This document is designed to help people who are unfamiliar with Mason build a firewall using it. A novice user should be able to start building a basic firewall using these instructions in 20 minutes.
See the Linux security sites and the Linux Administrators Security Guide for more info. A strict packet filtering firewall is useless if someone can get root access somehow; they can just turn off the firewall.
5 minutes or less.
If you're using an rpm-based system, type just
rpm -Uvh ftp://www.stearns.org/pub/wstearns/mason/mason-1.0.0-0.noarch.rpm
Otherwise, download the latest version to /usr/src,
cd /usr/src<Enter> tar -xzvf mason...tar.gz<Enter> cd mason...<Enter> make install<Enter>
Probably mostly done!
Mason depends on a few setup details to be able to provide a firewall that works in the way you intended. Make sure that /etc/services includes the server port names for all services you intend to work with, whether those services are running on the firewall machine or on some other machine.
For example, if you intend to use ssh to connect to another system, make sure that the line
is in /etc/services. Entries that might be missing include:
ftp-data 20/tcp ssh 22/tcp #Secure shell linuxconf 98/tcp squid 3128/tcp #Squid proxy cache requests icp 3130/udp #Inter Cache Protocol, used in squid
It is not necessary to include entries for services that you don't use. Also, do _not_ place entries for _client_ ports in this file; Mason assumes anything referenced in this file is a server port. For example, even though one of the client ports used for ssh is 1022/tcp, you would _not_ place this in /etc/services. Doing so would cause Mason to provide incorrect rules.
If you're not sure which ports are being used as servers on the firewall or on other machines on your network, use the "netstat -an | less" command on Linux/Unix systems and look for lines with "LISTEN".
Probably mostly done!
Try to place short names first. You don't have to do this, but the firewall will be much more readable in the end if you do.
Make sure that your /etc/hosts file has at least entries for:
127.0.0.1 localhost 172.16.0.1 fwall-inside bastion bastion.mydomain.org 18.104.22.168 fwall-outside 172.16.0.0 INSIDE #I use all caps to distinguish networks from normal IP's. 22.214.171.124 OUTSIDE 126.96.36.199 myisp-dns1 188.8.131.52 myisp-dns2 184.108.40.206 ntp bonzo bonzo.mydomain.org
Probably already done!
Mason assumes that the routing table and interfaces are set up to match the way the final firewall will run. If you're running this on the actual firewall machine and all the interfaces and networks have been configured, proceed to the next step.
Edit /etc/masonrc on the machine on which Mason will run. Edit the line (or add it if it's not there)
NETWORKS="....."Inside the quotes, place the following:
For example, if the firewall had IP address 172.16.0.1 on network 172.16.0.0/255.255.0.0 and IP address 220.127.116.11 on network 18.104.22.168/255.255.255.0, I would add the following line to /etc/networks if I was building the firewall on another machine:
NETWORKS="127.0.0.1/32 172.16.0.1/32 22.214.171.124/32 172.16.0.0/16 126.96.36.199/24"
5 minutes, more if you want to customize.
The configuration choices in /etc/masonrc are ordered so that the fields you'll most likely need to edit are at the top and the really obscure ones are at the bottom.
There are a few setting you must set for Mason to work at all: NEWRULEPOLICY, DEFAULTPOLICY, and FLUSHEDPOLICY. If you have no firewall at all and are creating one for the first time, set each to "ACCEPT". During the learning process, you will have no protection at all (all packets will be accepted), but note that this is no _less_ secure than a system without a firewall.
If you want to make the creation process a little more secure, you might consider setting one of these to DENY or REJECT; see the comments in /etc/masonrc and mason.txt for more info on this. In particular, if you are building this remotely via a telnet or ssh session, note that setting one of the above to something other than ACCEPT before Mason knows about the telnet or ssh traffic almost guarantees that you will lose the ability to telnet or ssh to the box until it is rebooted from the console.
If you're in a rush to try out Mason, feel free to set just these three fields and continue. The more of the settings you set to match your needs, the better the firewall will be at matching your security policy in the end.
No time for most people.
If you know some rules you'll need already, put them in this file. For example, if you know you'll need to masquerade all traffic from the 172.16.0.0/255.255.0.0 network, a sample rule for this is already in baserules.
If you don't know of any, no problem.
This (admittedly rudimentary) interface helps you build the firewall. Choose "BL" (begin learning) and watch mason start to spit out the firewall rules that perfectly match your system's network traffic.
Check that stopwatch - you're building a firewall less than 20 minutes from when you started! Give yourself a pat on the back. Mason will do a great deal of the rest in the background while you're doing your day to day work.
Do all of the things you want this firewall to support. If you want to allow mail to be sent through it, send mail through it. if you want to be able to ping it, ping it. If you want to be able to traceroute from it, traceroute from it.... You get the idea.
Mason will present the new rules that match your networks traffic. For each rule you'll be given the chance to modify the rule or commit the rule. Here are the modify choices:
Here are the commit choices:
Once you're happy with a firewall ruleset, stop learning. From the main menu you can either Edit the Base ruleset with "EB" or Quit. Edit New and Merge Rules are generally not needed and will be removed in a future version.
Baserules is reserved for rules that you are _sure_ are correct; only these rules get loaded at boot time if you've enabled the firewall (run "ntsysv" in RedHat and enable the firewall service, or make the appropriate symlink from /etc/rc.d/init.d/firewall to /etc/rc.d/rc3.d/S92firewall for other distributions).
The goal is to have a baserules file that has all of the rules you've approved and an empty newrules file. Keep in mind that the firewall that will normally be started at boot time _only_ uses rules from baserules.
If you need to step away from the firewall for a minute, choose "LC" (lock console) from the main menu. Mason will keep on learning and you'll still see the new rules, but that console will be locked. You'll need to enter the root password to return to the main menu.
Then head off to Bermuda and bask in the sun while Mason does its learning.
And make sure you have a penguin typing away in your chair so no-one is suspicious.
Once you've let Mason run in the background for a couple of days, are confident that you've gotten all of the traffic types this machine needs to support, have merged all of the rules to baserules, and are confident they are what you want, lock down the firewall.
In /etc/masonrc, change DEFAULTPOLICY to DENY. If you want to keep Mason running to see if any stragglers show up, you'll probably want to change NEWRULEPOLICY to DENY as well; this has the effect of creating rules for new packet types, but they are DENY rules now.
Otherwise, just start the standard firewall with: /etc/rc.d/init.d/firewall start
If you've made the symlink in step 7, the firewall will be started automatically at boot time.