- DONE! break up port range from 1024:65535 to masq/non-masq ports (if masq enabled?)
- DONE! use ipcalc.pl to generalize IP to a routed network (but not netblock on default route), and not a point-to-point link (slx/pppx/plipx)
- DONE! warn if DOCOMMAND incompatible with capabilities of running kernel
- DONE! Don't do processing if non-timestamp parameters equal to previous values.
- DONE! syslog is one way, syslog port to syslog port.
- DONE! do not generalize IP to 0/0 if both source and dest ports are 1024:65535
- DONE! grab additional local IP's (only?) from route -n grep BC and weed out dups
- DONE! caches in /var/...?
- DONE! ssh source port; 1000:1023, then 975:999, 950:974, etc.
- DONE! staticrules env var for ports to block from outside world for all incoming requests. include 2049/tcp,udp, 3128/tcp, 3130/udp, X, xfs.
- DONE! add offending port numbers to comment on high-high connections
- DONE! no masq port ranges in comment1
- DONE! don't put in tcp ack if both source and dest are servers.
- DONE! env var to choose what name lookup level
- DONE! reload DYN addresses on SIGUSR1.
- DONE! set TOS where appropriate
- DONE! break up ruleshell into runwall and runmason
- DONE! both source staticrules, which has ability to set lots of defaults
- DONE! get flushing to remove logging rulesets if appropriate.
- DONE! add nfs and friends to SSP and SCP lists
- DONE! syslog as an SSP
- DONE! trap Ctrl-C on gui-text, run killall -9 tail
- explain in documentation to use 0:1023 for "to all servers" range. (credit to Dave Stern)
- set up documentation for "nolog" chain. Check for existence at top of mason, create if not there, use for ipchains runcommand.
- parameter to set ip->0/0 if no match with /tmp/morehosts or IP ranges
- suggest that users make syslog asynchronous to reduce load
- remind people to set all SERVER ports in /etc/services; no client ports.
- 2401/tcp = cvs?
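The "generalize IP to a routed network" item, the "no netblock on default route / point-to-point link" exceptions, and the "do not generalize to 0/0 if both ports are 1024:65535" rule are worked through below as an added Python example. It is not Mason's code (Mason drives ipcalc.pl from shell); the `route -n` table is constructed, and the interface-name prefixes used to detect point-to-point links (sl, ppp, plip) are taken from the item above.

```python
import ipaddress

# Constructed sample of `route -n` output; not captured from a real host.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
192.0.2.0       0.0.0.0         255.255.255.252 U     0      0        0 plip0
203.0.113.5     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
0.0.0.0         203.0.113.5     0.0.0.0         UG    0      0        0 ppp0
"""

# Interface name prefixes the TODO treats as point-to-point links (slx/pppx/plipx).
P2P_PREFIXES = ("sl", "ppp", "plip")


def parse_routes(text):
    """Turn `route -n` output into a list of {net, flags, iface} dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner line or column header
        dest, mask, flags, iface = parts[0], parts[2], parts[3], parts[7]
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append({"net": net, "flags": flags, "iface": iface})
    return routes


def generalize(ip, routes, fallback_to_any=False):
    """Return the address to write into a rule for `ip`.

    - longest matching non-default route  -> that route's network
    - best match is a point-to-point link -> keep the single host (/32)
    - no matching route at all            -> host, or 0/0 if the caller allows it
    """
    addr = ipaddress.IPv4Address(ip)
    best = None
    for r in routes:
        if r["net"].prefixlen == 0:
            continue  # default route: never widen an address to its netblock
        if addr in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    if best is None:
        return "0/0" if fallback_to_any else f"{addr}/32"
    if best["iface"].startswith(P2P_PREFIXES):
        return f"{addr}/32"
    return str(best["net"])


def rule_address(ip, sport, dport, routes, fallback_to_any=False):
    """Apply the high-high exception from the TODO: never fall back to 0/0
    when both source and destination ports are in 1024:65535."""
    both_high = sport >= 1024 and dport >= 1024
    return generalize(ip, routes, fallback_to_any and not both_high)


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_N)
    for host in ("192.168.1.77", "10.20.30.40", "192.0.2.2", "203.0.113.5", "198.51.100.9"):
        print(host, "->", generalize(host, table), "| any allowed:", generalize(host, table, True))
```

Longest-prefix match is used so that a host route on a dial-up link wins over a wider LAN route; the point-to-point check then stops a /30 on plip0 from being written into a rule as a netblock.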
- button pushing gui to change values in /etc/masonrc
- host->name is a separate button from host -> network and is a fallback
- upgrade nfs-server beta 16 to 37; 16 used different ports.
- contact portmapper for rpc ports.
- gui allows user to add comment line for most recent protocol
- for dns port, if ip is listed as "nameserver X" in /etc/resolv.conf, put in rule to host, not net.
  ...maaaasonnnn eeeeessssss eeeeevillll...uuuuse emmm-esss-proxxxxxeeeeee....
- in docs: NO PORT SCANNING WHILE MASON IS RUNNING!
- 0/0 -> 0/0 packets.... huh? Have option to put these in or not.
- option to allow standard high port to high port. Sob.
- make sure all host<->ip's make it into host cache
- only allow incoming DNS from high ports or port 53?
- if an xterm, spit out title bar for Mason-gui-text
- Have icmp echo request as one of the NOINCOMING?
- carry along ipcalc/libc5, install if missing.
- for syslog machines: have env var to grep: grep '^[^ ]* [^ ]* [^ ]* tomcat '
- handle destination address (only) of 224.x.x.x as /32
- force deny rule for source address of 224.x.x.x?

Cisco:
- DONE! in Cisco output, replace: ppp -> S, eth -> E, tr -> To .
- in Cisco output, replace: 0/0 -> any (equivalent to 0.0.0.0 255.255.255.255).
- Cisco is default deny if access list exists.
- Cisco prep:
    no ip access-group DIRLETTERifname
    no access-list DIRLETTERifname
    ip access-list extended DIRLETTERifname
    (Can I create a blank one this way and add rules later? Otherwise, start new rules with permit or deny.)
    exit
    interface Ethernet 0
    ip access-group DIRLETTERifname in|out (out is default)
    exit
- DONE! drop lo and forwarding packets for Cisco, I think.
- remind user for Cisco to use 100-199 if replacing names with numbers
- port in Cisco is _destination_ port
- replace ip 0.0.0.0 with host ip .
- protocol - uppercase?
- lt gt eq neq a port number
- check that literally the word "log" is used at the end of IOS rules.

TOS: http://www.cis.ohio-state.edu/htbin/rfc/rfc1349.html, esp. Appendix 2.
- 3 high order bits are precedence, next 4 are TOS, last is MBZ (=0)
- 1000 minimize delay
- 0100 maximize throughput
- 0010 maximize reliability
- 0001 minimize monetary cost
- 0000 normal service
- ICMP 3,4,5,11,12 => 0000, rest as needed
- sending and receiving TOS do not need to be equal (ex: max throughput on bulk, minimize delay on responding ACK's)
- I think it only makes sense to set TOS on outgoing packets.
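The TOS bit layout and the five RFC 1349 values above, plus the "ICMP 3,4,5,11,12 => 0000" rule, as an added Python example (not Mason's code). It packs and unpacks the TOS octet, rejects octets with the MBZ bit set or an undefined TOS nibble, and derives the ipchains `-t andmask xormask` pair for a named service type; the `-t` form with andmask 0x01 follows the ipchains HOWTO table as I remember it and is an assumption here, not something stated on this page.

```python
# RFC 1349 TOS octet, MSB first: PPP TTTT M  (P = precedence, T = TOS, M = MBZ).
TOS_VALUES = {
    "normal":         0b0000,
    "mindelay":       0b1000,
    "maxthroughput":  0b0100,
    "maxreliability": 0b0010,
    "mincost":        0b0001,
}

# ICMP error types that must always go out with TOS 0000 (from the TODO above).
ICMP_ZERO_TOS_TYPES = {3, 4, 5, 11, 12}


def encode_tos(precedence, tos_name):
    """Build the TOS octet from a 3-bit precedence and a named TOS value."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit field")
    return (precedence << 5) | (TOS_VALUES[tos_name] << 1)


def decode_tos(octet):
    """Split the octet into its three fields; MBZ is the low-order bit."""
    return {"precedence": octet >> 5, "tos": (octet >> 1) & 0xF, "mbz": octet & 1}


def is_valid_tos(octet):
    """Valid means MBZ is zero and the TOS nibble is one of the five defined values
    (RFC 1349 defines no combinations of the four TOS bits)."""
    fields = decode_tos(octet)
    return fields["mbz"] == 0 and fields["tos"] in TOS_VALUES.values()


def tos_for_icmp(icmp_type, wanted):
    """Force the error-message types to normal service; others keep the wanted TOS."""
    return "normal" if icmp_type in ICMP_ZERO_TOS_TYPES else wanted


def ipchains_tos_args(tos_name):
    """ipchains -t ANDMASK XORMASK (assumed HOWTO form): AND with 0x01 keeps only
    the MBZ bit and clears precedence and TOS, then XOR sets the wanted TOS bit."""
    return ("0x01", "0x%02x" % (TOS_VALUES[tos_name] << 1))


if __name__ == "__main__":
    for name in TOS_VALUES:
        octet = encode_tos(0, name)
        print("%-15s octet=0x%02x -t %s %s" % ((name, octet) + ipchains_tos_args(name)))
    print("ICMP type 3 with mindelay requested ->", tos_for_icmp(3, "mindelay"))
```

The asymmetry noted above (bulk data one way, ACKs the other) just means the two directions of one connection get two different `encode_tos` calls; the validity check is the one to run on a TOS value read from a config file before it reaches a rule.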