Copyright (c) 1998, 2004 William Stearns

Mason Quickstart

This document is designed to help people who are unfamiliar with Mason build a firewall using it. A novice user should be able to build a basic firewall using these instructions in 20 minutes.

1. Install the Mason package

Download the latest version to /usr/src, then:

    cd /usr/src
    tar -xzvf mason...tar.gz
    cd mason...
    make install

2. Prepare /etc/services - probably mostly done!

Mason depends on a few setup details to be able to provide a firewall that works in the way you intended. Make sure that /etc/services includes the server port names for all services you intend to work with, whether those services are running on the firewall machine or on some other machine. For example, if you intend to use ssh to connect to another system, make sure that the line

    ssh 22/tcp

is in /etc/services. Entries that might be missing include:

    ftp-data 20/tcp
    ssh 22/tcp #Secure shell
    linuxconf 98/tcp
    squid 3128/tcp #Squid proxy cache requests
    icp 3130/udp #Inter Cache Protocol, used in squid

It is not necessary to include entries for services that you don't use. Also, do _not_ place entries for _client_ ports in this file; Mason assumes anything referenced in this file is a server port. For example, even though one of the client ports used for ssh is 1022/tcp, you would _not_ place this in /etc/services. Doing so would cause Mason to provide incorrect rules.

3. Prepare the routing table and interfaces - probably already done!

Mason assumes that the routing table and interfaces are set up to match the way the final firewall will run. If you're running this on the actual firewall machine and all the interfaces and networks have been configured, proceed to the next step. Otherwise, you'll need to put in IP addresses and networks to match the way the final machine will be configured.
If you have any IP addresses that are not live, simply create fake ones with commands like these:

    /sbin/ifconfig eth0:1 172.16.0.1 up      #Mason only cares about the IP address.
    /sbin/ifconfig eth0:2 172.18.12.94 up

Similarly, fake networks can be simulated with:

    /sbin/route add -net 172.17.0.0 netmask 255.255.0.0 dev lo      #Mason only cares about the network and netmask.

You only need to add fake IPs or networks if they are not already present.

4. Check the configuration file

The configuration choices in /etc/masonrc are ordered so that the fields you'll most likely need to edit are at the top and the really obscure ones are at the bottom.

5. Place any known rules in /var/lib/mason/baserules

If you already know some rules you'll need, put them in this file. For example, if you know you'll need to masquerade all traffic from the 172.16.0.0/255.255.0.0 network, a sample rule for this is already in baserules. If you don't know of any, no problem.

6. Run mason-gui-text

This (admittedly rudimentary) interface helps you build the firewall. Choose "BL" (begin learning) and watch mason start to spit out the firewall rules that perfectly match your system's network traffic. The new rules mason provides are put in the "newrules" file. From time to time you should choose to edit this file ("EN" from the main menu). Delete any rules you don't like (or change their policy to deny or reject). Once you're happy with a given rule, add a tag to the end that indicates you're happy with it (I happen to use my initials+OK: "WLSOK"). Once you have saved that file and exited your editor, you can Merge the Rules ("MR" from the main menu) to the baserules file. Baserules is reserved for rules that you are _sure_ are correct; only these rules get loaded at boot time if you've enabled the firewall (run "ntsysv" in RedHat; for other distributions, make the appropriate symlink from /etc/rc.d/init.d/firewall to /etc/rc.d/rc3.d/S92firewall).
If you need to step away from the firewall for a minute, choose "LC" (lock console) from the main menu. Mason will keep on learning and you'll still see the new rules, but that console will be locked. You'll need to enter the root password to continue learning.

7. Clean up

If you added any new interfaces or networks just to run Mason, they can be removed with commands like the following:

    /sbin/ifconfig eth0:1 172.16.0.1 down
    /sbin/ifconfig eth0:2 172.18.12.94 down
    /sbin/route del -net 172.17.0.0 netmask 255.255.0.0
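A small check for step 2, added here as an example and not part of Mason or this document: it reads an /etc/services-style file and prints which of the five entries listed above are still missing, so you know exactly what to append before starting Mason. The list of entries, the function names and the constructed sample file are this example's own assumptions; it matches on the port/proto column, so the same port under a different name still counts as present.

```shell
#!/bin/sh
# Added example, not part of Mason: list the server entries from the
# Quickstart's step 2 that an /etc/services-style file does not define.
# Assumes the usual "name port/proto [aliases] [# comment]" layout.

# Entries the Quickstart names as commonly missing (one per line).
MASON_NEEDED='ftp-data 20/tcp
ssh 22/tcp
linuxconf 98/tcp
squid 3128/tcp
icp 3130/udp'

# check_services FILE: print "name port/proto" for every needed entry
# whose port/proto is absent from FILE. Matching is on the port/proto
# column, so the same port under another name still counts as present;
# comments and aliases in FILE are ignored.
check_services() {
    services_file="$1"
    printf '%s\n' "$MASON_NEEDED" | while read -r name portproto; do
        if ! awk -v pp="$portproto" '
                { sub(/#.*/, "") }                 # drop trailing comments
                NF >= 2 && $2 == pp { found = 1 }  # field 2 is port/proto
                END { exit found ? 0 : 1 }' "$services_file"; then
            printf '%s %s\n' "$name" "$portproto"
        fi
    done
}

# Demo on a constructed sample file (not a real /etc/services).
demo() {
    sample=$(mktemp) || exit 1
    printf 'ftp-data 20/tcp\nssh 22/tcp #Secure shell\nsquid 3128/tcp\n' > "$sample"
    echo "Entries to append to /etc/services (constructed sample):"
    check_services "$sample"     # prints linuxconf 98/tcp and icp 3130/udp
    rm -f "$sample"
}

if [ $# -gt 0 ]; then
    check_services "$1"     # e.g. ./check_services.sh /etc/services
else
    demo
fi
```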