1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1 |
The Mason HOWTO |
2 |
William Stearns wstearns@pobox.com |
|
3 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
4 |
v1.0.0, May 2002 |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
5 |
|
6 |
This describes the basic operation of Mason and its use in creating |
|
7 |
firewalls under Linux. |
|
8 |
||
9 |
______________________________________________________________________ |
|
10 |
||
11 |
Table of Contents |
|
12 |
||
13 |
||
14 |
||
15 |
||
16 |
||
17 |
||
18 |
||
19 |
||
20 |
||
21 |
||
22 |
||
23 |
||
24 |
||
25 |
||
26 |
||
27 |
||
28 |
||
29 |
||
30 |
||
31 |
||
32 |
||
33 |
||
34 |
||
35 |
||
36 |
||
37 |
||
38 |
||
39 |
||
40 |
||
41 |
||
42 |
||
43 |
||
44 |
||
45 |
||
46 |
||
47 |
||
48 |
||
49 |
||
50 |
||
51 |
||
52 |
||
53 |
||
54 |
||
55 |
||
56 |
||
57 |
||
58 |
||
59 |
||
60 |
||
61 |
||
62 |
||
63 |
||
64 |
||
65 |
||
66 |
||
67 |
1. Formalities |
|
68 |
||
69 |
1.1 Disclaimer |
|
70 |
1.2 Copyleft |
|
71 |
||
72 |
2. Introduction |
|
73 |
||
74 |
2.1 Background and motivation |
|
75 |
2.2 Basic theory of operation |
|
76 |
2.3 Compatibility and requirements |
|
77 |
2.4 Features |
|
78 |
||
79 |
3. Quickstart |
|
80 |
||
81 |
3.1 Make sure the system is already pretty secure. |
|
82 |
3.2 Install the Mason package |
|
83 |
3.3 Prepare /etc/services |
|
84 |
3.4 Prepare /etc/hosts |
|
85 |
3.5 Prepare the routing table and interfaces |
|
86 |
3.6 Check the configuration file |
|
87 |
3.7 Place any known rules in /var/lib/mason/baserules |
|
88 |
3.8 Run mason-gui-text |
|
89 |
3.9 Tell your boss that you're going to need a few weeks to build this. |
|
90 |
3.10 Implement the final firewall. |
|
91 |
||
92 |
4. Special considerations |
|
93 |
||
94 |
4.1 Kernel |
|
95 |
4.2 Ipfw, Ipfwadm, Ipchains, and Iptables |
|
96 |
4.3 DNS |
|
97 |
4.4 Rule order |
|
98 |
4.5 Generalization |
|
99 |
4.6 Router or end node |
|
100 |
4.7 Slow machines or fast nics |
|
101 |
4.8 Active hacking while mason running |
|
102 |
4.9 Masquerading |
|
103 |
4.10 Offline and non-root creation |
|
104 |
4.11 /etc/services and special ports |
|
105 |
4.12 Insert vs. append |
|
106 |
4.13 Allow versus deny and reject |
|
107 |
4.14 Input, Output, and Forwarding |
|
108 |
4.15 Remote firewall creation - Telnet/ssh lockout |
|
109 |
4.16 Ack flag |
|
110 |
4.17 Limitations, Ideas and future enhancements |
|
111 |
||
112 |
5. Configuring Mason |
|
113 |
||
114 |
6. IP protocols and their firewall characteristics |
|
115 |
||
116 |
6.1 Standard TCP and UDP protocols |
|
117 |
6.2 ICMP |
|
118 |
6.3 DNS |
|
119 |
6.4 FTP |
|
120 |
6.5 Netbios |
|
121 |
6.6 NTP |
|
122 |
6.7 SSH |
|
123 |
6.8 Other IP protocols |
|
124 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
125 |
7. Version summary (out of date, sorry) |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
126 |
|
127 |
8. Advanced scenarios |
|
128 |
||
129 |
8.1 General approach |
|
130 |
8.2 Ordering rules |
|
131 |
8.3 Tips and tricks |
|
132 |
||
133 |
9. Notes about Mason itself |
|
134 |
||
135 |
9.1 File descriptions |
|
136 |
||
137 |
10. Additional resources |
|
138 |
||
139 |
11. Authors, credits, feedback, copyright, how to help! |
|
140 |
||
141 |
11.1 Thanks |
|
142 |
||
143 |
||
144 |
______________________________________________________________________ |
|
145 |
||
146 |
1. Formalities |
|
147 |
||
148 |
1.1. Disclaimer |
|
149 |
||
150 |
---------------If you read nothing else, please read |
|
151 |
this---------------- |
|
152 |
||
153 |
This program offers an aid to creating firewall rules. It offers |
|
154 |
ABSOLUTELY NO intelligence in deciding what should be allowed or |
|
155 |
disallowed. It has ABSOLUTELY NO ability to understand your security |
|
156 |
policy and implement it. YOU are responsible for reviewing the rules |
|
157 |
and massaging them to fit your needs. |
|
158 |
||
159 |
While this documentation attempts to provide some general guidelines |
|
160 |
on how to use Mason, please remember: the author has no knowledge of |
|
161 |
what you want your firewall to do and has not tailored the |
|
162 |
documentation or program to specially fit your needs. If there is |
|
163 |
ever a discrepancy between your needs and the program output or your |
|
164 |
needs and the documentation, the program and/or documentation are |
|
165 |
_dead_ _wrong_. |
|
166 |
||
167 |
||
168 |
1.2. Copyleft |
|
169 |
||
170 |
Mason interactively creates a Linux packet filtering firewall. |
|
171 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
172 |
Copyright (C) 1998-2002 William Stearns wstearns@pobox.com |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
173 |
|
174 |
This program is free software; you can redistribute it and/or modify |
|
175 |
it under the terms of the GNU General Public License as published by |
|
176 |
the Free Software Foundation; either version 2 of the License, or (at |
|
177 |
your option) any later version. |
|
178 |
||
179 |
This program is distributed in the hope that it will be useful, but |
|
180 |
WITHOUT ANY WARRANTY; without even the implied warranty of |
|
181 |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
|
182 |
General Public License for more details. |
|
183 |
||
184 |
You should have received a copy of the GNU General Public License |
|
185 |
along with this program; if not, write to the Free Software |
|
186 |
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
|
187 |
||
188 |
The author can also be reached at: |
|
189 |
||
190 |
||
191 |
wstearns@pobox.com (preferred) |
|
192 |
||
193 |
web |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
194 |
http://www.stearns.org/mason/ |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
195 |
|
196 |
snail |
|
197 |
||
198 |
||
199 |
William Stearns |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
200 |
6 Manchester Dr. |
201 |
Lebanon NH, 03766, USA |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
202 |
|
203 |
||
204 |
||
205 |
This code is entirely owned by William Stearns (wstearns@pobox.com) |
|
206 |
and has no relation to any employer or employer sponsored project. |
|
207 |
||
208 |
||
209 |
2. Introduction |
|
210 |
||
211 |
||
212 |
"If you have not checked out Mason, I highly recommend it. |
|
213 |
Mason is a Linux based firewall, but none like you've ever |
|
214 |
used. In short, you put Mason into learning mode and run |
|
215 |
the services to the Internet you wish to support. Mason will |
|
216 |
then take these log entries and turn them into a set of |
|
217 |
packet filtering rules. Pretty cool eh? No ACK compliment |
|
218 |
rules to worry about, no "what was that service port again?" |
|
219 |
decisions to worry about, simply plug it in, let it learn |
|
220 |
and off you go. :)" |
|
221 |
||
222 |
||
223 |
- - Chris Brenton, cbrenton@sover.net |
|
224 |
||
225 |
||
226 |
The Mason script interactively builds a (fire)wall on a Linux machine. |
|
227 |
For more details about how this is done, please read on for |
|
228 |
background, theory of operation, a quick start, and additional |
|
229 |
documentation on firewalls and firewall gotcha's. |
|
230 |
||
231 |
mason.txt and related documentation should have been installed to |
|
232 |
/usr/doc/mason-{version}/ . If they are missing or you would like to |
|
233 |
make sure you have the latest version, please go to |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
234 |
http://www.stearns.org/mason/ . |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
235 |
|
236 |
The impatient should go right to the ``Quickstart''. |
|
237 |
||
238 |
||
239 |
2.1. Background and motivation |
|
240 |
||
241 |
The built-in firewall features of the Linux kernel offer a powerful |
|
242 |
set of packet filtering features that can be used to build a firewall. |
|
243 |
The various pieces of available documentation provide an introduction |
|
244 |
on how to configure the firewall for simple setups, but can't possibly |
|
245 |
explain how to configure a firewall for more complex setups, including |
|
246 |
fine-grained allow and deny lists. This is especially obvious when |
|
247 |
trying to create a firewall with a default policy of deny. |
|
248 |
||
249 |
Someone looking to configure a linux firewall is simultaneously hit |
|
250 |
with the complexity of trying to understand the ipfwadm syntax, trying |
|
251 |
to understand the structure of TCP/IP connections, and trying to |
|
252 |
create and implement a security policy. No wonder firewalls are |
|
253 |
daunting! |
|
254 |
||
255 |
The Mason application attempts to handle the first two problems by |
|
256 |
dynamically creating the firewall based on the traffic flowing through |
|
257 |
it. For example, if you start up a telnet session through your |
|
258 |
firewall from a machine on your LAN to a machine out on the WAN while |
|
259 |
mason is running, mason will create all the rules necessary to allow |
|
260 |
this traffic. |
|
261 |
||
262 |
Conversely, if you're looking to block incoming NFS requests, simply |
|
263 |
launch mason, select a "deny" or "reject" policy, and make the NFS |
|
264 |
connection. When the firewall is restarted, voila! No more incoming |
|
265 |
NFS. |
|
266 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
267 |
Creating a firewall no longer requires understanding the ipfwadm, |
268 |
ipchains or iptables syntax. Even novices can create a firewall under |
|
269 |
Linux. _HOWEVER_, creating a _good_ firewall _still_ requires some |
|
270 |
understanding of TCP/IP protocols and packet filtering. Many good |
|
271 |
books cover this. Check out O'Reilly and Associates ( |
|
272 |
http://www.ora.com or http://www.oreilly.com ) for some excellent |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
273 |
general coverage of firewall designs. |
274 |
||
275 |
One last novice's mistake I'd like to see Mason users avoid is the |
|
276 |
false sense of security that a firewall can provide. _Truly_ securing |
|
277 |
a system or network requires _much_ more than simply filtering |
|
278 |
packets. The aforementioned books provide a great background in |
|
279 |
general security. |
|
280 |
||
281 |
||
282 |
2.2. Basic theory of operation |
|
283 |
||
284 |
Before starting, if the user has some rules that he or she knows |
|
285 |
should be used in this machine, these can be added to |
|
286 |
/var/lib/mason/baserules. As part of the process of running Mason, |
|
287 |
we'll add rules that log all other packets to /var/log/messages. The |
|
288 |
"tail" command is used to feed these log messages into Mason, which |
|
289 |
converts each log entry into the corresponding command necessary to |
|
290 |
allow that kind of traffic. In the previous telnet example, 6 |
|
291 |
different firewall rules would be created on the firewall, three for |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
292 |
the original request packet, 3 for the response back from the server |
293 |
(just 1 or 2 in iptables firewalls): |
|
294 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
295 |
|
296 |
pkt 1: Allow telnet request in from LAN |
|
297 |
pkt 1: Forward request through firewall |
|
298 |
pkt 1: Allow request to exit to WAN |
|
299 |
pkt 2: Allow telnet response back into firewall from WAN |
|
300 |
pkt 2: Forward response through system |
|
301 |
pkt 2: Allow response to exit back to the original machine on the LAN. |
|
302 |
||
303 |
||
304 |
||
305 |
All packets from 3 on are handled by these rules. There may be a |
|
306 |
short delay in the initial connection as the rules are created. |
|
307 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
308 |
The script creates the actual ipfwadm/ipchains/iptables commands to |
309 |
accomodate the packet flow. When the command is executed the new rule |
|
310 |
is inserted at the head of the existing rules so that future packets |
|
311 |
of this type no longer reach the logging rule at the bottom. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
312 |
|
313 |
The rules are also echoed to the console so that you can see the rules |
|
314 |
as they are executed or redirect them to a file. This process is |
|
315 |
handled automatically by mason-gui-text. |
|
316 |
||
317 |
If any of this is unclear, take a look at the ``Quickstart'' which |
|
318 |
walks you through actually running it. It'll make more sense when you |
|
319 |
see it in action. |
|
320 |
||
321 |
||
322 |
2.3. Compatibility and requirements |
|
323 |
||
324 |
||
325 |
o Distributions |
|
326 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
327 |
o Heavily tested on RedHat 5.x, 6.x, and 7.x |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
328 |
|
329 |
o Compatible with Debian 2.x |
|
330 |
||
331 |
o Probably works with Slackware |
|
332 |
||
333 |
o Probably works with Suse, but you need to choose between the |
|
334 |
default /etc/rc.d/init.d/firewall and the one included with Mason |
|
335 |
||
336 |
o Requirements |
|
337 |
||
338 |
o Bash 1.x or 2.x |
|
339 |
||
340 |
o Standard system utilities: awk, cat, chmod, cut, grep, head, |
|
341 |
ifconfig, mkdir, ps, route, sed, sleep, sort, tail, touch, tr, |
|
342 |
true, uniq and wc |
|
343 |
||
344 |
o A kernel that supports packet filtering and packet logging (kernel |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
345 |
2.0's ipfwadm, kernel 2.2's ipchains, or 2.4's iptables) |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
346 |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
347 |
o The ipchains, ipfwadm or iptables binaries. |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
348 |
|
349 |
o Things Mason doesn't care about |
|
350 |
||
351 |
o Hardware architecture (i386, Axp, Sparc...) |
|
352 |
||
353 |
o Number or type of interfaces |
|
354 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
355 |
o Whether the machine is a router or end-node (a normal server or |
356 |
workstation). |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
357 |
|
358 |
||
359 |
||
360 |
2.4. Features |
|
361 |
||
362 |
Mason supports the following: (see the release notes for additional |
|
363 |
features) |
|
364 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
365 |
o It accepts any mix of ipchains, ipfwadm or iptables log entries as |
366 |
input. |
|
367 |
||
368 |
o It can run on an ipfwadm, ipchains or iptables kernel. |
|
369 |
||
370 |
o It can spit out ipfwadm, ipchains or iptables output. |
|
371 |
||
372 |
o In theory, the above 3 are independent from each other. Mason can, |
|
373 |
for example, accept ipchains and ipfwadm log entries, run on an |
|
374 |
ipfwadm host, and output ipchains rules. Unfortunately, the |
|
375 |
structure and design of an iptables firewall is sufficiently |
|
376 |
different from ipfwadm and ipchains firewalls that you can't |
|
377 |
automatically convert back and forth. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
378 |
|
379 |
o It will run on the firewall machine or on another machine, using |
|
380 |
the firewall's packet logs as input. |
|
381 |
||
382 |
o It can run as the traffic is flowing through the machine or be fed |
|
383 |
the firewall logs later. |
|
384 |
||
385 |
o While there are some advantages to running as root, it can be run |
|
386 |
as a non-root user. |
|
387 |
||
388 |
o Mason will put in a macro for dynamic IP addresses, usually for |
|
389 |
your ppp link. |
|
390 |
||
391 |
o It supports any kind of interface that can carry TCP/IP traffic. |
|
392 |
||
393 |
o It recognizes any protocol listed in /etc/services and commonly |
|
394 |
used icmp protocols. |
|
395 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
396 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
397 |
o It automatically handles setups such as cable modem or satellite |
398 |
where the packets go out on one interface and come back on another. |
|
399 |
||
400 |
o It automatically handles masquerading on the firewall and the |
|
401 |
strange rules that can require. |
|
402 |
||
403 |
o It allows you to put in any rules you may know you need and fills |
|
404 |
in the rest, or just builds the entire thing for you if you prefer. |
|
405 |
It can also be used after a firewall has been created to fill in |
|
406 |
some new rules or new protocols. |
|
407 |
||
408 |
o It automatically generalizes the firewall rules in the following |
|
409 |
ways: |
|
410 |
||
411 |
o Any local IP addresses are converted to the corresponding local |
|
412 |
network. Special IP's (0.0.0.0, 127.0.0.1, 255.255.255.255) are |
|
413 |
handled appropriately. Mason can also be configured to leave |
|
414 |
addresses alone or convert them to hostnames. This gives you the |
|
415 |
ability to either treat all machines in a subnet as having equal |
|
416 |
access rights or create fine-grained access rules for individual |
|
417 |
servers, as you choose. |
|
418 |
||
419 |
o Non-local IP's are converted to 0/0 (anywhere). |
|
420 |
||
421 |
o Port numbers in /etc/services are converted to the corresponding |
|
422 |
service name. |
|
423 |
||
424 |
o High port numbers are generalized to 1024:65535. The special port |
|
425 |
needs of ssh, traceroute, nfs, ip masquerading, irc, x, |
|
426 |
openwindows, and vnc are handled automatically. |
|
427 |
||
428 |
o The ack flag is set for all tcp connections except for ftp. |
|
429 |
||
430 |
o The TOS (type Of Service) flag is set for ftp, ftp-data, imap, irc, |
|
431 |
nntp, pop, ssh, snmp, and telnet to improve interactive performance |
|
432 |
by queuing interactive packets ahead of bulk transfer packets. |
|
433 |
||
434 |
o Each output line is commented to give you an idea of what it's for |
|
435 |
and allow for easy grouping via sort. |
|
436 |
||
437 |
o The rule policy can be changed on the fly without having to stop |
|
438 |
Mason. |
|
439 |
||
440 |
o Because Mason is a shell script, it can run on any system with bash |
|
441 |
and basic GNU tools (sed, awk, grep, etc.). Actually creating the |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
442 |
firewall log entries, interactively building the firewall, or |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
443 |
implementing the finished firewall needs requires a Linux system |
444 |
with appropriate kernel (generally 2.0.0 and up, including 2.1.x |
|
445 |
and 2.2.x) with firewalling and firewall packet logging built in. |
|
446 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
447 |
o Thanks to Don Howard howarddj@bigvax.alfred.edu, Mason 0.12.0 and |
448 |
above have initial support for creating Cisco ACL's. The support |
|
449 |
is not truly complete, and hence untested. It needs someone that's |
|
450 |
interested in working with me on the project before it's complete. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
451 |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
452 |
o A rather extensive manual/howto/notes file covers operating Mason |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
453 |
and some issued associated with packet filtering firewalls. Good |
454 |
reading for anyone trying to understand some of the more advanced |
|
455 |
topics in packet filtering firewalls. |
|
456 |
||
457 |
o automatically makes masq rules for reserved addresses |
|
458 |
||
459 |
o icmp subcodes |
|
460 |
||
461 |
o support for ip tunneling, cipe and a number of other protocols |
|
462 |
||
463 |
o removal of the namecache (no longer needed) |
|
464 |
||
465 |
o mason now stops logging packets quickly while it does the main |
|
466 |
processing |
|
467 |
||
468 |
o stop using ipcalc to calculate broadcast |
|
469 |
||
470 |
o don't touch /etc/hosts or /etc/services |
|
471 |
||
472 |
o more Debian integration and two man pages (Thanks, Jeff!) |
|
473 |
||
474 |
o support for ipchains-save output format |
|
475 |
||
476 |
o support for --sport and --dport (Thanks, Rusty!) |
|
477 |
||
478 |
o major documentation updates |
|
479 |
||
480 |
o the ability to add packet counts to each rule, sorting the most |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
481 |
commonly used rules to the top (ipfwadm and ipchains only; iptables |
482 |
no longer requires this). |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
483 |
|
484 |
o misc. bug fixes and performance improvements |
|
485 |
||
486 |
o fixes to the Cisco output format |
|
487 |
||
488 |
o the ability to generalize the ack rules for tcp connections, |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
489 |
cutting 25%-35% of the rules |
490 |
||
491 |
o an internal checkpointing ability to help in debugging |
|
492 |
||
493 |
o Mason can find the smallest subnet that encompasses the ips found |
|
494 |
on a dynamic interface |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
495 |
|
496 |
o and no_outgoing_ protocols |
|
497 |
||
498 |
||
499 |
3. Quickstart |
|
500 |
||
501 |
This document is designed to help people who are unfamiliar with Mason |
|
502 |
build a firewall using it. A novice user should be able to start |
|
503 |
building a basic firewall using these instructions in 20 minutes. |
|
504 |
||
505 |
______________________________________________________________________ |
|
506 |
#include <disclaimer.h> |
|
507 |
______________________________________________________________________ |
|
508 |
||
509 |
||
510 |
||
511 |
||
512 |
3.1. Make sure the system is already pretty secure. |
|
513 |
||
514 |
See the Linux security sites and the Linux Administrators Security |
|
515 |
Guide for more info. A strict packet filtering firewall is useless if |
|
516 |
someone can get root access somehow; they can just turn off the |
|
517 |
firewall. |
|
518 |
||
519 |
||
520 |
3.2. Install the Mason package |
|
521 |
||
522 |
5 minutes or less. |
|
523 |
||
524 |
If you're using an rpm-based system, type just |
|
525 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
526 |
|
527 |
||
528 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
529 |
______________________________________________________________________ |
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
530 |
rpm -Uvh ftp://www.stearns.org/pub/wstearns/mason/mason-1.0.0-0.noarch.rpm |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
531 |
______________________________________________________________________ |
532 |
||
533 |
||
534 |
||
535 |
Otherwise, download the latest version to /usr/src, |
|
536 |
||
537 |
______________________________________________________________________ |
|
538 |
cd /usr/src<Enter> |
|
539 |
tar -xzvf mason...tar.gz<Enter> |
|
540 |
cd mason...<Enter> |
|
541 |
make install<Enter> |
|
542 |
______________________________________________________________________ |
|
543 |
||
544 |
||
545 |
||
546 |
||
547 |
3.3. Prepare /etc/services |
|
548 |
||
549 |
Probably mostly done! |
|
550 |
||
551 |
Mason depends on a few setup details to be able to provide a firewall |
|
552 |
that works in the way you intended. Make sure that /etc/services |
|
553 |
includes the server port names for all services you intend to work |
|
554 |
with, whether those services are running on the firewall machine or on |
|
555 |
some other machine. |
|
556 |
||
557 |
For example, if you intend to use ssh to connect to another system, |
|
558 |
make sure that the line |
|
559 |
||
560 |
ssh 22/tcp |
|
561 |
||
562 |
||
563 |
||
564 |
is in /etc/services. Entries that might be missing include: |
|
565 |
||
566 |
ftp-data 20/tcp |
|
567 |
ssh 22/tcp #Secure shell |
|
568 |
linuxconf 98/tcp |
|
569 |
squid 3128/tcp #Squid proxy cache requests |
|
570 |
icp 3130/udp #Inter Cache Protocol, used in squid |
|
571 |
||
572 |
||
573 |
||
574 |
It is not necessary to include entries for services that you don't |
|
575 |
use. Also, do _not_ place entries for _client_ ports in this file; |
|
576 |
Mason assumes anything referenced in this file is a server port. For |
|
577 |
example, even though one of the client ports used for ssh is 1022/tcp, |
|
578 |
you would _not_ place this in /etc/services. Doing so would cause |
|
579 |
Mason to provide incorrect rules. |
|
580 |
||
581 |
If you're not sure which ports are being used as servers on the |
|
582 |
firewall or on other machines on your network, use the "netstat -an | |
|
583 |
less" command on Linux/Unix systems and look for lines with "LISTEN". |
|
584 |
||
585 |
||
586 |
||
587 |
3.4. Prepare /etc/hosts |
|
588 |
||
589 |
Probably mostly done! |
|
590 |
||
591 |
Try to place short names first. You don't have to do this, but the |
|
592 |
firewall will be much more readable in the end if you do. |
|
593 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
594 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
595 |
Make sure that your /etc/hosts file has at least entries for: |
596 |
||
597 |
o locahost |
|
598 |
||
599 |
o the ip addresses of all interfaces on your firewall |
|
600 |
||
601 |
o all the networks in your routing table except 0.0.0.0. |
|
602 |
||
603 |
o all dns servers |
|
604 |
||
605 |
o any other hosts that Mason might treat specially |
|
606 |
||
607 |
For example: |
|
608 |
||
609 |
127.0.0.1 localhost |
|
610 |
172.16.0.1 fwall-inside bastion bastion.mydomain.org |
|
611 |
12.13.14.15 fwall-outside |
|
612 |
172.16.0.0 INSIDE #I use all caps to distinguish networks from normal IP's. |
|
613 |
12.13.14.0 OUTSIDE |
|
614 |
12.13.16.10 myisp-dns1 |
|
615 |
12.13.16.11 myisp-dns2 |
|
616 |
12.13.14.44 ntp bonzo bonzo.mydomain.org |
|
617 |
||
618 |
||
619 |
||
620 |
||
621 |
3.5. Prepare the routing table and interfaces |
|
622 |
||
623 |
Probably already done! |
|
624 |
||
625 |
Mason assumes that the routing table and interfaces are set up to |
|
626 |
match the way the final firewall will run. If you're running this on |
|
627 |
the actual firewall machine and all the interfaces and networks have |
|
628 |
been configured, proceed to the next step. |
|
629 |
||
630 |
Edit /etc/masonrc on the machine on which Mason will run. Edit the |
|
631 |
line (or add it if it's not there) |
|
632 |
||
633 |
NETWORKS="....." |
|
634 |
||
635 |
||
636 |
Inside the quotes, place the following: |
|
637 |
||
638 |
||
639 |
o All ip addresses of all interfaces for the firewall, each followed |
|
640 |
by /32 . |
|
641 |
||
642 |
o The ip's of any hosts that shouldn't be treated identically to the |
|
643 |
other machines on their respective networks. |
|
644 |
||
645 |
o All networks whose machines the firewall should treat identically. |
|
646 |
||
647 |
For example, if the firewall had IP address 172.16.0.1 on network |
|
648 |
172.16.0.0/255.255.0.0 and IP address 12.13.14.15 on network |
|
649 |
12.13.14.0/255.255.255.0, I would add the following line to |
|
650 |
/etc/networks if I was building the firewall on another machine: |
|
651 |
||
652 |
NETWORKS="127.0.0.1/32 172.16.0.1/32 12.13.14.15/32 172.16.0.0/16 12.13.14.0/24" |
|
653 |
||
654 |
||
655 |
||
656 |
||
657 |
3.6. Check the configuration file |
|
658 |
||
659 |
5 minutes, more if you want to customize. |
|
660 |
||
661 |
The configuration choices in /etc/masonrc are ordered so that the |
|
662 |
fields you'll most likely need to edit are at the top and the really |
|
663 |
obscure ones are at the bottom. |
|
664 |
||
665 |
There are a few setting you must set for Mason to work at all: |
|
666 |
NEWRULEPOLICY, DEFAULTPOLICY, and FLUSHEDPOLICY. If you have no |
|
667 |
firewall at all and are creating one for the first time, set each to |
|
668 |
"ACCEPT". During the learning process, you will have no protection at |
|
669 |
all (all packets will be accepted), but note that this is no _less_ |
|
670 |
secure than a system without a firewall. |
|
671 |
||
672 |
If you want to make the creation process a little more secure, you |
|
673 |
might consider setting one of these to DENY or REJECT; see the |
|
674 |
comments in /etc/masonrc and mason.txt for more info on this. In |
|
675 |
particular, if you are building this remotely via a telnet or ssh |
|
676 |
session, note that setting one of the above to something other than |
|
677 |
ACCEPT before Mason knows about the telnet or ssh traffic almost |
|
678 |
guarantees that you will lose the ability to telnet or ssh to the box |
|
679 |
until it is rebooted from the console. |
|
680 |
||
681 |
If you're in a rush to try out Mason, feel free to set just these |
|
682 |
three fields and continue. The more of the settings you set to match |
|
683 |
your needs, the better the firewall will be at matching your security |
|
684 |
policy in the end. |
|
685 |
||
686 |
||
687 |
||
688 |
3.7. Place any known rules in /var/lib/mason/baserules |
|
689 |
||
690 |
No time for most people. |
|
691 |
||
692 |
If you know some rules you'll need already, put them in this file. |
|
693 |
For example, if you know you'll need to masquerade all traffic from |
|
694 |
the 172.16.0.0/255.255.0.0 network, a sample rule for this is already |
|
695 |
in baserules. |
|
696 |
||
697 |
If you don't know of any, no problem. |
|
698 |
||
699 |
||
700 |
||
701 |
3.8. Run mason-gui-text |
|
702 |
||
703 |
This (admittedly rudimentary) interface helps you build the firewall. |
|
704 |
Choose "BL" (begin learning) and watch mason start to spit out the |
|
705 |
firewall rules that perfectly match your system's network traffic. |
|
706 |
||
707 |
Check that stopwatch - you're building a firewall less than 20 minutes |
|
708 |
from when you started! Give yourself a pat on the back. Mason will |
|
709 |
do a great deal of the rest in the background while you're doing your |
|
710 |
day to day work. |
|
711 |
||
712 |
Do all of the things you want this firewall to support. If you want |
|
713 |
to allow mail to be sent through it, send mail through it. if you |
|
714 |
want to be able to ping it, ping it. If you want to be able to |
|
715 |
traceroute from it, traceroute from it.... You get the idea. |
|
716 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
717 |
Mason will present the new rules that match your networks traffic. |
718 |
For each rule you'll be given the chance to modify the rule or commit |
|
719 |
the rule. Here are the modify choices: |
|
720 |
||
721 |
||
722 |
||
723 |
o Edit manually Edit the rule. You can make any changes you'd |
|
724 |
like to the rule before committing it to the permanent ruleset. |
|
725 |
||
726 |
||
727 |
o Jot Jot a note at the end of the rule. You can enter a |
|
728 |
comment to be placed at the end of the rule. |
|
729 |
||
730 |
o Accept change policy to Accept and commit. Without changing |
|
731 |
any of the rest of the rule, this changes the rule action to Accept |
|
732 |
(let the packet pass) and commits it to the permanent ruleset. |
|
733 |
||
734 |
o Deny change policy to Deny and commit. Like the above, but |
|
735 |
change the policy to Deny (or drop, as appropriate for the firewall |
|
736 |
type; deny and drop discard the packet without sending any error |
|
737 |
message back to the original sender). |
|
738 |
||
739 |
o Masq change policy to Masquerade and commit. Like the |
|
740 |
above, but change the policy to Masquerade. Masquerading allows |
|
741 |
multiple machines to share a single IP address; the more general |
|
742 |
term is "many-to-one NAT". |
|
743 |
||
744 |
o Reject change policy to Reject and commit. Like the above, |
|
745 |
but Reject the packet. Like Deny/Drop, the packet is discarded, |
|
746 |
but Reject sends back an error message to the original sender. |
|
747 |
||
748 |
||
749 |
Here are the commit choices: |
|
750 |
||
751 |
||
752 |
o Postpone Postpone choice. If you can't decide what to do with a |
|
753 |
rule, or don't have the time to decide, choose postpone. This |
|
754 |
saves it to the "newrules" file, which is not used in the firewall |
|
755 |
at boot time. You'll be asked later about any rule choices you |
|
756 |
postponed. |
|
757 |
||
758 |
o Throw away Throw away line. Forget the rule entirely. |
|
759 |
||
760 |
o Blockedhost make this host a BLOCKEDHOST and delete the rule. Good |
|
761 |
if someone's attacking you and you want to shun them entirely. |
|
762 |
||
763 |
o Noincoming make this port a NOINCOMING port and delete the rule. |
|
764 |
This is good for ports that should never be allowed in to your |
|
765 |
network. |
|
766 |
||
767 |
o Commit Commit to the permanent firewall set. Commit the rule |
|
768 |
verbatim. |
|
769 |
||
770 |
o Quit postpone any remaining rules and Quit. Oops, time for |
|
771 |
lunch! Use this to postpone the current rule and any others in the |
|
772 |
queue. |
|
773 |
||
774 |
Once you're happy with a firewall ruleset, stop learning. From the |
|
775 |
main menu you can either Edit the Base ruleset with "EB" or Quit. |
|
776 |
Edit New and Merge Rules are generally not needed and will be removed |
|
777 |
in a future version. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
778 |
|
779 |
Baserules is reserved for rules that you are _sure_ are correct; only |
|
780 |
these rules get loaded at boot time if you've enabled the firewall |
|
781 |
(run "ntsysv" in RedHat and enable the firewall service, or make the |
|
782 |
appropriate symlink from /etc/rc.d/init.d/firewall to |
|
783 |
/etc/rc.d/rc3.d/S92firewall for other distributions). |
|
784 |
||
785 |
The goal is to have a baserules file that has all of the rules you've |
|
786 |
approved and an empty newrules file. Keep in mind that the firewall |
|
787 |
that will normally be started at boot time _only_ uses rules from |
|
788 |
baserules. |
|
789 |
||
790 |
If you need to step away from the firewall for a minute, choose "LC" |
|
791 |
(lock console) from the main menu. Mason will keep on learning and |
|
792 |
you'll still see the new rules, but that console will be locked. |
|
793 |
You'll need to enter the root password to return to the main menu. |
|
794 |
||
795 |
||
796 |
||
797 |
3.9. Tell your boss that you're going to need a few weeks to build |
|
798 |
this. |
|
799 |
||
800 |
Then head off to Bermuda and bask in the sun while Mason does its |
|
801 |
learning. |
|
802 |
||
803 |
And make sure you have a penguin typing away in your chair so no-one |
|
804 |
is suspicious. |
|
805 |
||
806 |
*grin* |
|
807 |
||
808 |
||
809 |
||
810 |
3.10. Implement the final firewall. |
|
811 |
||
812 |
Once you've let Mason run in the background for a couple of days, are |
|
813 |
confident that you've gotten all of the traffic types this machine |
|
814 |
needs to support, have merged all of the rules to baserules, and are |
|
815 |
confident they are what you want, lock down the firewall. |
|
816 |
||
817 |
In /etc/masonrc, change DEFAULTPOLICY to DENY. If you want to keep |
|
818 |
Mason running to see if any stragglers show up, you'll probably want |
|
819 |
to change NEWRULEPOLICY to DENY as well; this has the effect of |
|
820 |
creating rules for new packet types, but they are DENY rules now. |
|
821 |
||
822 |
Otherwise, just start the standard firewall with: |
|
823 |
/etc/rc.d/init.d/firewall start |
|
824 |
||
825 |
If you've made the symlink in step 7, the firewall will be started |
|
826 |
automatically at boot time. |
|
827 |
||
828 |
||
829 |
||
830 |
4. Special considerations |
|
831 |
||
832 |
4.1. Kernel |
|
833 |
||
834 |
(Please note that most kernels provide the support necessary; it's |
|
835 |
probably safe to check back with this section only if you have |
|
836 |
problems.) |
|
837 |
||
838 |
IP firewalling and firewall packet logging have to be compiled into |
|
839 |
the kernel. To see if IP firewalling is compiled into your kernel, |
|
840 |
type the command: |
|
841 |
||
842 |
______________________________________________________________________ |
|
843 |
ls -al /proc/net/ip_fwchains /proc/net/ip_input |
|
844 |
______________________________________________________________________ |
|
845 |
||
846 |
||
847 |
||
848 |
If ip_fwchains exists, you have ipchains compiled into your kernel. |
|
849 |
If ip_input exists, you have ipfwadmin firewalling compiled into your |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
850 |
kernel. If neither file exists, one of the following is true: |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
851 |
|
852 |
||
853 |
o Your kernel is too old. It appears that linux firewalling switched |
|
854 |
from the old "ipfw" firewalling in 1.3.66, but some features |
|
855 |
require 2.0.0. |
|
856 |
||
857 |
o Your kernel is missing the proc filesystem or it's not mounted |
|
858 |
("mount /proc" will probably fix the latter). If your kernel truly |
|
859 |
doesn't support the proc filesystem, reboot into the kernel that |
|
860 |
came with your distribution, which almost certainly does. |
|
861 |
||
862 |
o You have the right version of the kernel, but firewalling is not |
|
863 |
enabled. You must recompile the kernel and turn on firewalling. |
|
864 |
See the HOWTO's at http://metalab.unc.edu/linux/HOWTO/ to see how |
|
865 |
this is done. In particular, see the masquerading and kernel |
|
866 |
HOWTO's. |
|
867 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
868 |
o Your 2.4 kernel has iptables, which doesn't have a flag file like |
869 |
ipfwadm and ipchains. |
|
870 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
871 |
When you recompile the kernel, I recommend you have all of the |
872 |
following enabled: network firewalls, ip firewalling, firewall packet |
|
873 |
logging, always defragment, proc filesystem, transparent proxy |
|
874 |
support, IP masquerading, and icmp masquerading. |
|
875 |
||
876 |
To see if firewall packet logging is enabled in your kernel, type one |
|
877 |
of the following commands: |
|
878 |
||
879 |
______________________________________________________________________ |
|
880 |
/sbin/ipfwadm -a deny -F -S 127.12.2.3/32 -o <Enter> |
|
881 |
/sbin/ipchains -A forward -s 127.12.2.3/32 -l <Enter> |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
882 |
/sbin/iptables -A FORWARD -s 127.12.2.3/32 -j LOG<Enter> |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
883 |
______________________________________________________________________ |
884 |
||
885 |
||
886 |
||
887 |
The "-o" or "-l" at the end tells the kernel to log this particular |
|
888 |
packet type (one which should never show up). If your kernel does not |
|
889 |
support logging, I _think_ you would get an error. On the other hand, |
|
890 |
I've never had a kernel that has firewalling but does not have |
|
891 |
logging. The solution is the same - recompile your kernel to include |
|
892 |
both firewalling _and_ firewall packet logging. |
|
893 |
||
894 |
(If recompiling a kernel is too daunting, try my automated kernel |
|
895 |
builder, "buildkernel", which can be found at |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
896 |
http://www.stearns.org/buildkernel/). |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
897 |
|
898 |
||
899 |
4.2. Ipfw, Ipfwadm, Ipchains, and Iptables |
|
900 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
901 |
Current versions of Mason handle ipfwadm, ipchains and iptables. It |
902 |
will accept log entries created under all three firewall types |
|
903 |
automatically. Mason automatically detects which kind of rule to |
|
904 |
create, although this can be overridden with environment variables set |
|
905 |
in /etc/masonrc. The masonrc file has comments describing these |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
906 |
fields. |
907 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
908 |
Make sure you have the ipfwadm, ipchains or iptables executable - one |
909 |
of these should be included with your distribution. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
910 |
|
911 |
Mason has no support for ipfw firewalls (the firewalling used in |
|
912 |
kernels prior to 1.3.66). I don't intend to pursue this type of |
|
913 |
firewalling, but am not against integrating a patch if someone feels |
|
914 |
like adding the support. Does anyone still use this? |
|
915 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
916 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
917 |
4.3. DNS |
918 |
||
919 |
Mason does not try to look up the hostnames of any machines involved |
|
920 |
in DNS requests (unless they're in /etc/hosts). If it did, Mason |
|
921 |
could enter a situation where it issues a steady flow of DNS requests |
|
922 |
to resolve the machine names and each DNS request requires a new rule, |
|
923 |
which in turn requires more DNS requests... ugh. |
|
924 |
||
925 |
The easy way to get machine names into your DNS rules is to make sure |
|
926 |
all your DNS servers are listed in /etc/hosts . If they're not listed |
|
927 |
there, Mason will just leave them as IP's. |
|
928 |
||
929 |
||
930 |
||
931 |
4.4. Rule order |
|
932 |
||
933 |
When a packet needs to be processed (at entry, forwarding, or exit), |
|
934 |
the firewall scans the existing list of rules to decide whether to |
|
935 |
allow, deny or reject the packet. As this scans stops at the first |
|
936 |
rule that matches the packet, the order in which your final firewall |
|
937 |
rules are executed can make a difference. This document only provides |
|
938 |
basic coverage of how to order your rules - sorry. The best place to |
|
939 |
find out more about this is in the O'Reilly and associates books. |
|
940 |
||
941 |
(If anyone would like to provide additional general guidelines as to |
|
942 |
how this is done, I would be glad to place them here with the |
|
943 |
appropriate disclaimers). |
|
944 |
||
945 |
||
946 |
4.5. Generalization |
|
947 |
||
948 |
The packets Mason processes are data transfers between specific ports |
|
949 |
on specific machines. For example, here's a response packet from a |
|
950 |
specific FTP server (linux.kernel.org) to what is probably a machine |
|
951 |
on your LAN: |
|
952 |
||
953 |
______________________________________________________________________ |
|
954 |
/sbin/ipfwadm -i accept -W ppp0 -I -P tcp -S linux.kernel.org/32 ftp -D \ |
|
955 |
devel1.goober.net/32 1024:65535 # ftp/tcp |
|
956 |
______________________________________________________________________ |
|
957 |
||
958 |
||
959 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
960 |
The rule above (possibly along with others) would only allow devel1 to |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
961 |
reach only linux.kernel.org, making for a ridiculously large ruleset |
962 |
if other machines wanted to ftp out to linux.kernel.org or wanted to |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
963 |
reach other ftp servers. |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
964 |
|
965 |
By default, Mason _generalizes_ the source and destination IP |
|
966 |
addresses. For example, devel1.goober.net/32 is replaced with |
|
967 |
210.134.12.0/24 (the fictitious network address block of which devel1 |
|
968 |
is a part). Since linux.kernel.org is not a part of any local network |
|
969 |
blocks, linux.kernel.org is replaced with 0/0 (which matches any |
|
970 |
machine anywhere). |
|
971 |
||
972 |
This automatic generalization can be disabled by setting IPCONV="HOST" |
|
973 |
in /etc/masonrc. |
|
974 |
||
975 |
Mason also does some generalization on the source and destination |
|
976 |
ports. Irc, X, realaudio, traceroute, and others use ranges of ports; |
|
977 |
Mason knows how to generalize many protocols to the appropriate range. |
|
978 |
||
979 |
For the standard tcp and udp services, Mason generalizes the client |
|
980 |
port to 1024:65535. The connection that prompted this rule might have |
|
981 |
been, for example, port 1745 on devel1. As Mason didn't recognize |
|
982 |
1745 as some special server, it assumed that the next connection might |
|
983 |
be from, say, port 1788. By using the entire range of high ports |
|
984 |
("1024:65535" in the above rule), Mason uses a pretty standard |
|
985 |
approach to packet filtering to reduce the number of rules. |
|
986 |
||
987 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
988 |
|
989 |
||
990 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
991 |
4.6. Router or end node |
992 |
||
993 |
This program was originally intended for use on a traditional firewall |
|
994 |
- a packet filtering router (linux box that connects 2 or more |
|
995 |
networks through one or more interfaces). It works equally well on |
|
996 |
Linux boxes with only one interface. These could be workstations on a |
|
997 |
LAN, servers outside of your firewall, or even slip or ppp connected |
|
998 |
workstations. The number of interfaces and their type and speed are |
|
999 |
irrelevant to the firewall creation process. |
|
1000 |
||
1001 |
This would be great for locking down a web or mail server outside your |
|
1002 |
firewall, for example. Start up Mason and make sure you make one of |
|
1003 |
every kind of connection you want to that machine. Mason will create |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1004 |
the corresponding rules. Generalize these and add a default policy of |
1005 |
"deny". _Only_ the connection types you specified will be allowed to |
|
1006 |
that machine. The difficulty of setting up the rules has been the |
|
1007 |
major impediment to this kind of hardened end node in the past. Now |
|
1008 |
that Mason is here, there's no reason why every machine on your LAN |
|
1009 |
can't have packet filtering enabled and active. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1010 |
|
1011 |
Note that on an end node (Linux box with a single NIC connected to a |
|
1012 |
single IP network) you should never see forwarding rules created - |
|
1013 |
this makes sense if you think about it. |
|
1014 |
||
1015 |
You could technically create a firewall on a machine with only the |
|
1016 |
loopback interface, but this would be more for instructional value |
|
1017 |
about internal tcp connections than for any security goal. On the |
|
1018 |
other hand, if you wanted to stop shell account users from getting to |
|
1019 |
an internal Web server, you certainly could; just make sure you put in |
|
1020 |
blocking rules for all interfaces, not just the loopback interface. |
|
1021 |
||
1022 |
||
1023 |
4.7. Slow machines or fast nics |
|
1024 |
||
1025 |
As a shell script, Mason is much less efficient at its work than a C |
|
1026 |
app would be. On a slow machine, it can take a couple of seconds from |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1027 |
the time the log entry is fed into it until the firewall rule is |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1028 |
implemented. If the system is slow, if it has a lot of packets |
1029 |
traveling through it, or if it simply has a great deal of log file |
|
1030 |
traffic it can take Mason a long time to catch up. If this is the |
|
1031 |
case, start slow. Try one connection type at a time and give the |
|
1032 |
system a chance to settle before you move on. |
|
1033 |
||
1034 |
If Mason _cannot_ catch up, choose the "EL" (End Learning) option in |
|
1035 |
mason-gui-text. Wait until Mason stops, then restart learning. |
|
1036 |
||
1037 |
||
1038 |
4.8. Active hacking while mason running |
|
1039 |
||
1040 |
If at all possible, try to set up these rules in a controlled |
|
1041 |
environment. Hook up your firewall to machines that simulate the |
|
1042 |
routers and networks that will be used in its final location. It is |
|
1043 |
not a good idea to create a firewall in an environment not completely |
|
1044 |
under your control. |
|
1045 |
||
1046 |
If you must create the firewall rules in a live environment, be |
|
1047 |
warned: Mason simply creates rules based on what traffic is passing |
|
1048 |
through it. IT CANNOT DISTINGUISH BETWEEN THE TRAFFIC YOU'RE CREATING |
|
1049 |
TO TEACH IT AND SOMEONE ACTIVELY TRYING TO HACK THROUGH YOUR FIREWALL. |
|
1050 |
IF THIS HAPPENS, MASON WILL CREATE RULES THAT _SPECIFICALLY_ _ALLOW_ |
|
1051 |
PEOPLE TO GET BACK IN LATER. _Please_ read and try to understand the |
|
1052 |
rules before you put them to use in a production environment. |
|
1053 |
||
1054 |
(I hate all caps too, but the "boldface" button on my keyboard is |
|
1055 |
jammed :-). |
|
1056 |
||
1057 |
The "hacker" mentioned above does not need to be a computer criminal |
|
1058 |
in a far-off country looking to crash your machines. This individual |
|
1059 |
could be someone in accounting that is (without malicious intent) |
|
1060 |
connecting to an Internet IRC server, when this doesn't fit in the |
|
1061 |
security policy you're trying to implement. If you don't read and |
|
1062 |
understand the rules Mason spits out, you may very well leave an |
|
1063 |
explicit opening for this user's future IRC use. |
|
1064 |
||
1065 |
One more time: Mason _does_ _not_ understand the traffic flowing |
|
1066 |
through your firewall; it just creates the rules that you can later |
|
1067 |
use to specifically allow or disallow this traffic. This is why it is |
|
1068 |
a good idea to delete any rules that look even vaguely suspicious. If |
|
1069 |
it turns out these rules are needed for normal operation, they will be |
|
1070 |
relearned when you restart Mason. |
|
1071 |
||
1072 |
||
1073 |
4.9. Masquerading |
|
1074 |
||
1075 |
One of the common uses for Linux firewalling is to act not only as a |
|
1076 |
packet filter but also as a masquerading host, allowing multiple |
|
1077 |
machines to share a single IP address. |
|
1078 |
||
1079 |
As of Mason 0.13.0, Mason will automatically masquerade traffic from |
|
1080 |
RFC 1918 (also called "reserved") addresses. Since you probably don't |
|
1081 |
want to masquerade between internal lans, you need to list all the |
|
1082 |
interfaces leading _out_ to the real world (_not_ the interfaces that |
|
1083 |
use these reserved addresses). |
|
1084 |
||
1085 |
||
1086 |
4.10. Offline and non-root creation |
|
1087 |
||
1088 |
If you are especially cautious, you might not want Mason actively |
|
1089 |
creating rules on your production server. Or maybe you think you've |
|
1090 |
created a good firewall, but keep getting log messages and don't know |
|
1091 |
how to keep your log files from filling your disk. Or perhaps your |
|
1092 |
CPU can't keep up. Or maybe you just don't trust Mason's author - no |
|
1093 |
offense taken :-). In all of the above circumstances, Mason can |
|
1094 |
create the commands without actually being fed the log messages live. |
|
1095 |
For example, if you have packet logging entries in /var/log/messages, |
|
1096 |
try this: |
|
1097 |
||
1098 |
______________________________________________________________________ |
|
1099 |
cat /var/log/messages | grep ' I=' | DOCOMMAND="none" mason <Enter> |
|
1100 |
______________________________________________________________________ |
|
1101 |
||
1102 |
||
1103 |
||
1104 |
The output can, of course, be tee'd, redirected to a file, piped to |
|
1105 |
less, etc. "... | sort | uniq" can be useful too when you're not |
|
1106 |
converting it live. |
|
1107 |
||
1108 |
Obviously, the source file can be one that has been transferred from |
|
1109 |
another machine. |
|
1110 |
||
1111 |
There is one caveat to the offline approach. The specific case is |
|
1112 |
when one has a "deny" or "reject" policy in place for the input |
|
1113 |
logging rule. Let's say I try to telnet through the firewall. My |
|
1114 |
packet arrives at the firewall, is stopped and logged (so Mason can |
|
1115 |
successfully create the correct input rule later). The firewall never |
|
1116 |
has a rule implemented that allows me to get any further than that, |
|
1117 |
however, so there is never a log entry created for any of the |
|
1118 |
remaining 5 packet checks. |
|
1119 |
||
1120 |
One way around this might be to use a policy of "accept" on your |
|
1121 |
logging rules while you're creating /var/log/messages for later |
|
1122 |
consumption by Mason. I'm not saying this is appropriate for you, but |
|
1123 |
might be one way to handle this. Be warned; this can create very |
|
1124 |
large log files as every packet passing through the system can create |
|
1125 |
6 log entries! |
|
1126 |
||
1127 |
One final use for this technique is creating the rules when you're not |
|
1128 |
root. Simply edit /etc/masonrc to set DOCOMMAND="NO" and the script |
|
1129 |
will still output the appropriate ipfwadm/ipchains commands but won't |
|
1130 |
try to execute them, allowing non-root users to create the firewall |
|
1131 |
rules. Note that you still need to be root long enough to turn on |
|
1132 |
some kind of logging, or /var/log/messages will never contain any |
|
1133 |
entries to convert. Root privileges are also required to implement |
|
1134 |
the rules once you've created them. |
|
1135 |
||
1136 |
||
1137 |
||
1138 |
4.11. /etc/services and special ports |
|
1139 |
||
1140 |
Mason converts the protocol number and type (i.e. 53, udp) into the |
|
1141 |
more common name (domain, in this example). It uses the /etc/services |
|
1142 |
file to do make this conversion. Before you start, make sure all the |
|
1143 |
protocols you will work with are listed there. If a particular |
|
1144 |
protocol is not in that file, Mason will have serious problems |
|
1145 |
producing accurate rules. |
|
1146 |
||
1147 |
Having this entry is especially important if you are working with |
|
1148 |
services whose ports are >= 1024 (nfs, X, squid, irc, vdolive, etc.). |
|
1149 |
If a service >= 1024 is not found in /etc/services, it will be |
|
1150 |
automatically (and incorrectly) generalized to the port range of |
|
1151 |
1024-65535. If your favourite service isn't in there, simply edit the |
|
1152 |
file and add it in the same format as the other entries. |
|
1153 |
||
1154 |
These services whose ports are >=1024 can occasionally show up in your |
|
1155 |
rules where Mason should have used 1024:65535 instead. Well, you know |
|
1156 |
how to fix this, right? Just delete the rule, add the service to |
|
1157 |
/etc/services, and relearn it. |
|
1158 |
||
1159 |
The entries in /etc/services should only be for well-known server |
|
1160 |
ports. Client ports (which are usually just random ports between 1024 |
|
1161 |
and 65535 anyways) should not be listed in here. The specific example |
|
1162 |
of something that should be missing is the ssh client port. |
|
1163 |
||
1164 |
If you plan to do the conversion on one machine and actually run the |
|
1165 |
firewall on another, make sure all of the protocols used are listed in |
|
1166 |
the /etc/services on both machines. |
|
1167 |
||
1168 |
The authoritative source for these ports is the Internet Assigned |
|
1169 |
Numbers Authority (IANA). A list of these ports can be found at: |
|
1170 |
ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers . Mason |
|
1171 |
includes what seems to be an even more up-to-date reference; see |
|
1172 |
/var/lib/mason/nmap-services. Many thanks to the authors of nmap. |
|
1173 |
||
1174 |
||
1175 |
4.12. Insert vs. append |
|
1176 |
||
1177 |
Ipfwadm has two ways of adding rules: at the beginning of the rule |
|
1178 |
list using insert ("-i"), or at the end of the list using append |
|
1179 |
("-a"). The usual way of creating the firewall is to flush the |
|
1180 |
existing rules and then add each of the rules using append so they |
|
1181 |
will be scanned in the same order in which they were implemented. For |
|
1182 |
this reason, the rules that Mason spits out to stdout use "append" so |
|
1183 |
they can easily be put in a shell script. |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1184 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1185 |
Mason needs some way to tell the kernel to not log already logged |
1186 |
packets anymore. The way to do this is to put a matching rule before |
|
1187 |
the logging rule. Unfortunately, that means one of two things: |
|
1188 |
deleting the logging rule at the end, implementing the new rule at the |
|
1189 |
end, and reinstating the logging rule, or simply inserting the new |
|
1190 |
rule at the top of the list. The first option is tricky to do well. |
|
1191 |
It's also a bad choice because the user using Mason may not be logging |
|
1192 |
everything, so mason doesn't know what logging rule to reinstate. |
|
1193 |
That leaves using "-i" to insert the rule at the very top of the list. |
|
1194 |
||
1195 |
The end effect is that the rules that Mason displays use "-a" to match |
|
1196 |
how that would be put into a rule file, but the rules that are |
|
1197 |
actually implemented while Mason is running use "-i" to avoid |
|
1198 |
relogging those packets again in this Mason run. |
|
1199 |
||
1200 |
The major side effect of this approach is that the rule set in memory |
|
1201 |
as Mason is running is almost certainly _not_ in the order you'd want. |
|
1202 |
The final firewall rule set you put in place should flush whatever is |
|
1203 |
in memory before starting so as to clean out these incorrectly ordered |
|
1204 |
rules. |
|
1205 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1206 |
As ipchains and iptables support additional user defined chains, we |
1207 |
can throw all the temporary rules in user defined chains (called |
|
1208 |
inputN, outputN, and forwardN; the "N" stands for Nolog). These |
|
1209 |
chains get called just before the logging rules. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1210 |
|
1211 |
||
1212 |
4.13. Allow versus deny and reject |
|
1213 |
||
1214 |
During the course of a Mason run, it's quite reasonable that the |
|
1215 |
firewall creator might want to spend some time working with traffic |
|
1216 |
types that he/she wants to allow, and then switch over to other |
|
1217 |
traffic types that he/she wants to reject or deny (see man ipfwadm for |
|
1218 |
the subtle difference between deny and reject). If you change any |
|
1219 |
settings by choosing "Change Settings" in mason-gui-text, it will |
|
1220 |
automatically signal a running Mason to re-read its configuration |
|
1221 |
file. You can do the same if running mason manually by typing |
|
1222 |
"killall -USR1 mason". |
|
1223 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1224 |
Changing the target of a single rule to Accept, Deny, Reject, or |
1225 |
Masquerade can be done right in the menu under that rule without |
|
1226 |
having to go back to the main menu and changing the global settings. |
|
1227 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1228 |
|
1229 |
4.14. Input, Output, and Forwarding |
|
1230 |
||
1231 |
To implement packet filtering, the Linux kernel needs to inspect each |
|
1232 |
packet at at least one of the following three times: when the packet |
|
1233 |
enters the system, as it passes through the system on the way to its |
|
1234 |
exit interface, and as it leaves the system. |
|
1235 |
||
1236 |
At each of those three times, the kernel can decide to allow or |
|
1237 |
deny/reject the packet. The rules can be different at each stage - |
|
1238 |
it's perfectly legal to, for example, allow it in, allow it to be |
|
1239 |
forwarded, but then block it at the last second before it leaves the |
|
1240 |
system. |
|
1241 |
||
1242 |
A simple firewall could be implemented using just, say, input |
|
1243 |
rules(*). It's when you get complex firewalls that having rules at |
|
1244 |
all three stages is useful. You might want to allow hosts from eth0 |
|
1245 |
to get to a pop-3 server on eth1, but not allow hosts from eth2 to get |
|
1246 |
to the same server. This kind of restriction might be impossible to |
|
1247 |
do without forwarding rules, especially if eth2 hosts _should_ be |
|
1248 |
allowed to get to a pop-3 server on eth0. |
|
1249 |
||
1250 |
For simpler firewalls, or if you want less than the imposing grandeur |
|
1251 |
of a firewall ruleset that goes on for pages and pages, Mason can |
|
1252 |
accomodate you. If you just want input rules, add the following to |
|
1253 |
/var/lib/mason/baserules : |
|
1254 |
||
1255 |
______________________________________________________________________ |
|
1256 |
if [ -f /proc/net/ip_fwchains ]; then |
|
1257 |
/sbin/ipchains -A forward -j ACCEPT |
|
1258 |
/sbin/ipchains -A output -j ACCEPT |
|
1259 |
elif [ -f /proc/net/ip_input ]; then |
|
1260 |
/sbin/ipfwadm -F -a accept |
|
1261 |
/sbin/ipfwadm -O -a accept |
|
1262 |
fi |
|
1263 |
______________________________________________________________________ |
|
1264 |
||
1265 |
||
1266 |
||
1267 |
Place any general traffic types you don't care about in baserules. |
|
1268 |
||
1269 |
Please note that I am _not_ advocating the above, but pointing out |
|
1270 |
that the technique is available for those that feel the reduced |
|
1271 |
security is appropriate for them. |
|
1272 |
||
1273 |
(*) The exceptions to this are the special rules for redirecting |
|
1274 |
packets (which must be done as an input rule), and masquerading |
|
1275 |
packets, (which must be done as a forwarding rule). Even in the cases |
|
1276 |
where you wish to use these facilities, it's still legal to implement |
|
1277 |
packet filtering using another rule type. |
|
1278 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1279 |
Please note that the above does not apply to iptables. In iptables, |
1280 |
packets are not inspected multiple times in multiple chains. |
|
1281 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1282 |
|
1283 |
4.15. Remote firewall creation - Telnet/ssh lockout |
|
1284 |
||
1285 |
If you're creating this firewall rule set and you're telnetting, |
|
1286 |
ssh'ing, or rsh'ing (collectively, "telnetting") in to the firewall, |
|
1287 |
be careful. Some of the first rules to be created will be for the |
|
1288 |
telnet packet flow you're using. If you are so unfortunate as to |
|
1289 |
start this process with a policy of deny, guess what packet flow will |
|
1290 |
be stopped almost immediately? That's right, your telnet session(s). |
|
1291 |
Your machine will be completely locked down with no way to remotely |
|
1292 |
reach it. (Now where were my car keys? <grrrr>) |
|
1293 |
||
1294 |
If you want to put the rules allowing your remote access before |
|
1295 |
starting Mason, great. If not, just make sure that your startup |
|
1296 |
policy is allow or it's remote reboot time! Logging in on any of the |
|
1297 |
console's virtual terminals does not require TCP/IP packets, so you |
|
1298 |
can never lock yourself out completely. |
|
1299 |
||
1300 |
You did read the section above on "simulating the working environment |
|
1301 |
under controlled conditions", didn't you? Are you still sure you want |
|
1302 |
to be creating a firewall not directly under your control? Just a |
|
1303 |
thought... |
|
1304 |
||
1305 |
||
1306 |
4.16. Ack flag |
|
1307 |
||
1308 |
Let's look at some standard rules that allows a telnet connection to a |
|
1309 |
server somewhere (these are only two of the 6 possible rules). |
|
1310 |
||
1311 |
allow LAN_IP's, ports 1024-65535 -> Outside_world_IP's, port 23 |
|
1312 |
allow Outside_world_IP's, port 23 -> LAN_IP's, ports 1024-65535 |
|
1313 |
||
1314 |
||
1315 |
||
1316 |
It looks pretty safe, right? Hmmm.... |
|
1317 |
||
1318 |
Let's say that one of your LAN machines runs a squid server. This |
|
1319 |
sits waiting for connections on port 3128. Additionally, consider the |
|
1320 |
possibility that the root user on some Outside_world_IP machine writes |
|
1321 |
some program that starts a connection _from_ port 23. This user |
|
1322 |
starts this program and connects to your LANs squid server. |
|
1323 |
||
1324 |
All with your firewalls full consent. Ugh. |
|
1325 |
||
1326 |
The way to avoid this problem is to be able to identify the |
|
1327 |
_direction_ in which the connection is created. We want to allow |
|
1328 |
connections that start _from_ LAN:1024-65535 _to_ Outside:23, but |
|
1329 |
block connections that start _from_ Outside:23 _to_ LAN:1024-65535. |
|
1330 |
||
1331 |
The TCP ACK flag comes to the rescue. The first packet in a |
|
1332 |
connection does _not_ have this flag set. Every packet after the |
|
1333 |
first _does_ have this flag set. If we require all packets coming |
|
1334 |
from the server port have their ACK flag set, we can stop the bogus |
|
1335 |
connection from port 23 back to port 3128. |
|
1336 |
||
1337 |
In short, by requiring all packets from a server port have their ACK |
|
1338 |
flag set, we block connections that originate from those server ports. |
|
1339 |
||
1340 |
Three notes. Only TCP uses ACK flags, so we can't use this to control |
|
1341 |
the direction in which icmp or udp conversations are initiated. |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1342 |
Secondly, DNS may be a problem. Tcp domain transfers and large dns |
1343 |
requests can be from port 53 to port 53, depending on what dns |
|
1344 |
software you're using. FTP-data connections do not have their ACK |
|
1345 |
flag set because they can be created in either direction. Finally, |
|
1346 |
there may be issues from ssh low ports if /etc/services has entries up |
|
1347 |
near 1023. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1348 |
|
1349 |
Mason is able to automatically set the ack flag if your /etc/services |
|
1350 |
lists all of the services you use. |
|
1351 |
||
1352 |
I specifically avoided the "-b" (bidirectional) flag so that I could |
|
1353 |
use "-k" to control the direction. |
|
1354 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1355 |
Iptables uses the state of the connection as a more dependable way of |
1356 |
handling the above problem. I'd generally encourage you to use the |
|
1357 |
"-m state --state ESTABLISHED,RELATED" lines in baserules. If you do, |
|
1358 |
then Mason hands you a single rule for any given type of traffic; the |
|
1359 |
opening packet. The ESTABLISHED,RELATED lines handle all the other |
|
1360 |
packets. |
|
1361 |
||
1362 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1363 |
|
1364 |
4.17. Limitations, Ideas and future enhancements |
|
1365 |
||
1366 |
||
1367 |
o group foreign machines into additional rule? (Document how.) |
|
1368 |
||
1369 |
o Document the living hell of NFS. |
|
1370 |
||
1371 |
||
1372 |
5. Configuring Mason |
|
1373 |
||
1374 |
Most of the configuration is set via environment variables. For |
|
1375 |
permanent changes, try |
|
1376 |
||
1377 |
______________________________________________________________________ |
|
1378 |
export VARIABLE=value |
|
1379 |
______________________________________________________________________ |
|
1380 |
||
1381 |
||
1382 |
||
1383 |
For one time settings, just put the variables on the command line just |
|
1384 |
before calling the program. For example: |
|
1385 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1386 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1387 |
______________________________________________________________________ |
1388 |
tail -f --lines=0 /var/log/messages | ECHOCOMMAND=ipchains mason |
|
1389 |
______________________________________________________________________ |
|
1390 |
||
1391 |
||
1392 |
||
1393 |
If you set a variable both on the command line and in /etc/masonrc, be |
|
1394 |
warned that /etc/masonrc wins. |
|
1395 |
||
1396 |
||
1397 |
o ECHOCOMMAND=ipchains|ipfwadm|none #Autodetected if unset or invalid |
|
1398 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1399 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1400 |
Which kind of command should Mason display? This does _not_ have |
1401 |
to match the firewalling in the current kernel; this lets you |
|
1402 |
create an ipfwadm firewall ruleset on an ipchains kernel and vice- |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1403 |
versa. (Remember that iptables can't take part in this cross- |
1404 |
creation.) |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1405 |
|
1406 |
The following two commands will spit out an ipfwadm firewall and an |
|
1407 |
ipchains firewall, respectively, from the same input: cat |
|
1408 |
/var/log/messages | grep ' L=' | ECHOCOMMAND=ipfwadm mason |
|
1409 |
>ipfwadm-wall cat /var/log/messages | grep ' L=' | |
|
1410 |
ECHOCOMMAND=ipchains mason >ipchains-wall |
|
1411 |
||
1412 |
Both kinds of firewall log entries have L= in them; this is a |
|
1413 |
reasonably good filter to keep Mason from having to process _all_ |
|
1414 |
the junk entries. |
|
1415 |
||
1416 |
||
1417 |
o DOCOMMAND=ipchains|ipfwadm|none #Autodetected if unset or invalid |
|
1418 |
||
1419 |
||
1420 |
Which kind of command should Mason run to prevent that type of |
|
1421 |
traffic from being logged in the future? Set to none if you're |
|
1422 |
processing the log entries later, or on another machine. |
|
1423 |
||
1424 |
Unless you're forcing it to "none", probably best to let Mason |
|
1425 |
autodetect. |
|
1426 |
||
1427 |
||
1428 |
o HEARTBEAT=yes|no |
|
1429 |
||
1430 |
If yes, mason displays a "." or "-" when it processes an input line |
|
1431 |
that has been handled by one of the recently implemented rules. |
|
1432 |
The heartbeat character is sent to stderr so it doesn't screw up |
|
1433 |
logging to a file or piping to some other program. |
|
1434 |
||
1435 |
o DYNIF="ppp0 sl0" |
|
1436 |
||
1437 |
If your machine has interfaces whose entries change IP address, put |
|
1438 |
the interface name(s) in quotes, separated by spaces. Mason will |
|
1439 |
handle these interfaces specially by handing you a line that will |
|
1440 |
assign that interfaces IP address to an environment variable when |
|
1441 |
executed, and uses that variable throughout the ruleset. |
|
1442 |
||
1443 |
If your Ethernet IP address is assigned via DHCP, BOOTP, or RARP, |
|
1444 |
_and_ _changes_ from time to time, you might even want to put your |
|
1445 |
Ethernet interface name(s) in the list. If the addresses are |
|
1446 |
assigned via one of those tools, but _never_ _change_ (those |
|
1447 |
protocols are supposed to try to give you the same address you had |
|
1448 |
last time if at all possible), don't put the Ethernet interface(s) |
|
1449 |
in there. |
|
1450 |
||
1451 |
Make sure you re-run your firewall ruleset (or at least the rules |
|
1452 |
with dynamic IP entries) when the address changes. For ppp |
|
1453 |
interfaces, restart your firewall inside /etc/ppp/ip-up. I think |
|
1454 |
DHCP has a similar ability to run commands when the address |
|
1455 |
changes; consult the DHCP documentation. |
|
1456 |
||
1457 |
The main documentation for all the configurable fields is conveniently |
|
1458 |
in /etc/masonrc . |
|
1459 |
||
1460 |
||
1461 |
6. IP protocols and their firewall characteristics |
|
1462 |
||
1463 |
6.1. Standard TCP and UDP protocols |
|
1464 |
||
1465 |
Most of the connections made in tcp/ip follow a standard form. The |
|
1466 |
client machine picks a random port between 1024 and 65535. The |
|
1467 |
packets are sent to a fixed, known port that's below 1024. |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1468 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1469 |
For example, I need to send an email message from mybox.office.com to |
1470 |
mailserver.office.com. Since email goes to tcp port 25 (see |
|
1471 |
/etc/services for some of these), the tcp/ip code on mybox picks a |
|
1472 |
random tcp port, such as 1931. Packets flow from mybox port 1931 to |
|
1473 |
port 25 on mailserver. Packets also flow back from mailserver port 25 |
|
1474 |
to mybox port 1931. |
|
1475 |
||
1476 |
Here are some of the protocols that follow this form: |
|
1477 |
||
1478 |
o 23/TCP - telnet |
|
1479 |
||
1480 |
o 25/TCP - SMTP |
|
1481 |
||
1482 |
o 80/TCP - HTTP |
|
1483 |
||
1484 |
o 110/TCP - POP3 |
|
1485 |
||
1486 |
o 143/TCP - IMAP |
|
1487 |
||
1488 |
o 512/UDP - BIFF |
|
1489 |
||
1490 |
||
1491 |
6.2. ICMP |
|
1492 |
||
1493 |
ICMP doesn't use source and destination ports, but it has icmp codes |
|
1494 |
and subcodes, each a number between 0 and 15. |
|
1495 |
||
1496 |
||
1497 |
6.3. DNS |
|
1498 |
||
1499 |
If the firewall or one of the machines behind it is a DNS server, you |
|
1500 |
have a situation where mason issues a steady flow of DNS requests to |
|
1501 |
resolve the machine names and each DNS request requires a new rule, |
|
1502 |
which in turn requires more DNS requests... ugh. |
|
1503 |
||
1504 |
Mason no longer does DNS lookups on machines involved in DNS lookups. |
|
1505 |
If you have the names and IP addresses of your DNS servers, add them |
|
1506 |
to /etc/hosts. |
|
1507 |
||
1508 |
||
1509 |
6.4. FTP |
|
1510 |
||
1511 |
Ahhh, yes, ftp. The scourge of firewall creators everywhere. |
|
1512 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1513 |
If you're using iptables, have the ip_conntrack_ftp module loaded and |
1514 |
have uncommented the "-m state --state ESTABLISHED,RELATED" lines in |
|
1515 |
baserules, the problem I'm about to describe does not apply to you. |
|
1516 |
Since iptables is a stateful firewall, this problem has been solved in |
|
1517 |
an elegant and now hassle-free way. |
|
1518 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1519 |
Ftp starts off well because the client opens a connection from a high |
1520 |
port (1024-65535) to the ftp control port 21. This part of the |
|
1521 |
connection follows the same model as other tcp protocols: client uses |
|
1522 |
a random high port and connects to a fixed low port. |
|
1523 |
||
1524 |
The problem arises when it's time to actually transmit data. The |
|
1525 |
client and server exchange directory listings and files over |
|
1526 |
additional tcp connections that are between a random high port at the |
|
1527 |
client end and a random high port at the server end. |
|
1528 |
||
1529 |
Remember that packet filtering firewalls depend on being able to |
|
1530 |
identify connections by their (fixed and generally low) server port. |
|
1531 |
Here we have connections that need to be allowed if ftp is going to |
|
1532 |
work, but can't be identified this way. |
|
1533 |
||
1534 |
It really comes down to a choice: does the firewall allow ftp traffic |
|
1535 |
(leaving at least one high to high rule which is a generally |
|
1536 |
considered a security risk), or do we block ftp? You'll need to |
|
1537 |
decide. |
|
1538 |
||
1539 |
Mason creates these rules as transparently as any others. It opens up |
|
1540 |
the ports for the control channel and the high to high rule (called |
|
1541 |
the data channel). A single ftp connection could therefore open 12 |
|
1542 |
rules. You'll need to decide whether these high to high rules are too |
|
1543 |
much of a security risk. |
|
1544 |
||
1545 |
If you do choose to open up ftp rules, you might want to do these |
|
1546 |
last. This allows you to put in more specific rules first. |
|
1547 |
||
1548 |
||
1549 |
6.5. Netbios |
|
1550 |
||
1551 |
For those hoping to come here for a simple set of rules for |
|
1552 |
firewalling netbios, sorry. This one is all over the map. |
|
1553 |
||
1554 |
Mason comes in really handy for netbios because it works with whatever |
|
1555 |
netbios throws at it. The netbios ports are 135, 137, 138, and 139 - |
|
1556 |
both tcp and udp. Connections can be from one of these low ports to |
|
1557 |
itself, from a high port to one of these ports, or from a high port to |
|
1558 |
a high port. |
|
1559 |
||
1560 |
In short, good luck trying to do this without Mason. |
|
1561 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1562 |
By the way, allowing netbios traffic in from and out to the Internet |
1563 |
may be a very bad idea. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1564 |
|
1565 |
||
1566 |
6.6. NTP |
|
1567 |
||
1568 |
NTP is one of the few protocols that uses the same port at both the |
|
1569 |
client and server end. In this case, it is port 123/udp. |
|
1570 |
||
1571 |
||
1572 |
6.7. SSH |
|
1573 |
||
1574 |
SSH (server port 22/tcp) has one minor note about its operation. When |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1575 |
installed by root (setuid), it may not use a random high port between |
1576 |
1024 and 65535 for the client end. The first client session may use |
|
1577 |
port 1023, the next uses 1022, etc. No real problem for Mason, but |
|
1578 |
you might be surprised at the client ports used. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1579 |
|
1580 |
These client ports should NOT be listed in /etc/services, even though |
|
1581 |
it might seem to make identification easier. The reason is that Mason |
|
1582 |
uses this file to identify _server_ ports in the process of deciding |
|
1583 |
whether to use the ACK flag check. |
|
1584 |
||
1585 |
6.8. Other IP protocols |
|
1586 |
||
1587 |
The other protocols, such as ipip, igmp, ospf, etc (see |
|
1588 |
/etc/protocols), don't use port numbers. For this reason, Mason only |
|
1589 |
creates rules between individual machines for these. |
|
1590 |
||
1591 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1592 |
7. Version summary (out of date, sorry) |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1593 |
|
1594 |
||
1595 |
o 0.9.0 |
|
1596 |
||
1597 |
_Lots_ of good new stuff. Mason handles log entries from ipchains |
|
1598 |
or ipfwadm automatically. The command it runs can be either an |
|
1599 |
ipchain or ipfwadm command, and it can output either an ipchain or |
|
1600 |
ipfwadm command. All independently. See the ECHCOMMAND=... and |
|
1601 |
DOCOMMAND=... parameters, above. |
|
1602 |
||
1603 |
_Major_ speedup! Keep reading lines until the 7th-13th fields are |
|
1604 |
different from the previous line; this probably quadruples Mason's |
|
1605 |
throughput or better. Bonus points to the readers who can read |
|
1606 |
morse code from the heartbeat output... Oh, and I added heartbeat |
|
1607 |
output to show that Mason hasn't just crashed. :-) |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1608 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1609 |
Mason handles interfaces whose IP address changes automatically; |
1610 |
see the DYNIF=... parameter, above. |
|
1611 |
||
1612 |
Note: additional ipchains fields are: |
|
1613 |
||
1614 |
L=Total length |
|
1615 |
S=TOS |
|
1616 |
I=ip->id? |
|
1617 |
F=Fragment offset |
|
1618 |
T=TTL |
|
1619 |
||
1620 |
||
1621 |
||
1622 |
||
1623 |
o 0.8.0 |
|
1624 |
||
1625 |
-k added to control the direction in which connections are made. |
|
1626 |
Unfortunately, the ftp-data port doesn't honor the simple rule for |
|
1627 |
-k; I suspect this is a consequence of PASV vs. "active?" ftp |
|
1628 |
opening the data connection in one direction of the other. Hmmm... |
|
1629 |
This was released to the world as 0.7.9. |
|
1630 |
||
1631 |
||
1632 |
o 0.7.0 |
|
1633 |
||
1634 |
(6/21/98) 20% speed improvement by changing read command. Local |
|
1635 |
name cache added. On the fly policy changing. Comments. Major |
|
1636 |
documentation updates. Another 20% performance improvement by |
|
1637 |
replacing some sed's with bash internal pattern deletion. 6% more |
|
1638 |
by using ${#..} instead of wc --bytes to size strings. Cut time |
|
1639 |
necessary to process non-firewall lines in third by using && |
|
1640 |
instead of -a. |
|
1641 |
||
1642 |
||
1643 |
o 0.6.0 |
|
1644 |
||
1645 |
(6/4/98) Documentation added |
|
1646 |
||
1647 |
||
1648 |
o 0.5.0 |
|
1649 |
||
1650 |
(6/2/98) Bare code, almost no documentation, ipfwadm support only. |
|
1651 |
8. Advanced scenarios |
|
1652 |
||
1653 |
8.1. General approach |
|
1654 |
||
1655 |
Once you've gone through the Quick Start, what now? Now we learn how |
|
1656 |
to use this to match your security policy. |
|
1657 |
||
1658 |
The first lesson to learn about packet filtering rules is that they |
|
1659 |
are only useful if you have a mix of accept and deny (equivalent to |
|
1660 |
reject in this discussion) rules. Think about it. If all of your |
|
1661 |
rules are allow rules and your default policy is also allow, this |
|
1662 |
setup is no different from having no rules at all; the system is |
|
1663 |
completely open. |
|
1664 |
||
1665 |
At the other end of the spectrum, if all of your rules are deny and |
|
1666 |
the default policy is also deny, well, it's going to be pretty hard to |
|
1667 |
use TCP/IP at all. :-) |
|
1668 |
||
1669 |
This means that putting a firewall together involves deciding what |
|
1670 |
should be allowed _and_ what should not be allowed. |
|
1671 |
||
1672 |
The first thing for you to decide is what your default policy should |
|
1673 |
be. In the next few minutes we'll be looking at what you specifically |
|
1674 |
want to allow and what you specifically want to disallow. What should |
|
1675 |
the firewall do with the rest of the packets? That depends on how you |
|
1676 |
view your firewall. |
|
1677 |
||
1678 |
If you primarily want your firewall to block a relatively small amount |
|
1679 |
of malicious things, but want users on both sides of the firewall to |
|
1680 |
have relatively unencumbered access to the opposite side, you'd |
|
1681 |
probably want to use a default policy of accept. This tends to be a |
|
1682 |
good choice in the case where there are a large number of types of |
|
1683 |
TCP/IP traffic that should be allowed to pass through the firewall. |
|
1684 |
||
1685 |
If, on the other hand, you tend more toward the paranoid and want very |
|
1686 |
fine grained control over _exactly_ what passes through your firewall, |
|
1687 |
you'll probably want to use a default policy of deny. This tends to |
|
1688 |
work well when there are a relatively small number of protocols that |
|
1689 |
should be allowed. |
|
1690 |
||
1691 |
Choosing a policy becomes difficult when you want fine grained control |
|
1692 |
but there are a large number of protocols used by your users. You'll |
|
1693 |
still choose a default policy of deny, but you'll have to create a |
|
1694 |
large number of rules to accomodate them. Good thing you've got Mason |
|
1695 |
to give you a hand! |
|
1696 |
||
1697 |
Now that you've chosen a policy, what goes next? Here's where you can |
|
1698 |
become an artist. |
|
1699 |
||
1700 |
With the help of Mason, your job is to decide what should be allowed |
|
1701 |
and what should not be allowed. |
|
1702 |
||
1703 |
[More to be added as time allows...] |
|
1704 |
||
1705 |
||
1706 |
8.2. Ordering rules |
|
1707 |
||
1708 |
Here are a couple of guidelines about how to order your rules. I |
|
1709 |
refer to policy below; for this discussion, there are 6 possible |
|
1710 |
policies: accept, deny, reject, accept and log, deny and log, and |
|
1711 |
reject and log. |
|
1712 |
||
1713 |
As there is no way that input rules and output rules could ever |
|
1714 |
overlap, the rulesets for those can be considered seperately. The |
|
1715 |
same logic holds true for input and forwarding and output and |
|
1716 |
forwarding. Effectvely, even though you might have them all mixed |
|
1717 |
together in your firewall creation shell script, you can work with the |
|
1718 |
input rules according to the principles below, then come back and work |
|
1719 |
with the forwarding rules, and then come back one last time for the |
|
1720 |
output rules. |
|
1721 |
||
1722 |
||
1723 |
o I suggest placing dns (also called domain; port 53/tcp and 53/udp) |
|
1724 |
rules at the top of your firewall if you're using the default mode |
|
1725 |
of HOSTLOOKUP=FULL. The other rules in your firewall may require |
|
1726 |
dns lookups; if those requests can't get through because the dns |
|
1727 |
rules aren't in place yet, the early rules may not get put in |
|
1728 |
place. |
|
1729 |
||
1730 |
o If your ruleset contains a block of 2 or more rules with the same |
|
1731 |
policy (accept, deny, or reject) that immediately follow each |
|
1732 |
other, the order of the rules in that block has no functional |
|
1733 |
difference to the operation of the firewall. If you are very |
|
1734 |
concerned about performance, you might want to put the rules that |
|
1735 |
process the largest number of packets at the top of this block and |
|
1736 |
the rules that process the least number of packets near the bottom |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1737 |
of this block. See the SORTMODE option in /etc/masonrc (not |
1738 |
available in iptables). |
|
1739 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1740 |
o If two consecutive rules do not have any overlapping cases in the |
1741 |
patterns they match, they can appear in either order without |
|
1742 |
affecting the operation of the firewall. As long as no two rules |
|
1743 |
in the set overlap, this can be extended to a set with more than |
|
1744 |
two rules. |
|
1745 |
||
1746 |
o If two rules overlap in the patterns they match and have different |
|
1747 |
policies, they _cannot_ be reordered without affecting the |
|
1748 |
functional operation of the firewall. Specifically, the packets in |
|
1749 |
the overlapping case will have their policy changed. |
|
1750 |
||
1751 |
o If two consecutive rules have the same policy and one is subset of |
|
1752 |
the other, the more specific rule can be discarded and the more |
|
1753 |
general rule can be kept without affecting the functional operation |
|
1754 |
of the firewall. |
|
1755 |
||
1756 |
One common case of this is when your default policy is, say, |
|
1757 |
accept, and the last rule just before the default policy rule also |
|
1758 |
has a policy of accept. This more specific rule (not the policy, |
|
1759 |
of course) can be discarded. |
|
1760 |
||
1761 |
o Your default policy always comes at the end. |
|
1762 |
||
1763 |
I've referred to discarding rules above. One reason why you might |
|
1764 |
_not_ want to discard a particular rule rule is when you're using your |
|
1765 |
firewall to do accounting as well as blocking. You might want to be |
|
1766 |
able to have seperate accounting for the packet traffic in the rule |
|
1767 |
that would have been discarded. |
|
1768 |
||
1769 |
||
1770 |
8.3. Tips and tricks |
|
1771 |
||
1772 |
The following are tools and techniques I use. They may not be |
|
1773 |
appropriate for you. Please consider whether they are appropriate for |
|
1774 |
you before using them. |
|
1775 |
||
1776 |
||
1777 |
o If you want to see which rules in your running firewall are |
|
1778 |
actually carrying traffic, try this: |
|
1779 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1780 |
|
1781 |
||
1782 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1783 |
___________________________________________________________________ |
1784 |
( ipfwadm -lenI ; ipfwadm -lenF ; ipfwadm -lenO ) | grep -v '^ *0 *0 ' | less -S |
|
1785 |
___________________________________________________________________ |
|
1786 |
||
1787 |
||
1788 |
or |
|
1789 |
||
1790 |
______________________________________________________________________ |
|
1791 |
ipchains -L -n -x -v | grep -v '^ *0 *0 ' | less -S |
|
1792 |
______________________________________________________________________ |
|
1793 |
||
1794 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1795 |
or |
1796 |
||
1797 |
______________________________________________________________________ |
|
1798 |
iptables -L -n -x -v | grep -v '^ *0 *0 ' | less -S |
|
1799 |
______________________________________________________________________ |
|
1800 |
||
1801 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1802 |
|
1803 |
The "grep -v ..." removes all packets with 0's in the count and bytes |
|
1804 |
columns. |
|
1805 |
||
1806 |
If the number of rules returned is still too large, flush the firewall |
|
1807 |
and restart it; this clears out all the packet counts. Then you can |
|
1808 |
rerun whatever test you've been doing and run the above command again |
|
1809 |
to see what rules are carrying your traffic. This is especialy useful |
|
1810 |
if you've got a deny rule somewhere blocking a certain connection: |
|
1811 |
||
1812 |
______________________________________________________________________ |
|
1813 |
( ipfwadm -lenI ; ipfwadm -lenF ; ipfwadm -lenO ) | grep -v '^ *0 *0 ' | less -S |
|
1814 |
______________________________________________________________________ |
|
1815 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1816 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1817 |
or |
1818 |
||
1819 |
______________________________________________________________________ |
|
1820 |
ipchains -L -n -x -v | grep -v '^ *0 *0 ' | egrep '(Chain|target|DENY|REJECT)' | less -S |
|
1821 |
______________________________________________________________________ |
|
1822 |
||
1823 |
||
1824 |
||
1825 |
o If you don't want to go through the above process, but just want to |
|
1826 |
convert a few log entries to rules, you can do the feed yourself. |
|
1827 |
For example: |
|
1828 |
||
1829 |
___________________________________________________________________ |
|
1830 |
tail --lines=1000 /var/log/messages | grep 'kernel.*I=' | DOCOMMAND="none" mason >afewrules |
|
1831 |
___________________________________________________________________ |
|
1832 |
||
1833 |
||
1834 |
||
1835 |
Any other options can be placed on the command line or in |
|
1836 |
/etc/masonrc. |
|
1837 |
||
1838 |
o If you want rules that will run under ipfwadm and ipchains kernels, |
|
1839 |
you have two good choices. Create ipfwadm rules no matter what |
|
1840 |
kind of kernel you have (put ECHOCOMMAND="ipchains" in /etc/masonrc |
|
1841 |
or on the command line). The first choice is to use the ipfwadm- |
|
1842 |
wrapper (part of the ipchains-scripts package) as a front end to |
|
1843 |
either ipfwadm or ipchains, as appropriate. The second choice is |
|
1844 |
to take all of the ipfwadm rules and create the following file as |
|
1845 |
your real firewall: |
|
1846 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1847 |
|
1848 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1849 |
___________________________________________________________________ |
1850 |
if [ -f /proc/net/ip_fwchains ]; then |
|
1851 |
#Convert your ipfwadm rules to ipchains rules and place the converted rules here. |
|
1852 |
/sbin/ipchains... |
|
1853 |
elif [ -f /proc/net/ip_input ]; then |
|
1854 |
#Place your ipfwadm rules here: |
|
1855 |
/sbin/ipfwadm.... |
|
1856 |
fi |
|
1857 |
___________________________________________________________________ |
|
1858 |
||
1859 |
||
1860 |
||
1861 |
The above conversion is actually darn simple: |
|
1862 |
||
1863 |
______________________________________________________________________ |
|
1864 |
cat ipfwadmfile | ipfwadm2ipchains >ipchainsfile |
|
1865 |
______________________________________________________________________ |
|
1866 |
||
1867 |
||
1868 |
||
1869 |
The ipfwadm2ipchains script is available at |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1870 |
http://www.stearns.org/i2i/ . This site also holds ipchains2iptables, |
1871 |
a similar script that gives a first pass output in iptables format |
|
1872 |
from a given ipchains firewall. Note that this output won't use any |
|
1873 |
of the advanced features of iptables, but you can add these. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1874 |
|
1875 |
o If you have a number of interfaces that all get the same rules, |
|
1876 |
replace the if0, if1, if2, etc rules with if+ . I believe this is |
|
1877 |
ipchains only. |
|
1878 |
||
1879 |
o (Diald users only). The packets leaving your system on sl+ (or |
|
1880 |
tap+) may have different source addresses (0.0.0.0/32, some dummy |
|
1881 |
ip address, an old ppp address...). You might want to replace them |
|
1882 |
with 0/0 to say I don't care what the source address is. |
|
1883 |
||
1884 |
o To see what program is using a particular port, try: |
|
1885 |
||
1886 |
___________________________________________________________________ |
|
1887 |
ps axf | grep "^ *`fuser port_number/proto | awk '{print $2}'` " |
|
1888 |
___________________________________________________________________ |
|
1889 |
||
1890 |
||
1891 |
||
1892 |
||
1893 |
9. Notes about Mason itself |
|
1894 |
||
1895 |
9.1. File descriptions |
|
1896 |
||
1897 |
||
1898 |
||
1899 |
||
1900 |
COPYING |
|
1901 |
The GNU General Public License. |
|
1902 |
||
1903 |
Makefile |
|
1904 |
Used in packaging and distribution. |
|
1905 |
||
1906 |
baserules |
|
1907 |
The baserules file is one of two files that hold your firewall |
|
1908 |
rules. baserules holds the rules that you've checked over and |
|
1909 |
are sure should be part of your final firewall. |
|
1910 |
||
1911 |
baserules.sample |
|
1912 |
A few possible rules for use as a starting point. |
|
1913 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1914 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1915 |
firewall |
1916 |
The boot time script for use in /etc/rc.d/init.d. |
|
1917 |
||
1918 |
index.html |
|
1919 |
The Mason web page. |
|
1920 |
||
1921 |
mason |
|
1922 |
The actual mason script. |
|
1923 |
||
1924 |
mason-gui-text |
|
1925 |
The rudimentary interface to running Mason and building a |
|
1926 |
firewall. |
|
1927 |
||
1928 |
mason-gui-text.1 |
|
1929 |
man page for mason-gui-text. |
|
1930 |
||
1931 |
mason.1 |
|
1932 |
man page for mason. |
|
1933 |
||
1934 |
mason.html |
|
1935 |
The primary documentation for the package, in hypertext. |
|
1936 |
||
1937 |
mason.lsm |
|
1938 |
The Linux Software Map entry. |
|
1939 |
||
1940 |
mason.sgml |
|
1941 |
The primary documentation for the package. The sgml format is |
|
1942 |
designed to allow easy conversion to more readable formats. |
|
1943 |
||
1944 |
mason.spec |
|
1945 |
The RPM spec file. |
|
1946 |
||
1947 |
mason.txt |
|
1948 |
The primary documentation for the package, in a flat text file. |
|
1949 |
||
1950 |
masonlib |
|
1951 |
A library of functions used by a number of the other files. |
|
1952 |
||
1953 |
masonrc |
|
1954 |
The main configuration file. There are intelligent defaults for |
|
1955 |
all of these fields. |
|
1956 |
||
1957 |
moreservices |
|
1958 |
The services file I use, good as a reference if you don't |
|
1959 |
recognize a protocol. |
|
1960 |
||
1961 |
nmap-services |
|
1962 |
The additional services file includes with the nmap tool. An |
|
1963 |
even better reference. |
|
1964 |
||
1965 |
newrules |
|
1966 |
newrules is the other file that holds firewall rules. It holds |
|
1967 |
rules created by mason that you haven't looked over yet. Think |
|
1968 |
about what would happen if you were port scanned while Mason was |
|
1969 |
running; if you only had one file to hold rules, all of these |
|
1970 |
portscan rules you don't want would be mixed in with the rules |
|
1971 |
you do want. |
|
1972 |
||
1973 |
An important note - rules in newrules are not part of your |
|
1974 |
regular firewall - they are only used during the learning |
|
1975 |
process. This is why you need to merge rules from newrules to |
|
1976 |
baserules once you're sure of them. |
|
1977 |
||
1978 |
||
1979 |
||
1980 |
||
1981 |
10. Additional resources |
|
1982 |
||
1983 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1984 |
o http://www.netfilter.orgNetfilter/iptables for 2.4.x kernels. |
1985 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1986 |
o http://www.rustcorp.com/linux/ipchains Linux IP firewalling chains |
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
1987 |
for 2.2.x kernels. |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
1988 |
|
1989 |
o http://ipmasq.cjb.net The Linux IP Masquerade Resource. |
|
1990 |
||
1991 |
o http://www.xos.nl/linux/ Experts in Open Systems; specifically, Jos |
|
1992 |
Vos, one of the firewall code authors. |
|
1993 |
||
1994 |
o http://metalab.unc.edu/linux/HOWTO/HOWTO-INDEX-3.html The Linux |
|
1995 |
HOWTO index, part of the: |
|
1996 |
||
1997 |
o http://metalab.unc.edu/linux/ Linux Documentation Project. |
|
1998 |
||
1999 |
o http://metalab.unc.edu/linux/HOWTO/mini/IP-Masquerade.html The IP |
|
2000 |
Masquerade HOWTO. Useful information on ipfwadm and masquerading. |
|
2001 |
||
2002 |
o http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html David |
|
2003 |
Ranch's excellent networking resource. Check out the "Trinity OS" |
|
2004 |
document and the IP Masquerade Howto, co-authored with Ambrose Au. |
|
2005 |
Both are comprehensive documents about Linux networking - well |
|
2006 |
worth reading. |
|
2007 |
||
2008 |
||
2009 |
11. Authors, credits, feedback, copyright, how to help! |
|
2010 |
||
2011 |
Once again, the linux kernel and firewall developers deserve all the |
|
2012 |
credit. Mason is simply a front end to a fast, powerful, stable |
|
2013 |
firewall implementation in the linux kernel. Many thanks to all the |
|
2014 |
linux firewall developers. |
|
2015 |
||
2016 |
The name "Mason" comes from two sources; first of all, it builds a |
|
2017 |
(fire)wall. Second, it's my nephew's name. Mason lives in Brooklyn |
|
2018 |
with my sister and her husband and my niece Eve. He's a great guy! |
|
2019 |
||
2020 |
||
2021 |
If you have comments, suggestions, problems, ideas, flames, patches, |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2022 |
whatever, I'd like to hear them. I'd even be interested in hearing |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2023 |
where Mason fell short for your needs. My permanent email address is |
2024 |
wstearns@pobox.com. The permanent web site for the software is |
|
2025 |
http://www.pobox.com/~wstearns/mason/. |
|
2026 |
||
2027 |
Jeff Licquia has kindly offered to package up Mason into a Debian |
|
2028 |
package. The Debian requirements are helping to make a better program |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2029 |
for all distributions. |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2030 |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2031 |
Jens Knudsen wrote nicerules, a wrapper script for Mason. It's a |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2032 |
simple script that takes the "newrules" output, sorts and orders the |
2033 |
firewall rules in a way that makes it easier to review security, and |
|
2034 |
produces a "standalone" firewall script and a firewall.disable script. |
|
2035 |
The script probably has many "bugs", use it as an aid, but don't blame |
|
2036 |
him for any problems it may cause you. There is more information in |
|
2037 |
the actual script which is also heavily commented. Have fun. |
|
2038 |
||
2039 |
If you choose to send me actual mason firewall rules and choose to |
|
2040 |
hide the IP addresses and/or networks for security reason, that's |
|
2041 |
fine, but please replace them with something that describes their |
|
2042 |
general use so I can make sense of them. For example: |
|
2043 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2044 |
|
2045 |
||
2046 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2047 |
______________________________________________________________________ |
2048 |
cat myrules | sed -e 's@11.22.33.44/32@fw-outside@' \ |
|
2049 |
-e 's@192.168.1.1/32@fw-inside@' \ |
|
2050 |
-e 's@192.168.1.0/24@inside-net@' \ |
|
2051 |
>myrules.mailable |
|
2052 |
______________________________________________________________________ |
|
2053 |
||
2054 |
||
2055 |
- or something like that. |
|
2056 |
||
2057 |
There are a number of things you can do to help this project: |
|
2058 |
||
2059 |
o Send in bug reports. |
|
2060 |
||
2061 |
o Send in suggestions or fixes. |
|
2062 |
||
2063 |
o Organize the documentation. |
|
2064 |
||
2065 |
o Design a logo. |
|
2066 |
||
2067 |
o Take over the announcement process. |
|
2068 |
||
2069 |
o Help integrate Mason into your distribution. Heck, just letting me |
|
2070 |
know under which distributions Mason works is helpful! |
|
2071 |
||
2072 |
o Organize the Web site into a more useful resource. |
|
2073 |
||
2074 |
o Set up mailing lists for developers, announcements, and users. |
|
2075 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2076 |
The files in the Mason package are Copyright (c) 1998-2002 by William |
2077 |
Stearns wstearns@pobox.com or Jeff Licquia. They are released under |
|
2078 |
the GNU GPL, which is included in the package. If you did not recieve |
|
2079 |
a copy of this license, please contact the author for a copy (see the |
|
2080 |
top of the Mason script for contact information for the author and the |
|
2081 |
Free Software Foundation). |
|
2082 |
||
2083 |
William is also the author of buildkernel, the automated Linux |
|
2084 |
kernel builder, and other minor shell scripts. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2085 |
|
2086 |
||
2087 |
11.1. Thanks |
|
2088 |
||
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2089 |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2090 |
Chris Brenton deserves very special thanks for spending an evening |
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2091 |
with me discussing a number of questions I've had about packet |
2092 |
filtering. He was very kind to share his knowledge with me. I owe |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2093 |
him a pizza sometime. :-) |
2094 |
||
2095 |
Chris has written some excellent networking texts - I'm about halfway |
|
2096 |
through Mastering Network Security and am very impressed with the |
|
2097 |
writing and content: Multiprotocol Network Design & Troubleshooting, |
|
2098 |
Mastering Network Security. The above plug was not requested, but is |
|
2099 |
well deserved. |
|
2100 |
||
2101 |
Thanks to Nathan Bailey who took the time to remind me that there is a |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2102 |
Perl Module that's also called Mason. Thanks also to Jonathan |
2103 |
Swartz, the author of HTML::Mason who graciously agreed to share the |
|
2104 |
name and pointers with me. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2105 |
|
2106 |
Many thanks to Dave Stern, who has offered suggestions on how to |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2107 |
improve Mason and helped with beta testing early versions. Maybe |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2108 |
someday I'll tell him they were prerelease versions... :-) |
2109 |
||
2110 |
Thanks to all of the people who have sent in questions, bug reports, |
|
2111 |
fixes, improvements, and six foot long lizards. |
|
2112 |
||
2113 |
The new section of masonrc with a boatload of backdoor ports is |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2114 |
courtesy of the authors of and contributors to snort. Specifically, |
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2115 |
Nick Rogness, Jim Forster and Martin Markgraf are credited with the |
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2116 |
work on the ports - many thanks, guys. |
2117 |
||
2118 |
Snort can be found at http://www.snort.org. It's a really cool |
|
2119 |
intrusion detection tool. Thanks to Marty roesch@clark.net for the |
|
2120 |
tool. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2121 |
|
2122 |
A special thank you to all the authors in the Linux movement. In a |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2123 |
small way, the code I return to the community is my way of paying |
2124 |
back my incredible debt to the people who came before me. |
|
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2125 |
|
2126 |
As always, many thanks to my wife Debbie, who has shown amazing |
|
1.1.1
by Thomas Scheffczyk
Import upstream version 1.0.0 |
2127 |
patience with my Linux related projects. Many thanks, my love. |
2128 |
||
2129 |
||
2130 |
||
2131 |
||
2132 |
||
2133 |
||
2134 |
||
2135 |
||
2136 |
||
2137 |
||
2138 |
||
2139 |
||
2140 |
||
2141 |
||
2142 |
||
2143 |
||
2144 |
||
2145 |
||
2146 |
||
2147 |
||
2148 |
||
2149 |
||
2150 |
||
2151 |
||
1
by Jeff Licquia
Import upstream version 0.13.0.92 |
2152 |
|
2153 |
||
2154 |
||
2155 |
||
2156 |
||
2157 |
||
2158 |
||
2159 |
||
2160 |
||
2161 |
||
2162 |
||
2163 |
||
2164 |
||
2165 |
||
2166 |
||
2167 |
||
2168 |
||
2169 |
||
2170 |
||
2171 |
||
2172 |
||
2173 |
||
2174 |
||
2175 |
||
2176 |
||
2177 |
||
2178 |