Kevin Chu (kevin@portal.ca)
Fri, 02 Apr 1999 23:09:06 -0800
This came over the Red Hat announce list. Thought the readership here
might find it interesting.
Kevin
William Stearns wrote:
> Good day, all,
> This will just be a short announcement of a free/GPL tool that may
> be of interest to anyone using or considering the use of Linux machines as
> firewalls.
>
> Mason is a tool that helps create a custom Linux packet filtering
> firewall. One starts up Mason on the machine(s) that need to do packet
> filtering, then does all the normal things that this network needs to
> allow or deny. Mason creates ipchains/ipfwadm rules that can be used in a
> finished firewall. It includes support files to provide a rudimentary
> menu for building and a shell that implements the current firewall in SysV
> boot scripts used in most Linux distributions.
> Mason is not for the user that wants a prebuilt firewall that
> installs without effort. A number of those are available on the Internet
> already. Mason is perfect for:
> - Someone trying to build a "default deny" firewall. *1
> - Someone that wants very tight control over exactly which
> protocols are allowed in/out/through a machine.
> - Someone with a partial firewall that is having trouble coming up
> with the right rules for a few tricky protocols.
> - Machines that don't match the design of the prebuilt firewalls.
> - Implementing firewalls on routers _and_ individual workstations or
> servers
> - machines that have typically lacked their own individual
> firewalls in the past.
>
> *1 Also works well for "default allow"; during the training phase, you
> teach Mason about all the protocols you want to _block_. Or teach Mason
> about both protocols to allow _and_ protocols to block.
>
> Features support for:
> Ipfwadm and ipchains systems *2 (2.0.x-2.2.x kernels), preliminary
> support for Cisco access-list output *2, ip, tcp, udp, icmp, support for
> gre/ipip tunneling in testing, automatic generalization of client and
> server port ranges *2, automatic generalization of client and server IP's
> to match your routing table *2, ability to customize which protocols have
> their client and server ip's generalized *2, networks where packets go out
> on one interface and responses come back on another, any network device
> supported by Linux, interfaces with dynamic IP addresses *2, blocking all
> access to/from certain IP's or networks *2, blocking all incoming access to
> certain protocols *2, automatic setting of TOS flag, automatic setting of
> the ACK (Cisco: established) flag for all TCP protocols except ftp data
> and high port-high port connections, runs on any Linux architecture, tars
> and pgp signed rpms available, debian packages coming soon, written as
> bash shell scripts.
> Automatic recognition of the quirks in the following protocols:
> ssh, nfs/sunrpc/mount (needs more testing), ftp, X, openwindows, vnc, irc,
> traceroute, ip masquerading, realaudio, dns, syslog, netbios, ntp, coda.
> Automatically handles the standard protocols such as http, smtp, nntp,
> pop2/3, imap, https, telnet, etc.
>
> *2 Customizable by a configuration file.
>
> Requirements:
> Runs on any Linux distribution, any hardware architecture. It
> does require the following built into the Linux kernel: firewalling,
> IP firewalling, firewall packet logging. Most current distributions have
> these by default. As with all Linux firewalls, the "always defragment"
> option is strongly recommended.
> The installation process does assume a SysV layout; Slackware
> users may have to install the program files manually.
>
> Limitations:
> The user interface is intentionally basic; I'm hoping someone will
> step in and provide an ncurses or graphical interface. It is, however,
> quite functional.
> While Mason has basic support for the sunrpc, mount, and nfs
> ports, these are hardwired in. At some point I'll have to poll the sunrpc
> port in a specified list of machines to provide more flexible support for
> sunrpc services.
>
> Closing:
> For all the features listed above, Mason does its work with almost
> no user effort. One just needs to leave it learning for a while while you
> run your standard programs. Once the firewall is completed, you may even
> wish to leave Mason running after telling it to make all new rules DENY or
> REJECT rules; the new rules Mason gives out will tell you where someone
> might be trying to break in, or where a legitimate user might be using a
> new protocol. You have the final say on the rules Mason provides; at any
> point you can edit the rule files and delete or modify anything with which
> you disagree.
> This is not a polished release; there are still some rough points.
> Because of the large number of features recently added, the documentation
> is lagging behind the code. Feedback, suggestions, bug reports and
> patches are welcome; please email them to
> wstearns@pobox.com .
> Mason is provided under the GNU General Public License, and is
> therefore provided at no cost. The entire package, with the exception of
> the included nmap-services file, is Copyright (c) 1998-1999 by William
> Stearns (wstearns@pobox.com).
> The permanent URL for the software is
> http://www.pobox.com/~wstearns/mason/ . The RPM can also be downloaded
> from
> ftp://contrib.redhat.com/noarch/noarch/
> Cheers,
> - Bill
>
> ---------------------------------------------------------------------------
> "Toleration is an inner personal disposition, is a fundamental
> requirement of being human and of living together in society . . .When
> toleration becomes indifference, it is ruined."
> -- Van Ruler
> (Courtesy of Tim Hawes <thawes@dma.org>)
> --------------------------------------------------------------------------
> William Stearns (wstearns@pobox.com)
> Mason, Buildkernel, and named2hosts are at: http://www.pobox.com/~wstearns
> --------------------------------------------------------------------------
>
-- Kevin Chu kevin@portal.ca http://members.tripod.com/~super_kevin/
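The announcement above describes Mason's approach rather than showing it: watch the packet log while the network does its normal work, generalize client ports and client addresses, emit one rule per direction of each flow, and require the ACK flag on the TCP reply direction except for ftp-data and high-port-to-high-port connections. The following is an added example, written for this page and not Mason's own code, that implements that learning step in miniature for ipchains. The log lines it reads are constructed, and their field layout is assumed to follow the "Packet log:" lines of ipchains on a 2.2 kernel; the LOCAL_NETS list stands in for the routing-table lookup Mason does itself. Passing target="DENY" turns it into the post-training monitor the closing paragraph suggests, emitting logging DENY rules for anything not yet covered.

```python
"""Toy learning-mode rule generator in the spirit of Mason (hypothetical
example, not Mason's code).  Reads ipchains "Packet log:" kernel lines,
generalises client ports and local client addresses, and emits an ACCEPT
rule per direction of each flow.  The TCP reply direction gets "! -y"
(not SYN-only, i.e. ACK set) except for ftp-data and high-high flows.
"""
import ipaddress
import re

# Assumed local network; Mason derives this from the routing table.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed log lines: an ssh request and its reply, a DNS query, a ping.
SAMPLE_LOG = [
    "Apr  2 23:09:06 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.168.1.5:1035 10.0.0.1:22 L=60 S=0x00 I=1234 F=0x4000 T=64 SYN (#1)",
    "Apr  2 23:09:06 fw kernel: Packet log: output DENY eth0 PROTO=6 "
    "10.0.0.1:22 192.168.1.5:1035 L=60 S=0x00 I=0 F=0x4000 T=64 (#1)",
    "Apr  2 23:09:07 fw kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.168.1.7:2049 10.0.0.1:53 L=48 S=0x00 I=2 F=0x0000 T=64 (#1)",
    "Apr  2 23:09:08 fw kernel: Packet log: input DENY eth0 PROTO=1 "
    "192.168.1.5:8 10.0.0.1:0 L=84 S=0x00 I=3 F=0x0000 T=64 (#1)",
]

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {6: "tcp", 17: "udp"}
REPLY_CHAIN = {"input": "output", "output": "input", "forward": "forward"}


def parse(line):
    """Extract the fields the generator needs; None if not a packet log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport"):
        pkt[key] = int(pkt[key])
    pkt["syn"] = " SYN" in line  # ipchains tags SYN-only TCP packets this way
    return pkt


def widen_addr(ip):
    """Generalise a local client address to its network, else keep the host."""
    addr = ipaddress.ip_address(ip)
    for net in LOCAL_NETS:
        if addr in net:
            return str(net)
    return f"{ip}/32"


def widen_port(port):
    """Unprivileged client ports become the whole ephemeral range."""
    return "1024:65535" if port >= 1024 else str(port)


def source_is_client(pkt):
    """Decide which end is the client: the SYN sender, then port numbers."""
    if pkt["proto"] == 6 and pkt["syn"]:
        return True
    if pkt["sport"] < 1024 and pkt["dport"] >= 1024:
        return False  # the logged packet is a reply from the server
    return True  # a request, or high-high: treat the source as the client


def rules_for(pkt, target="ACCEPT"):
    """Return the request-direction and reply-direction ipchains rules."""
    proto = PROTO_NAMES.get(pkt["proto"])
    if proto is None:
        return []  # icmp, gre, ... are left to the operator in this toy
    if source_is_client(pkt):
        c_ip, c_port, s_ip, s_port = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
        req_chain = pkt["chain"]
    else:
        c_ip, c_port, s_ip, s_port = pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]
        req_chain = REPLY_CHAIN[pkt["chain"]]
    client = f"{widen_addr(c_ip)} {widen_port(c_port)}"
    server = f"{s_ip}/32 {s_port}"
    # "! -y" lets only non-SYN (established) packets back to the client, so the
    # reply rule cannot be used to open a new connection from the server side.
    # ftp-data (server port 20) and high-high flows are server-initiated and
    # are exempted, as the announcement describes.
    flag = " ! -y" if proto == "tcp" and s_port < 1024 and s_port != 20 else ""
    tail = f"-j {target}" + ("" if target == "ACCEPT" else " -l")  # -l = log
    iface = pkt["iface"]
    return [
        f"ipchains -A {req_chain} -i {iface} -p {proto} -s {client} -d {server} {tail}",
        f"ipchains -A {REPLY_CHAIN[req_chain]} -i {iface} -p {proto}{flag} "
        f"-s {server} -d {client} {tail}",
    ]


def learn(lines, target="ACCEPT"):
    """Fold a log into an ordered, duplicate-free rule list."""
    seen, rules = set(), []
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        for rule in rules_for(pkt, target):
            if rule not in seen:
                seen.add(rule)
                rules.append(rule)
    return rules


def default_deny():
    """The 'default deny' policy the learned ACCEPT rules sit in front of."""
    return [f"ipchains -P {chain} DENY" for chain in ("input", "output", "forward")]


if __name__ == "__main__":
    for rule in learn(SAMPLE_LOG) + default_deny():
        print(rule)
```

Running it on the constructed log yields four rules: the ssh request and its reply collapse into one input rule from 192.168.1.0/24 1024:65535 to 10.0.0.1/32 22 and one output rule with "! -y" back to the client; the DNS query gets the same pair for udp without the flag; the ping is skipped. Review the generated rules before installing them, exactly as the announcement advises for Mason's output; the generalisation of the client side to a whole network is the step most worth a second look.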