LinuxMonth: Designing Mason [firewall] Rulesets for Multiple Machines
Mar 26, 2000, 16:57
(Other stories by Robert S. Goldstein)
[ Thanks to Baiju Thakkar for this link. ]
"Earlier this month, Mason was introduced to you, giving you the ability to produce a packet filtering firewall. With the help of that article, you were able to begin securing your machine while allowing everyone who uses it to do what they need to do. Now let's see if we can't make it so that you do not have to take as long to do this task on another machine with the same needs, or even one with slightly different needs."
"Examine what you have now. This means taking the baserules file (/var/lib/mason/baserules) that you have already generated and trying to clean it up a little, but first make a copy of this baserules file to another directory (say /root or /tmp). This gives you a backup of the working version before you start, just in case of a mess-up while moving rules around (you would have to copy this baserules file back to /var/lib/mason in that event). You may also find it useful to make a printout of the baserules file from time to time so you can see all of the rules in a hard-copy format which you can mark up."
"Now it is time to start cleaning up the rules. In the baserules file (/var/lib/mason/baserules), start grouping the rules together with their counterparts; for example, group all of the icmp input rules with their respective icmp output rules. Then start grouping the rules by their services/functions, for example all of the rules used for web access (i.e., http, https), telnet (i.e., telnet, auth), and ftp (ftp, ftp-data, auth). By doing this you will make the next task easier for yourself, which is the more challenging part: making the baserules you have for one machine work on another machine."
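The two steps quoted above (back up the working baserules, then regroup the rules by counterpart and by service) can be scripted rather than done by hand. The script below is an added example; it is not from the LinuxMonth article or from the Mason project. It assumes the baserules file holds one ipchains command per rule in the shape of the constructed sample inside the script (Mason's stored format on your version may differ), that the side carrying the 1024:65535 range is the client side so the other port names the service, and that icmp rules are simply kept together as one group. The backup path, the helper names and the sample addresses are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the LinuxMonth article or the Mason project).
# Step 1: copy the working baserules file somewhere safe before editing it.
# Step 2: regroup the rules so that each output rule sits next to its input
# counterpart and rules for the same service (http, dns, ssh, ...) sit together.
#
# Assumption: baserules holds one ipchains command per rule, shaped like the
# constructed sample below. The service port is taken to be whichever side is
# *not* the 1024:65535 client range; icmp rules are kept together as one group.

backup_baserules() {
    # backup_baserules SRC DIR  -> prints the path of the copy
    src=$1
    dir=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dir"
    dest="$dir/baserules.$(date +%Y%m%d-%H%M%S)"
    cp -p "$src" "$dest"
    chmod 600 "$dest"   # the ruleset maps out your network; keep the copy root-only
    echo "$dest"
}

group_rules() {
    # Reads rules on stdin, writes them regrouped on stdout. Comment and blank
    # lines are dropped; each rule keeps its original text.
    awk '
    !/ipchains/ { next }
    {
        chain = ""; proto = "any"; sport = "-"; dport = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "-s" && i + 2 <= NF && $(i + 2) !~ /^-/) sport = $(i + 2)
            else if ($i == "-d" && i + 2 <= NF && $(i + 2) !~ /^-/) dport = $(i + 2)
        }
        # The service port is whichever side is not the ephemeral client range.
        if (sport ~ /:/)            svc = dport
        else if (dport ~ /:/)       svc = sport
        else if (chain == "output") svc = dport
        else                        svc = sport
        if (proto == "icmp" || svc == "-") svc = "0"
        order = (chain == "output") ? 0 : 1   # output rule first, then its input counterpart
        print proto, svc, order, NR, $0       # NR keeps the original order inside a group
    }' | LC_ALL=C sort -k1,1 -k2,2n -k3,3n -k4,4n | cut -d" " -f5-
}

sample_rules() {
    # Constructed sample (made-up addresses), deliberately out of order.
    cat <<'EOF'
# web client: the reply half comes first in this messy file
/sbin/ipchains -A input -i eth0 -p tcp ! -y -s 10.0.0.1 80 -d 192.168.1.5 1024:65535 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p udp -s 192.168.1.5 1024:65535 -d 10.0.0.2 53 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp -s 0/0 1024:65535 -d 192.168.1.5 22 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p icmp -s 192.168.1.5 8 -d 10.0.0.1 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p tcp -s 192.168.1.5 1024:65535 -d 10.0.0.1 80 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p udp -s 10.0.0.2 53 -d 192.168.1.5 1024:65535 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p icmp -s 10.0.0.1 0 -d 192.168.1.5 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p tcp ! -y -s 192.168.1.5 22 -d 0/0 1024:65535 -j ACCEPT
EOF
}

# Usage: sh regroup.sh /var/lib/mason/baserules /root/mason-backup > baserules.grouped
# With no arguments the script runs on the constructed sample so it can be tried offline.
if [ $# -ge 2 ]; then
    backup_baserules "$1" "$2" >&2
    group_rules < "$1"
elif [ $# -eq 0 ]; then
    sample_rules | group_rules
fi
```

On the sample the output comes back as icmp (output, then input), then the tcp rules for port 22 and port 80 as output/input pairs, then the udp 53 pair, which is the layout the article asks you to produce by hand. Review the regrouped file before copying it over /var/lib/mason/baserules; the backup copy is written mode 600 because a directory like /tmp is world-readable and the ruleset describes exactly which hosts and ports you talk to.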