YOU are responsible for reviewing the rules and
massaging them to fit your needs.
        While the documentation in mason.txt attempts to provide some
general guidelines on how to use Mason, please remember:  the author has
no knowledge of what you want your firewall to do and has not tailored the
documentation or program to specially fit your needs.  If there is ever a
discrepancy between your needs and the program output or your needs and
the documentation, the program and/or documentation are _dead_ _wrong_.

Downloading and installing

Here are the various versions available for download, most recent at the top.

Here's how to install:

Here are the individual files you can download. These files may be newer than the ones in the packages above; if so, they are here as prerelease version for those who want to be on the bleeding edge.


Credits

Most of the files in the Mason package are Copyright (c) 1998-2001 by William Stearns wstearns@pobox.com or Jeff Licquia. They are released under the GNU GPL, which is included in the package. If you did not recieve a copy of this license, please contact the author for a copy (see the top of the Mason script for contact information for the author and the Free Software Foundation).

Last edited: 5/12/02

Best viewed with something that can show web pages... <grin>