#!/bin/bash
#WARNING - If you are upgrading from a previous version, the uncommented
#lines in your old masonrc have been appended to the end of this file.

#For instructions on how to set the parameters in this file, refer to
#mason.txt that came with this package; try looking in
#/usr/doc/mason-{version}/mason.txt or refer to
#http://www.pobox.com/~wstearns/mason/  You do not have to make any
#changes here unless you want to change the defaults.  The defaults
#are generally used below, but see the documentation for more details.
#Please see mason.txt or http://www.pobox.com/~wstearns/mason/ for
#more information and copyright information.
#	- William Stearns (wstearns@pobox.com)

# Reminder; this file is for system wide defaults.
# If you wish to set something for this
# run only, simply set it on the command line just before calling mason.  For
# example, putting DYNIF="ppp0" in this file has the
# same effect on this execution of the program as running
#	DYNIF="ppp0" mason.
# The fields at the top are the ones you're most likely to need to edit.

# The values in this script can be changed on the fly without
#having to stop and restart Mason; simply make your changes, save the
#file and run "killall -USR1 mason".  Mason will only reread this
#file when it receives this signal.
# To have Mason gracefully exit, run "killall -HUP mason".

# NOTE(review): this file is evaluated as shell (the settings below rely on
# shell expansion such as "${SSP}"), so anyone who can write it can run
# commands with Mason's privileges - presumably root, since Mason drives
# ipchains/ipfwadm.  Keep it owned by root and not group/world writable,
# and review edits to it the way you would review the firewall script.

#-----------------------------------------------------------
# Essential settings - please set these.
#-----------------------------------------------------------

#A quote enclosed, space separated list of interfaces that change
#IP address from time to time.  Leave as "" if all addresses stay constant.
#Default: no dynamic interfaces.
#DYNIF="ppp0"
#DYNIF=""

#What policy should mason use for upcoming rules?
#There is no default for this field.  You must choose one of
#the following.
# NOTE(review): with "accept", each flow Mason observes appears to become an
# accept rule, including any unwanted traffic that happens to arrive while
# it is learning.  Review the generated rules (see NEWRULEFILE below)
# before relying on them, whichever policy you choose here.
#NEWRULEPOLICY="accept"
#NEWRULEPOLICY="reject"
#NEWRULEPOLICY="deny"

#What should the default policy for your firewall be?
#There is no default for this field.  You must choose one of
#the following.
#DEFAULTPOLICY="accept"
#DEFAULTPOLICY="reject"
#DEFAULTPOLICY="deny"

#What should the default policy for your system be when the
#firewall is flushed?
#There is no default for this field.  You must choose one of
#the following.
# NOTE(review): "accept" means the host passes all traffic unfiltered for as
# long as the rules stay flushed; weigh that exposure against the risk of
# locking yourself out with "deny" or "reject".
#FLUSHEDPOLICY="accept"
#FLUSHEDPOLICY="reject"
#FLUSHEDPOLICY="deny"

#-----------------------------------------------------------
# Moderate likelihood you may wish to tune these, probably once.
#-----------------------------------------------------------

#BLOCKEDHOSTS is a list of space separated machines that should not
#be able to communicate _at_ _all_ with this machine or through
#this machine.  I'd reserve this for machines that have
#attacked your machines in the past.  Use space separated
#machine.name/32 or 1.2.3.4/32 or 1.2.3.0/24 or network/netmask format.
#This could also very reasonably be used to block all access to/from
#one of your own machines that is particularly sensitive and
#should only be allowed to communicate with other machines on
#its own subnet.
#_ALL_ communication of any sort is cut off to these machines.  _ALL_.
# NOTE(review): a machine.name entry is only as reliable as the DNS that
# resolves it; if the name moves to a new address the block presumably stays
# on the old one until the rules are rebuilt - TODO confirm.  Numeric
# entries avoid that dependency.
#BLOCKEDHOSTS=""

# "ipchains" = echo ipchains command to STDOUT, "ipfwadm" = echo
# ipfwadm command to STDOUT, "none" = don't echo either.
# Use "cisco" if you want Mason to spit out Cisco IOS access-list rules.
# Autodetected if not set at all.
# This is what you change if you want a different format in the
# output rule file.
#ECHOCOMMAND=""

# What should the IP address be converted to?
# network: the smallest network in the routing table that contains the address.
# host: the hostname or IP address for the machine
# none: leave IP address as is.
# custom: to be implemented.
# dynamic IP's are replaced with ${ifNADDR} solely based on the value of DYNIF
# NOTE(review): "NETWORK" widens a rule from the one address seen to the whole
# containing route; for an address only covered by the default route that
# would be 0.0.0.0/0 - TODO confirm how Mason treats that case before
# enabling it.
#IPCONV="HOST"
#IPCONV="NETWORK"
#IPCONV="NONE"
#IPCONV="CUSTOM"

#For any IP addresses not converted into a network or otherwise
#specially handled, should we leave them as IP addresses ("NONE"),
#convert them to host names if they're in /etc/hosts or in
#/var/lib/mason/namecache ("FILESONLY"), or use those files, then try
#a DNS lookup to get the name ("FULL")?
# NOTE(review): "FULL" sends a DNS query for every new address seen in
# traffic.  The reverse record for a remote address is controlled by whoever
# runs that address space, so a name that ends up in a rule is not evidence
# of who the peer really was.
#HOSTLOOKUP="NONE"
#HOSTLOOKUP="FILESONLY"
#HOSTLOOKUP="FULL"

#DOBEEP="YES": beep at user with new rule, "NO": don't
#DOBEEP="YES"

# "yes" = echo dot to STDERR when processing a repeat line,
# "no" = don't.
#HEARTBEAT="YES"

#IRC_BEGIN=6666
#IRC_END=6671

#The maximum number of X, Openwindows, or VNC consoles supported.  The
#default setting of 6 allows for ports 6000-6005 if any X traffic seen,
#2000-2005 if any openwindows traffic seen, 5800-5805 for any vnc java
#traffic, and 5900-5905 if any vnc traffic seen.
#MAXDISPLAYS=6

#If you only connect to a few (say 1-5) servers with a given protocol,
#add it to the following (SSP=SparseServerProtocols) so that Mason will
#not generalize it to a network.
#If only a few _client_ machines connect to a particular service, place
#the port in SCP (Sparse _Client_ Protocols).
#This feature does not differentiate between servers on your network and
#servers in the real world.
#A given protocol can be in both.  These must be numeric.
#Warning: Do not enable this for a given protocol if you run a server of
#that type on or behind this firewall.  In other words, if you're running
#your own DNS server on this machine or on some machine behind it, do
#_not_ make Domain an SSP - leave it commented.
#DNS, NTP, syslog and the Netbios protocols may use the same port number
#for client and server.  Declaring any of these as SSP's or SCP's will
#probably cause _both_ ends to be specific hosts.
#This can occasionally cause problems if the server in question has
#multiple machines with the same name and different IP addresses -
#ICQ has this problem.
#SSP="${SSP} "
#SSP="${SSP} 25/tcp"	#SMTP
#SSP="${SSP} 43/tcp"	#Whois
#SSP="${SSP} 53/tcp 53/udp"	#DNS/Domain - read note above
#Do NOT put DNS in SSP if you run a DNS server on the firewall or behind it.
#SSP="${SSP} 67/udp"	#BOOTP Server
#SSP="${SSP} 69/udp"	#TFTP Server
#SSP="${SSP} 88/tcp 88/udp"	#Kerberos: should 749:751/tcp and 749:751/udp be here too?
#SSP="${SSP} 110/tcp 143/tcp"	#POP and IMAP Email
#SSP="${SSP} 111/tcp 111/udp 635/tcp 635/udp 2049/tcp 2049/udp"	#NFS: Sunrpc, Mount, and NFS
#SSP="${SSP} 119/tcp"	#NNTP
#SSP="${SSP} 123/tcp 123/udp"	#NTP - read note above
#SSP="${SSP} 137/tcp 137/udp 138/tcp 138/udp 139/tcp"	#Netbios - read note above
#SSP="${SSP} 370/udp 2432/udp 2433/udp"	#Coda: codaauth2 codasrv codasrv-se
#SSP="${SSP} 389/tcp"	#LDAP
#SSP="${SSP} 514/udp"	#syslog
#SSP="${SSP} 515/tcp"	#Printer/LPD
#SSP="${SSP} 2064/tcp"	#RC5DES
#SSP="${SSP} 3128/tcp 3130/udp"	#Squid
#SSP="${SSP} 4000/udp"	#ICQ
#SSP="${SSP} 7100/tcp"	#xfs
#SSP="${SSP} 8765/tcp"	#search.cnn.com's search web server.

#SCP="${SCP} "
#SCP="${SCP} 161/udp 162/udp"	#SNMP
#SCP="${SCP} 98/tcp"	#Linuxconf

#You probably have a number of internal services to which the outside world
#should not connect.  List them here, space separated.  For the moment, these
#_must_ be number/protocol.  Ruleshell will block access to these coming from
#any interface associated with a 0.0.0.0 route.
#You can create your own or simply uncomment any lines you want to block.
#Unlike the other operating parameters, Mason will not provide a default.
#Auth (113/tcp) is one you _might_ want to leave open.
#I've included protocols that generally have some security implication
#if open to the outside world.  You can use some, none, or all, and add
#anything else you don't want the world to see.
#Uncommenting service W below only means that people from the outside
#world can't get to your W servers; you can still make requests out to
#W servers on the Internet.
#DNS, NTP, syslog and the Netbios protocols may use the same port number
#for client and server.  Don't enable these if you want to make outbound
#_client_ requests to these servers.
# NOTE(review): because there is no default, leaving every line below
# commented blocks nothing here; anything not listed falls through to the
# rest of the rule set.  Internal services you forget to list stay
# reachable from the outside unless some other rule covers them.
#NOINCOMING="${NOINCOMING} "	#put your favorites here...
#NOINCOMING="${NOINCOMING} 7/tcp 7/udp"	#Echo
#NOINCOMING="${NOINCOMING} 20/tcp 21/tcp"	#FTP
#NOINCOMING="${NOINCOMING} 22/tcp"	#SSH
#NOINCOMING="${NOINCOMING} 23/tcp"	#Telnet
#NOINCOMING="${NOINCOMING} 25/tcp"	#SMTP
#NOINCOMING="${NOINCOMING} 53/tcp 53/udp"	#DNS
#NOINCOMING="${NOINCOMING} 69/udp"	#TFTP
#NOINCOMING="${NOINCOMING} 79/tcp"	#Finger
#NOINCOMING="${NOINCOMING} 80/tcp"	#Web
#NOINCOMING="${NOINCOMING} 87/tcp"	#link
#NOINCOMING="${NOINCOMING} 98/tcp"	#LinuxConf
#NOINCOMING="${NOINCOMING} 110/tcp 143/tcp"	#Pop & IMAP mail
#NOINCOMING="${NOINCOMING} 111/tcp 111/udp"	#Sunrpc
#NOINCOMING="${NOINCOMING} 113/tcp"	#Auth
#NOINCOMING="${NOINCOMING} 119/tcp"	#NNTP
#NOINCOMING="${NOINCOMING} 123/tcp 123/udp"	#NTP
#NOINCOMING="${NOINCOMING} 137/tcp 137/udp 138/tcp 138/udp 139/tcp"	#Netbios
#NOINCOMING="${NOINCOMING} 161/udp 162/udp"	#SNMP
#NOINCOMING="${NOINCOMING} 443/tcp 563/tcp"	#Secure Web
#NOINCOMING="${NOINCOMING} 512:514/tcp"	#Rexec, Rlogin, Rsh
#NOINCOMING="${NOINCOMING} 514/udp"	#syslog
#NOINCOMING="${NOINCOMING} 515/tcp"	#LPD
#NOINCOMING="${NOINCOMING} 520/udp"	#Route
#NOINCOMING="${NOINCOMING} 540/tcp"	#UUCP
#NOINCOMING="${NOINCOMING} 554/tcp 7070/tcp 7071/tcp"	#RealAudio control ports
#NOINCOMING="${NOINCOMING} 635/tcp 635/udp"	#NFS Mount
#NOINCOMING="${NOINCOMING} 1080/tcp"	#Socks
#NOINCOMING="${NOINCOMING} 2000:2010/tcp 6000:6010/tcp "	#X and Openwindows
#NOINCOMING="${NOINCOMING} 2049/udp 2049/tcp"	#NFS
#NOINCOMING="${NOINCOMING} 3128/tcp 3130/udp"	#Squid web cache
#NOINCOMING="${NOINCOMING} 7100/tcp"	#xfs (X Font server)
#NOINCOMING="${NOINCOMING} 8080/tcp"	#Novell Border Manager/FastCache (thanks to Eric Hart for this port number)
#NOINCOMING="${NOINCOMING} 12345/tcp 12346/tcp"	#Netbus, NT trojan
#NOINCOMING="${NOINCOMING} 31337/udp"	#Back Orifice, NT trojan
#NOINCOMING="${NOINCOMING} 33434:33524/udp"	#traceroute

#If you do not already have EDITOR set in your environment, you
#can set it here.  If it's not set in either place, Mason
#will try to find mcedit, pico, vi, jove, nedit, and emacs in
#your path.
# NOTE(review): the value is executed as a command line, so set it to a
# trusted absolute path (as in the example) rather than relying on PATH,
# and do not let it be supplied from an untrusted environment.
#EDITOR="/usr/bin/mcedit -c "	#I like mine in color :-)

#-----------------------------------------------------------
# Filenames
#-----------------------------------------------------------

#Location of runtime changeable files and configuration.
# NOTE(review): the files under this directory (name cache, service lists,
# net cache, rule files) all feed rule generation, so protect the directory
# and its contents like this file.
#MASONDIR="/var/lib/mason/"

#This is the configuration file mason uses.  It can be changed while
#Mason is running as long as the SIGUSR1 signal is sent to Mason afterwards.
#It's probably not a good idea to change the value of this variable on the fly.
#Setting this here is of dubious value - this is better set as a
#shell environment variable before running mason.
#MASONCONF="/etc/masonrc"

#MASONLIB="${MASONDIR}masonlib"

#NAMECACHE _could_ be /etc/hosts, but this was really intended to be a
#local cache for Mason only.  This really should be in some directory like
#/var/lib/mason.
#NAMECACHE="${MASONDIR}morehosts"

#These files, in /etc/services format, hold additional ports that may
#not be defined in the stock /etc/services.  If you would prefer to
#use just the services in your own /etc/services, uncomment the
#first line.  Your /etc/services entries always take precedence over
#any entries in moreservices.  If you choose not to use the moreservices
#file, make _sure_ your /etc/services has _all_ the protocols you might
#use.  ssh, portmapper, nfs, and nfs mount services are especially
#crucial.  Default is just /etc/services.
#SERVICES="/etc/services"
#SERVICES="/etc/services ${MASONDIR}nmap-services ${MASONDIR}moreservices"

#NETCACHE="${MASONDIR}netconvert"
#BASERULEFILE="${MASONDIR}baserules"
#NEWRULEFILE="${MASONDIR}newrules"
#MASONEXE="/usr/bin/mason"

#Default input file to tail (To be implemented)
#PACKETLOGFILE="/var/log/messages"

#-----------------------------------------------------------
# Low likelihood you'll need to change these
#-----------------------------------------------------------

# "ipchains" = actually run the ipchains command, "ipfwadm" = actually
# run the ipfwadm command, "none" = don't run either.  "none" is useful if you're
# not running Mason as root or are running Mason on some machine other
# than the actual operating firewall.  User can override either by simply
# setting the environment variable ahead of time.
# Autodetected if not set.
#DOCOMMAND=""

#What policy should we use for logging?  If not set, defaults
#to the value of NEWRULEPOLICY
#LOGGINGPOLICY="accept"
#LOGGINGPOLICY="reject"
#LOGGINGPOLICY="deny"

#Because of limitations on the length of rule names, NOLOGSUFFIX cannot
#be longer than 1 character.
#If you change this, change it in ruleshell too.
#NOLOGSUFFIX="N"

# "YES" to debug, anything else = don't
#DEBUG="NO"

#Future: allow non-verbose operation?
#VERBOSE=YES

#PORT_MASQ_BEGIN=61000
#PORT_MASQ_END=65096

#TRACEROUTE_BEGIN=33434
#TRACEROUTE_END=33524	#Fine for up to 30 routers, 3 packets each, the default for traceroute.

#When ssh(d?) is run as root, the client port starts off at 1023 and
#works its way down to (512?).  Mason handles this falling range
#correctly, but this allows you to predeclare that you want to handle
#up to 1024-LOWSSHPORT connections simultaneously.
#LOWSSHPORT=1010

#Interfaces on which packets from untrusted systems can come _in_,
#usually identical to the interfaces with a default route.  (That's
#how this is automatically set if you don't set it explicitly.)
#If you use diald, explicitly set this with _only_ the ppp
#interface(s); packets never _arrive_ on the slx interface(s).
#You should only have to set this by hand if you use something
#like diald, a cable modem, or a satellite link where you use
#different interfaces for outgoing and incoming packets.
#INCOMINGINTERFACES=""
#INCOMINGINTERFACES="ppp0"	#Single interface diald

#-----------------------------------------------------------
# To be implemented
#-----------------------------------------------------------

#LOGBLOCKEDHOSTS="YES"	#Maybe?

#POISONPROTOCOLS=""	#treat these as blockedhost machines from now on and append
#to masonrc as BLOCKEDHOSTS... :-)  Hmmm....

#Default output file (To be implemented)	#FIXME

#Copyleft:
#   Mason interactively creates a Linux packet filtering firewall.
#   Copyright (C) 1998, 2004 William Stearns
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
#   The author can also be reached at:
#   William Stearns
#email:	wstearns@pobox.com (preferred)
#web:	http://www.pobox.com/~wstearns
#snail:	544 Winchester Place
#	Colchester VT, 05446