
Mason 0.12.0, the free automated firewall builder

Apr 03, 1999, 11:50

William Stearns writes:

Good day, all,

This will just be a short announcement of a free/GPL tool that may be of interest to anyone using or considering the use of Linux machines as firewalls.

Mason is a tool that helps create a custom Linux packet filtering firewall. One starts up Mason on the machine(s) that need to do packet filtering, then does all the normal things that this network needs to allow or deny. Mason creates ipchains/ipfwadm rules that can be used in a finished firewall. It includes support files to provide a rudimentary menu for building and a shell that implements the current firewall in SysV boot scripts used in most Linux distributions.

Mason is not for the user that wants a prebuilt firewall that installs without effort. A number of those are available on the Internet already. Mason is perfect for:

  • Someone trying to build a "default deny" firewall. *1
  • Someone that wants very tight control over exactly which protocols are allowed in/out/through a machine.
  • Someone with a partial firewall that is having trouble coming up with the right rules for a few tricky protocols.
  • Machines that don't match the design of the prebuilt firewalls.
  • Implementing firewalls on routers _and_ individual workstations or servers - machines that have typically lacked their own individual firewalls in the past.

*1 Also works well for "default allow"; during the training phase, you teach Mason about all the protocols you want to _block_. Or teach Mason about both protocols to allow _and_ protocols to block.

Features support for:

  • ipfwadm and ipchains systems *2 (2.0.x-2.2.x kernels)
  • preliminary support for Cisco access-list output *2
  • ip, tcp, udp, icmp; support for gre/ipip tunneling in testing
  • automatic generalization of client and server port ranges *2
  • automatic generalization of client and server IPs to match your routing table *2
  • ability to customize which protocols have their client and server IPs generalized *2
  • networks where packets go out on one interface and responses come back on another
  • any network device supported by Linux
  • interfaces with dynamic IP addresses *2
  • blocking all access to/from certain IPs or networks *2
  • blocking all incoming access to certain protocols *2
  • automatic setting of the TOS flag
  • automatic setting of the ACK (Cisco: established) flag for all TCP protocols except ftp data and high port-high port connections
  • runs on any Linux architecture
  • tars and PGP-signed RPMs available, Debian packages coming soon
  • written as bash shell scripts

Automatic recognition of the quirks in the following protocols: ssh, nfs/sunrpc/mount (needs more testing), ftp, X, openwindows, vnc, irc, traceroute, ip masquerading, realaudio, dns, syslog, netbios, ntp, coda. Automatically handles the standard protocols such as http, smtp, nntp, pop2/3, imap, https, telnet, etc.

*2 Customizable by a configuration file.

Runs on any Linux distribution, any hardware architecture. It does require the following built into the Linux kernel: firewalling, IP firewalling, firewall packet logging. Most current distributions have these by default. As with all Linux firewalls, the "always defragment" option is strongly recommended.

The installation process does assume a SysV layout; Slackware users may have to install the program files manually.

The user interface is intentionally basic; I'm hoping someone will step in and provide an ncurses or graphical interface. It is, however, quite functional.

While Mason has basic support for the sunrpc, mount, and nfs ports, these are hardwired in. At some point I'll have to poll the sunrpc port in a specified list of machines to provide more flexible support for sunrpc services.

For all the features listed above, Mason does its work with almost no user effort. One just needs to leave it learning for a while while you run your standard programs. Once the firewall is completed, you may even wish to leave Mason running after telling it to make all new rules DENY or REJECT rules; the new rules Mason gives out will tell you where someone might be trying to break in, or where a legitimate user might be using a new protocol. You have the final say on the rules Mason provides; at any point you can edit the rule files and delete or modify anything with which you disagree.

This is not a polished release; there are still some rough points. Because of the large number of features recently added, the documentation is lagging behind the code. Feedback, suggestions, bug reports and patches are welcome; please email them to wstearns@pobox.com.

Mason is provided under the GNU General Public License, and is therefore provided at no cost. The entire package, with the exception of the included nmap-services file, is Copyright (c) 1998-1999 by William Stearns (wstearns@pobox.com).

The permanent URL for the software is http://www.pobox.com/~wstearns/mason/. The RPM can also be downloaded from ftp://contrib.redhat.com/noarch/noarch/

- Bill
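The following is an added illustration (not Mason's own code) of the learning approach the announcement describes: observed flows are read from kernel firewall log lines, the client side is widened to a port range and to the matching route, the server side is kept exact, and TCP replies are restricted to non-SYN packets. The log line format and the routing table are constructed assumptions for this example, and the DENY target mirrors the post's advice for a finished firewall.

```python
import ipaddress
import re

# Constructed sample lines in the style of a 2.2-kernel ipchains packet log
# (the exact field layout is an assumption for this illustration).
SAMPLE_LOG = """\
Packet log: input ACCEPT eth0 PROTO=6 192.168.1.5:1034 192.168.1.1:22 L=60 S=0x00 I=1 F=0x4000 T=64 SYN
Packet log: input ACCEPT eth0 PROTO=6 192.168.1.7:2050 192.168.1.1:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN
Packet log: input ACCEPT eth0 PROTO=17 192.168.1.5:1040 192.168.1.1:53 L=70 S=0x00 I=3 F=0x0000 T=64
Packet log: input ACCEPT eth1 PROTO=6 10.9.8.7:4567 192.168.1.1:23 L=60 S=0x00 I=4 F=0x4000 T=64 SYN
"""
# Constructed routing table: client addresses are widened to the matching route.
ROUTES = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("0.0.0.0/0")]
LOG_RE = re.compile(r"Packet log: (\w+) \w+ (\S+) PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def generalize_client_port(port):
    """Unprivileged client ports are widened to the whole high range."""
    return "1024:65535" if port > 1023 else str(port)

def generalize_client_ip(ip, routes):
    """Widen a client address to the most specific route covering it."""
    addr = ipaddress.ip_address(ip)
    return str(max((r for r in routes if addr in r), key=lambda r: r.prefixlen))

def build_rules(log_text, routes, target="ACCEPT"):
    """Turn observed flows into deduplicated ipchains rules; target="DENY"
    is the 'keep learning after the firewall is done' mode from the post."""
    rules = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        chain, iface, proto, src, sport, dst, dport = m.groups()
        name = PROTO_NAMES.get(int(proto), proto)
        src_net = generalize_client_ip(src, routes)
        sports = generalize_client_port(int(sport))
        # Server side is kept exact: the host and the service port stay as seen.
        rule = (f"ipchains -A {chain} -i {iface} -p {name} -s {src_net} {sports} "
                f"-d {dst}/32 {dport} -j {target}")
        if rule not in rules:
            rules.append(rule)
        # TCP replies only need non-SYN packets (the "ACK flag" rule in the post).
        if name == "tcp":
            reply = (f"ipchains -A output -i {iface} -p tcp ! -y -s {dst}/32 {dport} "
                     f"-d {src_net} {sports} -j {target}")
            if reply not in rules:
                rules.append(reply)
    return rules
```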