Firewall Wizards mailing list archives

SECURITY: Mason 0.12.0, the free automated firewall builder


From: William Stearns <wstearns () pobox com>
Date: Fri, 2 Apr 1999 20:59:10 -0500 (EST)

Good day, all,
        This will just be a short announcement of a free/GPL tool that may
be of interest to anyone using or considering the use of Linux machines as
firewalls.

        Mason is a tool that helps create a custom Linux packet filtering
firewall.  One starts up Mason on the machine(s) that need to do packet
filtering, then does all the normal things that this network needs to
allow or deny.  Mason creates ipchains/ipfwadm rules that can be used in a
finished firewall.  It includes support files to provide a rudimentary
menu for building and a shell that implements the current firewall in SysV
boot scripts used in most Linux distributions.
        Mason is not for the user that wants a prebuilt firewall that
installs without effort.  A number of those are available on the Internet
already.  Mason is perfect for:
        - Someone trying to build a "default deny" firewall. *1
        - Someone that wants very tight control over exactly which
protocols are allowed in/out/through a machine.
        - Someone with a partial firewall that is having trouble coming up
with the right rules for a few tricky protocols.
        - Machines that don't match the design of the prebuilt firewalls. 
        - Implementing firewalls on routers _and_ individual workstations or
servers - machines that have typically lacked their own individual 
firewalls in the past.

*1 Also works well for "default allow"; during the training phase, you
teach Mason about all the protocols you want to _block_.  Or teach Mason
about both protocols to allow _and_ protocols to block.

Features support for:
        Ipfwadm and ipchains systems *2 (2.0.x-2.2.x kernels), preliminary
support for Cisco access-list output *2, ip, tcp, udp, icmp, support for
gre/ipip tunneling in testing, automatic generalization of client and
server port ranges *2, automatic generalization of client and server IP's
to match your routing table *2, ability to customize which protocols have
their client and server ip's generalized *2, networks where packets go out
on one interface and responses come back on another, any network device 
supported by Linux, interfaces with dynamic IP addresses *2, blocking all 
access to/from certain IP's or networks *2, blocking all incoming access to
certain protocols *2, automatic setting of TOS flag, automatic setting of
the ACK (Cisco: established) flag for all TCP protocols except ftp data
and high port-high port connections, runs on any Linux architecture, tars
and pgp signed rpms available, debian packages coming soon, written as 
bash shell scripts.
        Automatic recognition of the quirks in the following protocols:
ssh, nfs/sunrpc/mount (needs more testing), ftp, X, openwindows, vnc, irc,
traceroute, ip masquerading, realaudio, dns, syslog, netbios, ntp, coda.
Automatically handles the standard protocols such as http, smtp, nntp,
pop2/3, imap, https, telnet, etc.

*2 Customizable by a configuration file.


Requirements:
        Runs on any Linux distribution, any hardware architecture.  It
does require the following built into the Linux kernel: firewalling,
IP firewalling, firewall packet logging.  Most current distributions have 
these by default.  As with all Linux firewalls, the "always defragment" 
option is strongly recommended.
        The installation process does assume a SysV layout; Slackware
users may have to install the program files manually.

Limitations:
        The user interface is intentionally basic; I'm hoping someone will
step in and provide an ncurses or graphical interface.  It is, however,
quite functional.
        While Mason has basic support for the sunrpc, mount, and nfs
ports, these are hardwired in.  At some point I'll have to poll the sunrpc
port in a specified list of machines to provide more flexible support for
sunrpc services.

Closing:
        For all the features listed above, Mason does its work with almost
no user effort.  One just needs to leave it learning for a while, while you
run your standard programs.  Once the firewall is completed, you may even
wish to leave Mason running after telling it to make all new rules DENY or
REJECT rules; the new rules Mason gives out will tell you where someone
might be trying to break in, or where a legitimate user might be using a
new protocol.  You have the final say on the rules Mason provides; at any
point you can edit the rule files and delete or modify anything with which
you disagree.
        This is not a polished release; there are still some rough points.
Because of the large number of features recently added, the documentation
is lagging behind the code.  Feedback, suggestions, bug reports and
patches are welcome; please email them to
wstearns () pobox com  .
        Mason is provided under the GNU General Public License, and is
therefore provided at no cost.  The entire package, with the exception of 
the included nmap-services file, is Copyright (c) 1998-1999 by William
Stearns (wstearns () pobox com).
        The permanent URL for the software is
http://www.pobox.com/~wstearns/mason/  .  The RPM can also be downloaded 
from 
ftp://contrib.redhat.com/noarch/noarch/
        Cheers,
        - Bill

---------------------------------------------------------------------------
        "Toleration is an inner personal disposition, is a fundamental
requirement of being human and of living together in society . . .When
toleration becomes indifference, it is ruined."
        -- Van Ruler
(Courtesy of Tim Hawes <thawes () dma org>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com)
Mason, Buildkernel, and named2hosts are at: http://www.pobox.com/~wstearns
--------------------------------------------------------------------------
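As an added illustration of the learning step the announcement describes (this is not Mason's own code, which is not on this page): a small bash function that turns one packet logged during the learning phase into the ACCEPT rule for the request plus a reply rule requiring the ACK flag, with the ftp-data and high port-high port exceptions. The log line is the 2.2-kernel ipchains format; the addresses, ports, chain names and the choice to generalise client ports to 1024:65535 are assumptions.

```bash
#!/bin/bash
# Added example, not Mason's own code: a miniature of Mason's learning step.
# While learning, the firewall logs every packet it has no rule for; this
# turns one 2.2-kernel ipchains "Packet log:" line into the ACCEPT rule for
# the request plus a reply rule that requires the ACK flag ("! -y" in
# ipchains, i.e. not a bare SYN), skipped for ftp-data and high port-high
# port flows as the announcement describes. Addresses and ports are made up.

# Generalise an unprivileged (client) port to the whole 1024:65535 range;
# privileged server ports are kept exact.
gen_port() {
    if [ "$1" -ge 1024 ]; then echo "1024:65535"; else echo "$1"; fi
}

# learn_rule "<log line>": prints two ipchains commands; returns 1 for
# anything but tcp/udp (icmp log lines carry type.code, not ports).
learn_rule() {
    local line chain dev proto sip sport dip dport pname ack reply
    line=$1
    # Fields: Packet log: <chain> <target> <dev> PROTO=<n> <sip:sport> <dip:dport> ...
    set -f; set -- $line; set +f
    chain=$3; dev=$5; proto=${6#PROTO=}
    sip=${7%:*}; sport=${7##*:}; dip=${8%:*}; dport=${8##*:}
    case "$proto" in
        6)  pname=tcp ;;
        17) pname=udp ;;
        *)  return 1 ;;
    esac
    # Replies must carry ACK, unless this is ftp-data (the server opens the
    # connection from port 20) or both ends use high ports.
    ack=""
    if [ "$pname" = tcp ] && [ "$sport" -ne 20 ] && [ "$dport" -ne 20 ] \
       && { [ "$sport" -lt 1024 ] || [ "$dport" -lt 1024 ]; }; then
        ack="! -y "
    fi
    case "$chain" in input) reply=output ;; output) reply=input ;; *) reply=$chain ;; esac
    echo "ipchains -A $chain -i $dev -p $pname -s $sip $(gen_port "$sport") -d $dip $(gen_port "$dport") -j ACCEPT"
    echo "ipchains -A $reply -i $dev -p $pname $ack-s $dip $(gen_port "$dport") -d $sip $(gen_port "$sport") -j ACCEPT"
}

# Constructed sample: an inbound ssh connection logged during the learning phase.
learn_rule "Packet log: input DENY eth0 PROTO=6 192.168.1.5:1034 10.0.0.1:22 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)"
```

Feed it the "Packet log:" lines from the kernel log collected while the training DENY rule is in place; every logged flow yields its pair of rules, which you then review and keep or drop as the announcement suggests.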