William Stearns writes:
Good day, all,
This will just be a short announcement of a free/GPL tool that
may be of interest to anyone using or considering the use of Linux
machines as firewalls.
Mason is a tool that helps create a custom Linux packet
filtering firewall. One starts up Mason on the machine(s) that need
to do packet filtering, then does all the normal things that this
network needs to allow or deny. Mason creates ipchains/ipfwadm
rules that can be used in a finished firewall. It includes support
files to provide a rudimentary menu for building and a shell that
implements the current firewall in SysV boot scripts used in most
Linux distributions.
Mason is not for the user that wants a prebuilt firewall that
installs without effort. A number of those are available on the
Internet already. Mason is perfect for:
- Someone trying to build a “default deny” firewall. *1
- Someone that wants very tight control over exactly which
protocols are allowed in/out/through a machine.
- Someone with a partial firewall that is having trouble coming
up with the right rules for a few tricky protocols.
- Machines that don’t match the design of the prebuilt
firewalls.
- Implementing firewalls on routers _and_ individual workstations
or servers – machines that have typically lacked their own
individual firewalls in the past.
*1 Also works well for “default allow”; during the training
phase, you teach Mason about all the protocols you want to _block_.
Or teach Mason about both protocols to allow _and_ protocols to
block.
Features support for:
Ipfwadm and ipchains systems *2 (2.0.x-2.2.x kernels), preliminary
support for Cisco access-list output *2, ip, tcp, udp, icmp,
support for gre/ipip tunneling in testing, automatic generalization
of client and server port ranges *2, automatic generalization of
client and server IP’s to match your routing table *2, ability to
customize which protocols have their client and server ip’s
generalized *2, networks where packets go out on one interface and
responses come back on another, any network device supported by
Linux, interfaces with dynamic IP addresses *2, blocking all access
to/from certain IP’s or networks *2, blocking all incoming access
to certain protocols *2, automatic setting of TOS flag, automatic
setting of the ACK (Cisco: established) flag for all TCP protocols
except ftp data and high port-high port connections, runs on any
Linux architecture, tars and pgp signed rpms available, debian
packages coming soon, written as bash shell scripts.
Automatic recognition of the quirks in the following protocols:
ssh, nfs/sunrpc/mount (needs more testing), ftp, X, openwindows,
vnc, irc, traceroute, ip masquerading, realaudio, dns, syslog,
netbios, ntp, coda. Automatically handles the standard protocols
such as http, smtp, nntp, pop2/3, imap, https, telnet, etc.
*2 Customizable by a configuration file.
Requirements:
Runs on any Linux distribution, any hardware architecture. It does
require the following built into the Linux kernel: firewalling, IP
firewalling, firewall packet logging. Most current distributions
have these by default. As with all Linux firewalls, the “always
defragment” option is strongly recommended.
The installation process does assume a SysV layout; Slackware
users may have to install the program files manually.
Limitations:
The user interface is intentionally basic; I’m hoping someone will
step in and provide an ncurses or graphical interface. It is,
however, quite functional.
While Mason has basic support for the sunrpc, mount, and nfs
ports, these are hardwired in. At some point I’ll have to poll the
sunrpc port in a specified list of machines to provide more
flexible support for sunrpc services.
Closing:
For all the features listed above, Mason does its work with almost
no user effort. One just needs to leave it learning for a while
while you run your standard programs. Once the firewall is
completed, you may even wish to leave Mason running after telling
it to make all new rules DENY or REJECT rules; the new rules Mason
gives out will tell you where someone might be trying to break in,
or where a legitimate user might be using a new protocol. You have
the final say on the rules Mason provides; at any point you can
edit the rule files and delete or modify anything with which you
disagree.
This is not a polished release; there are still some rough
points. Because of the large number of features recently added, the
documentation is lagging behind the code. Feedback, suggestions,
bug reports and patches are welcome; please email them to
wstearns@pobox.com .
Mason is provided under the GNU General Public License, and is
therefore provided at no cost. The entire package, with the
exception of the included nmap-services file, is Copyright (c)
1998-1999 by William Stearns (wstearns@pobox.com).
The permanent URL for the software is http://www.pobox.com/~wstearns/mason/.
The RPM can also be downloaded from ftp://contrib.redhat.com/noarch/noarch/
Cheers,
– Bill
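A sketch of the learning approach the announcement describes, as an added example that is not Mason's own code: constructed ipchains packet-log lines are turned into generalized ACCEPT rule pairs laid over a default-deny policy. The log format, the "first packet opens a flow" heuristic and the rule for when the reply side gets `! -y` are this example's assumptions, not taken from Mason.

```python
import re
# Constructed ipchains packet-log lines in the kernel's logging format (sample values, not real traffic).
SAMPLE_LOG = """\
Packet log: output DENY eth0 PROTO=6 192.168.1.5:1034 10.0.0.1:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#2)
Packet log: input DENY eth0 PROTO=6 10.0.0.1:80 192.168.1.5:1034 L=52 S=0x00 I=2 F=0x4000 T=64 (#1)
Packet log: output DENY eth0 PROTO=6 192.168.1.5:1035 10.0.0.1:80 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#2)
Packet log: output DENY eth0 PROTO=17 192.168.1.5:1036 10.0.0.53:53 L=60 S=0x00 I=4 F=0x0000 T=64 (#2)
Packet log: input DENY eth0 PROTO=6 10.0.0.7:20 192.168.1.5:1040 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#1)
"""
LOG_RE = re.compile(r"Packet log: (?P<chain>input|output) \w+ (?P<iface>\w+) PROTO=(?P<proto>\d+) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ")
PROTO_NAMES = {6: "tcp", 17: "udp"}
REVERSE = {"input": "output", "output": "input"}

def generalize(port):
    # Collapse any ephemeral port into the whole high range so one rule covers them all.
    return "1024:65535" if port >= 1024 else str(port)

def learn_flows(log_text):
    # Distinct flow openers (a TCP SYN or a UDP datagram); reply packets and repeats are dropped.
    flows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        proto = PROTO_NAMES.get(int(m["proto"])) if m else None
        if proto is None or (proto == "tcp" and "SYN" not in line):
            continue
        flow = (m["chain"], m["iface"], proto, m["src"], generalize(int(m["sport"])),
                m["dst"], generalize(int(m["dport"])))
        if flow not in flows:
            flows.append(flow)
    return flows

def rules_for(flow):
    # Forward ACCEPT rule plus the reply rule. TCP replies are limited to non-SYN packets
    # ("! -y", the ipchains "established" idiom) except ftp-data (port 20) and high-to-high flows.
    chain, iface, proto, src, sport, dst, dport = flow
    established = "! -y " if (proto == "tcp" and "20" not in (sport, dport)
                               and not sport == dport == "1024:65535") else ""
    fwd = f"ipchains -A {chain} -i {iface} -p {proto} -s {src} {sport} -d {dst} {dport} -j ACCEPT"
    rev = (f"ipchains -A {REVERSE[chain]} -i {iface} -p {proto} {established}"
           f"-s {dst} {dport} -d {src} {sport} -j ACCEPT")
    return [fwd, rev]

def build_ruleset(log_text):
    # Default-deny policies first, then one learned rule pair per flow.
    rules = ["ipchains -P input DENY", "ipchains -P output DENY"]
    for flow in learn_flows(log_text):
        rules.extend(rules_for(flow))
    return rules
```

Running `build_ruleset(SAMPLE_LOG)` folds the two web connections into one rule pair, keeps the DNS and ftp-data flows separate, and leaves everything else to the DENY policies.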