Details
Mason is an interesting utility that takes a different approach to building firewall rules. Instead of making you specify every rule, Mason creates the rules by example: you use the network as normal, and Mason records rules that would let exactly that traffic through.
To build a strict rule set, set Mason to learning mode and start using the Internet services you want your firewall to allow. Mason learns the rules those services need, and then sets your Linux firewall to block everything except the services you 'taught' it. Keep in mind that the rule set is only as complete as the traffic Mason saw: any service you did not exercise during learning will be blocked once the default policy is changed to deny.
This is an extremely useful way for beginners (and experts!) to create strict firewall rules for ipchains or ipfwadm (the packet-filter interfaces of the Linux 2.2 and 2.0 kernels).
The installation is relatively straightforward.
Download and install
Download the rpm, deb, or source code package. Compile the source if needed, and install it:
rpm -Uvh mason-xxx.rpm (for rpm)
dpkg -i mason-xxx.deb (for deb)
make install (for the tar.gz package)
Services
Edit /etc/services and make sure the services you want to use are specified there (in modern Linux distributions this step is usually unnecessary).
Hosts
Edit /etc/hosts and add the following hosts and networks:
- Your localhost (the loopback address 127.0.0.1 and the local IP address)
- Special internal hosts
- Your DNS servers (whether they're internal or your ISP's)
- All your special networks (especially the internal network).
For example:
127.0.0.1 localhost
172.16.0.1 fwall-inside bastion bastion.mydomain.org
12.13.14.15 fwall-outside
172.16.0.0 INSIDE
12.13.14.0 OUTSIDE
12.13.16.10 myisp-dns1
12.13.16.11 myisp-dns2
12.13.14.44 ntp bonzo bonzo.mydomain.org
Masonrc
Edit /etc/masonrc and make the following changes:
- Change DYNIF to point to the dynamic interface (ppp0 if you are dialing up to the Internet, ippp0 if you're using ISDN, and an empty string if you have no dynamic interface)
- Make sure NEWRULEPOLICY, DEFAULTPOLICY and FLUSHEDPOLICY are all set to "accept" (this will be changed later)
Base rules
Edit /var/lib/mason/baserules to include any base rules you might need. For example, if you are using IP masquerading, make sure the first lines that already have special masquerading are uncommented.
Let Mason learn your rules
Launch mason-gui-text and tell Mason to start learning (type BL).
Now start using the services you want to allow through your firewall: WWW, e-mail, news, etc. Whenever you use a new service, Mason will try to 'understand' it and the screen will show when new rules are added.
After you're done, edit the new rules file to delete anything you don't need, and merge it with the main baserules file.
Change the default policy
Now that the rules are created, change the default policy to deny:
Edit /etc/masonrc and change DEFAULTPOLICY and FLUSHEDPOLICY to "deny".
Exit Mason, and your new firewall settings will kick in. Do this from the console or from a session that is already established, and re-test every service (including any remote administration path) before going further: anything that was not exercised during learning is now blocked. To activate the rules automatically at boot time, run ntsysv (under Red Hat) and enable the firewall service.
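To make concrete what "block everything except the services you taught Mason" looks like at the ipchains level, here is a hand-written default-deny rule set for the hosts and networks in the /etc/hosts example above. It is an added illustration, not Mason's own output or code: it allows DNS to the two ISP resolvers, HTTP out, NTP to bonzo, and masquerading for the inside network, and denies the rest. The interface names eth0/eth1 and the 172.16.0.0/16 mask are assumptions. The rules are printed for review by default and only loaded when APPLY=1 is set and ipchains is present.

```shell
#!/bin/sh
# Illustrative default-deny ipchains rule set (added example, not Mason output).
# Addresses and names come from the /etc/hosts example; interfaces and the
# inside netmask are assumptions.

INSIDE_IF=eth1            # assumption: inside interface (fwall-inside)
OUTSIDE_IF=eth0           # assumption: outside interface (fwall-outside)
INSIDE_NET=172.16.0.0/16  # assumption: INSIDE network mask
FW_OUT=12.13.14.15        # fwall-outside
DNS1=12.13.16.10          # myisp-dns1
DNS2=12.13.16.11          # myisp-dns2
NTP_SRV=12.13.14.44       # ntp / bonzo

# Emit one rule. With APPLY=1 and ipchains installed it is executed;
# otherwise it is printed so the set can be reviewed before it goes live.
rule() {
    if [ "${APPLY:-0}" = 1 ] && command -v ipchains >/dev/null 2>&1; then
        ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

build_rules() {
    # Flush, then deny by default (what DEFAULTPOLICY/FLUSHEDPOLICY="deny" means).
    rule -F
    rule -P input DENY
    rule -P output DENY
    rule -P forward DENY

    # Loopback is always needed.
    rule -A input -i lo -j ACCEPT
    rule -A output -i lo -j ACCEPT

    # Anti-spoofing: inside addresses must never arrive on the outside interface (-l logs it).
    rule -A input -i "$OUTSIDE_IF" -s "$INSIDE_NET" -j DENY -l

    # Inside network may talk to the firewall and be forwarded (masqueraded below).
    rule -A input  -i "$INSIDE_IF" -s "$INSIDE_NET" -j ACCEPT
    rule -A output -i "$INSIDE_IF" -d "$INSIDE_NET" -j ACCEPT

    # DNS to the ISP resolvers: query out from a high port, reply back from port 53.
    for dns in "$DNS1" "$DNS2"; do
        rule -A output -i "$OUTSIDE_IF" -p udp -s "$FW_OUT" 1024:65535 -d "$dns" 53 -j ACCEPT
        rule -A input  -i "$OUTSIDE_IF" -p udp -s "$dns" 53 -d "$FW_OUT" 1024:65535 -j ACCEPT
    done

    # HTTP out. ipchains is stateless, so replies are admitted by port range plus
    # "! -y" (no SYN flag), which stops outsiders opening connections to high ports.
    rule -A output -i "$OUTSIDE_IF" -p tcp -s "$FW_OUT" 1024:65535 -d 0/0 80 -j ACCEPT
    rule -A input  -i "$OUTSIDE_IF" -p tcp ! -y -s 0/0 80 -d "$FW_OUT" 1024:65535 -j ACCEPT

    # NTP to bonzo (UDP 123 both ways).
    rule -A output -i "$OUTSIDE_IF" -p udp -s "$FW_OUT" 123 -d "$NTP_SRV" 123 -j ACCEPT
    rule -A input  -i "$OUTSIDE_IF" -p udp -s "$NTP_SRV" 123 -d "$FW_OUT" 123 -j ACCEPT

    # Masquerade the inside network on the way out (the baserules masquerading lines).
    rule -A forward -i "$OUTSIDE_IF" -s "$INSIDE_NET" -j MASQ
}

# Print (or, with APPLY=1, load) the rule set.
build_rules
```

Everything an inside host can reach through the masquerade is limited to the same taught services, because the masqueraded packet leaves with source fwall-outside and must still match an output rule on eth0. A service you did not exercise during learning (say, SSH to the firewall from outside) has no rule here and falls through to the DENY policy, which is exactly the situation the console-access caveat above is about.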
Links
Mason was written by William Stearns and is available at: mason.stearns.org/