2. Introduction

"If you have not checked out Mason, I highly recommend it. Mason is a Linux based firewall, but none like you've ever used. In short, you put Mason into learning mode and run the services to the Internet you wish to support. Mason will then take these log entries and turn them into a set of packet filtering rules. Pretty cool eh? No ACK compliment rules to worry about, no "what was that service port again?" decisions to worry about, simply plug it in, let it learn and off you go. :)"
-- Chris Brenton, cbrenton@sover.net

The Mason script interactively builds a (fire)wall on a Linux machine. For more details about how this is done, please read on for background, theory of operation, a quick start, and additional documentation on firewalls and firewall gotchas.

mason.txt and related documentation should have been installed to /usr/doc/mason-{version}/ . If they are missing or you would like to make sure you have the latest version, please go to http://www.stearns.org/mason/ .

The impatient should go right to the Quickstart.

2.1 Background and motivation

The built-in firewall features of the Linux kernel offer a powerful set of packet filtering features that can be used to build a firewall. The various pieces of available documentation provide an introduction on how to configure the firewall for simple setups, but can't possibly explain how to configure a firewall for more complex setups, including fine-grained allow and deny lists. This is especially obvious when trying to create a firewall with a default policy of deny.

Someone looking to configure a Linux firewall is simultaneously hit with the complexity of trying to understand the ipfwadm syntax, trying to understand the structure of TCP/IP connections, and trying to create and implement a security policy. No wonder firewalls are daunting!

The Mason application attempts to handle the first two problems by dynamically creating the firewall based on the traffic flowing through it. For example, if you start up a telnet session through your firewall from a machine on your LAN to a machine out on the WAN while mason is running, mason will create all the rules necessary to allow this traffic.

Conversely, if you're looking to block incoming NFS requests, simply launch mason, select a "deny" or "reject" policy, and make the NFS connection. When the firewall is restarted, voila! No more incoming NFS.

Creating a firewall no longer requires understanding the ipfwadm, ipchains or iptables syntax. Even novices can create a firewall under Linux. _HOWEVER_, creating a _good_ firewall _still_ requires some understanding of TCP/IP protocols and packet filtering. Many good books cover this. Check out O'Reilly and Associates ( http://www.ora.com or http://www.oreilly.com ) for some excellent general coverage of firewall designs.

One last novice's mistake I'd like to see Mason users avoid is the false sense of security that a firewall can provide. _Truly_ securing a system or network requires _much_ more than simply filtering packets. The aforementioned books provide a great background in general security.

2.2 Basic theory of operation

Before starting, if the user has some rules that he or she knows should be used on this machine, these can be added to /var/lib/mason/baserules. As part of the process of running Mason, we'll add rules that log all other packets to /var/log/messages. The "tail" command is used to feed these log messages into Mason, which converts each log entry into the corresponding command necessary to allow that kind of traffic. In the previous telnet example, six different firewall rules would be created on the firewall: three for the original request packet and three for the response back from the server (just one or two in iptables firewalls):

pkt 1:  Allow telnet request in from LAN
pkt 1:  Forward request through firewall
pkt 1:  Allow request to exit to WAN
pkt 2:  Allow telnet response back into firewall from WAN
pkt 2:  Forward response through system
pkt 2:  Allow response to exit back to the original machine on the LAN.

All packets from 3 on are handled by these rules. There may be a short delay in the initial connection as the rules are created.

The script creates the actual ipfwadm/ipchains/iptables commands to accommodate the packet flow. When the command is executed, the new rule is inserted at the head of the existing rules so that future packets of this type no longer reach the logging rule at the bottom.

The rules are also echoed to the console so that you can see the rules as they are executed or redirect them to a file. This process is handled automatically by mason-gui-text.
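As an added illustration of the log-to-rule conversion described above (example code written for this page, not Mason's own script), the following Python turns constructed iptables LOG lines into the corresponding "iptables -I" commands, inserting each rule at the head of its chain ahead of the logging rule. The interface names, addresses, and the widening of ports >= 1024 to the unprivileged range are assumptions made for the illustration, not Mason's documented behaviour.

```python
import re

# KEY=value fields of a kernel iptables LOG line (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...).
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample log lines: the telnet request from the LAN (eth0) to the WAN (eth1),
# its response back, and a DNS query from the LAN to the firewall itself.
SAMPLE_LOG = """\
Jan  1 12:00:00 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=1025 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 12:00:00 fw kernel: IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=23 DPT=1025 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jan  1 12:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=1026 DPT=53 LEN=36
"""

def parse_log_line(line):
    """Return the fields of one LOG line as a dict, or None if the line is not a LOG line."""
    fields = dict(FIELD.findall(line))
    if not all(k in fields for k in ("IN", "OUT", "SRC", "DST", "PROTO")):
        return None
    return fields

def rule_for(fields, policy="ACCEPT"):
    """Build the iptables command for this packet class.  -I inserts the rule at the head of the
    chain, ahead of the catch-all logging rule, so the next packet of this kind is not logged again."""
    # Both interfaces set -> the packet was forwarded; only IN -> it was for the firewall; only OUT -> it came from it.
    chain = "FORWARD" if fields["IN"] and fields["OUT"] else ("INPUT" if fields["IN"] else "OUTPUT")
    parts = ["iptables", "-I", chain]
    if fields["IN"]:
        parts += ["-i", fields["IN"]]
    if fields["OUT"]:
        parts += ["-o", fields["OUT"]]
    proto = fields["PROTO"].lower()
    parts += ["-p", proto, "-s", fields["SRC"], "-d", fields["DST"]]
    if proto in ("tcp", "udp"):
        # Assumed simplification: a port >= 1024 is treated as an ephemeral client port and widened
        # to the unprivileged range so the rule covers the next connection; a well-known port stays exact.
        sport = fields["SPT"] if int(fields["SPT"]) < 1024 else "1024:65535"
        dport = fields["DPT"] if int(fields["DPT"]) < 1024 else "1024:65535"
        parts += ["--sport", sport, "--dport", dport]
    return " ".join(parts + ["-j", policy])

def rules_from_log(text, policy="ACCEPT"):
    """Turn every LOG line in text into a rule, emitting each distinct traffic class only once."""
    rules = []
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields:
            rule = rule_for(fields, policy)
            if rule not in rules:
                rules.append(rule)
    return rules
```

Calling rules_from_log(SAMPLE_LOG) yields two FORWARD rules for the telnet request and its response and one INPUT rule for the DNS query; passing policy="DROP" or "REJECT" produces the blocking variant described for NFS above.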

If any of this is unclear, take a look at the Quickstart which walks you through actually running it. It'll make more sense when you see it in action.

2.3 Compatibility and requirements

2.4 Features

Mason supports the following: (see the release notes for additional features)
