#WARNING - If you are upgrading from a previous version, the uncommented
#lines in your old masonrc have been appended to the end of this file.
#Please note that the NAMECACHE, NETCACHE, and SERVICES fields are no longer used.

#For instructions on how to set the parameters in this file, refer to
#mason.txt that came with this package; try looking in
#/usr/doc/mason-{version}/mason.txt or refer to
#http://www.pobox.com/~wstearns/mason/ . The only fields you must change
#are in the "Essential Settings" section immediately following. The other
#fields may be left unset; Mason will assign defaults for them. The defaults
#are generally used below, but see the documentation for more details.

#Please see mason.txt or http://www.pobox.com/~wstearns/mason/ for
#more information and copyright information.
# - William Stearns (wstearns@pobox.com)

# Reminder: this file is for system-wide defaults. If you wish to set
# something for this run only, simply set it on the command line just before
# calling mason. For example, putting DYNIF="ppp0" in this file has the same
# effect on this execution of the program as running
#     DYNIF="ppp0" mason
# If a field is set on the command line and in this file, this file wins - sorry.

# The fields at the top are the ones you're most likely to need to edit.

# The values in this script can be changed on the fly without having to stop
# and restart Mason; simply make your changes, save the file and run
#     killall -USR1 mason
# Mason will only reread this file when it receives this signal.
# To have Mason gracefully exit, run "killall -HUP mason".

#-----------------------------------------------------------
# Essential settings - please set these.
#-----------------------------------------------------------

#A quote-enclosed, space-separated list of interfaces that change IP address
#from time to time. Leave as "" if all addresses stay constant.
#See DYNIFMODE if you want to fine-tune how Mason handles these.
# Default: no dynamic interfaces, all have static addresses.
#DYNIF="ppp0"
#DYNIF=""

#What policy should mason use for upcoming rules?
#There is no default for this field. You must choose one of the following.
#NEWRULEPOLICY="accept"
#NEWRULEPOLICY="reject"
#NEWRULEPOLICY="deny"

#What should the default policy for your firewall be?
#There is no default for this field. You must choose one of the following.
#DEFAULTPOLICY="accept"
#DEFAULTPOLICY="reject"
#DEFAULTPOLICY="deny"

#What should the default policy for your system be when the firewall is flushed?
#There is no default for this field. You must choose one of the following.
#FLUSHEDPOLICY="accept"
#FLUSHEDPOLICY="reject"
#FLUSHEDPOLICY="deny"

#-----------------------------------------------------------
# Moderate likelihood you may wish to tune these, probably once.
#-----------------------------------------------------------

#DYNIFMODE sets what Mason does with interfaces that change IP address from
#time to time, such as network interfaces that use dhcp or dial-up links.
#If set to SMALLESTRANGE, Mason attempts to calculate the smallest IP network
#that contains all IP addresses seen so far for that interface. Probably the
#best choice. Actually, the best choice is to not use dynamic addresses on a
#firewall, but sometimes it's unavoidable. Note that this range only ever
#grows: once two widely separated addresses have been seen, the calculated
#network covers everything between them.
#SPECIFICIP instructs Mason to only allow a single IP for each interface.
#This is the most secure but also requires you to restart the firewall
#whenever the IP address changes.
#None of the above choices is permanent; there is a setting at the top of the
#firewall rule file that can be changed at any time.
# Default: SMALLESTRANGE
#DYNIFMODE="SMALLESTRANGE"
#DYNIFMODE="SPECIFICIP"

#BLOCKEDHOSTS is a space-separated list of machines that should not be able
#to communicate _at_ _all_ with this machine or through this machine. I'd
#reserve this for machines that have attacked your machines in the past.
#Use space-separated machine.name/32, 1.2.3.4/32, 1.2.3.0/24 or
#network/netmask format.
#This could also very reasonably be used to block all access to/from one of
#your own machines that is particularly sensitive and should only be allowed
#to communicate with other machines on its own subnet.
#_ALL_ communication of any sort that would normally pass in, out or through
#this firewall is cut off. _ALL_.
# Default: Empty
#BLOCKEDHOSTS=""

# "ipchains" = echo ipchains command to STDOUT, "ipfwadm" = echo ipfwadm
# command to STDOUT, "none" = don't echo either. Use "cisco" if you want
# Mason to spit out Cisco IOS access-list rules. Autodetected if not set at all.
# This is what you change if you want a different format in the output rule file.
# Default: Whatever this kernel supports.
#ECHOCOMMAND=""

# What should the IP address be converted to?
# network: the smallest network in the routing table that contains the address.
# host: the hostname or IP address for the machine
# none: leave IP address as is.
# custom: to be implemented.
# Dynamic IPs are replaced with ${ifNADDR} solely based on the value of DYNIF.
# Default: NETWORK
#IPCONV="HOST"
#IPCONV="NETWORK"
#IPCONV="NONE"
#IPCONV="CUSTOM"

#For any IP addresses not converted into a network or otherwise specially
#handled, should we leave them as IP addresses ("NONE"), convert them to host
#names if they're in /etc/hosts ("FILESONLY"), or use that file, then try a
#DNS lookup to get the name ("FULL")?
#Note that host names written into the rule file are looked up again each
#time the rules are loaded, so the firewall then depends on DNS answering
#correctly at boot; "NONE" keeps the rules free of that dependency.
# Default: FULL
#HOSTLOOKUP="NONE"
#HOSTLOOKUP="FILESONLY"
#HOSTLOOKUP="FULL"

#If you want a Mason firewall to automatically masquerade traffic from
#reserved (rfc1918) addresses, set AUTOMASQIF to a space-separated list of
#interfaces _to_ which this traffic might go. For example, if eth0 and eth2
#are using reserved addresses, and eth3 and ppp0 are your gateways to the
#outside world, you might set:
#AUTOMASQIF="eth3 ppp0"
#Do not simply set this to all your interfaces; that's a security risk.
#If you would rather handle this yourself, set it to "". If blank or not set
#at all, Mason will not automatically masquerade packets.
#This setting has no effect if the rule to be added is a REJECT or DENY rule.
#This is also not used in Cisco output.
#Don't forget to include any virtual interfaces such as shaperX (or ipsecX
#or cipeX?).
# Default: if unset, Mason will leave empty.
#AUTOMASQIF=""

#DOBEEP="YES": beep at user with each new rule, "NO": don't
# Default: YES
#DOBEEP="YES"

# "yes" = echo dot to STDERR when processing a repeat line, "no" = don't.
# Default: YES
#HEARTBEAT="YES"

#Use ANSI escape sequences to enhance display. Default YES.
#Set this to no if your terminal doesn't support ANSI colors, etc.
#USEANSI="YES"

# The range of ports considered to be IRC server ports.
# Default: 6666 to 6671
#IRC_BEGIN=6666
#IRC_END=6671

#The maximum number of X, Openwindows, or VNC consoles supported. The default
#setting of 6 allows for ports 6000-6005 if any X traffic is seen, 2000-2005
#if any Openwindows traffic is seen, 5800-5805 for any VNC Java traffic, and
#5900-5905 if any VNC traffic is seen.
# Default: 6
#MAXDISPLAYS=6

#If you only connect to a few (say 1-5) servers with a given protocol, add it
#to the following (SSP = Sparse Server Protocols) so that Mason will not
#generalize it to a network.
#Example: When you get your mail, you probably only connect to a few pop-3 or
#imap servers to get it. When you do a whois lookup, you probably only connect
#to a single machine.
#If only a few _client_ machines connect to a particular service, place the
#port in SCP (Sparse _Client_ Protocols).
#This feature does not differentiate between servers on your network and
#servers in the real world.
#A given protocol can be in both. These must be numeric.
#Warning: If you're running your own DNS server on this machine or on some
#machine behind it, do _not_ make Domain an SSP - leave it commented.
#DNS, NTP, syslog and the Netbios protocols may use the same port number for
#client and server. Declaring any of these as SSPs or SCPs will probably
#cause _both_ ends to be specific hosts.
#This can occasionally cause problems if the server in question has multiple
#machines with the same name and different IP addresses - ICQ has this problem.
# Default: both empty.
#SSP="${SSP} "
#SSP="${SSP} 9/icmp"  #Router advertisement (probably should be both an SCP and SSP)
#SSP="${SSP} 25/tcp"  #SMTP
#SSP="${SSP} 43/tcp"  #Whois
#SSP="${SSP} 53/tcp 53/udp"  #DNS/Domain - read note above
#Do NOT put DNS in SSP if you run a DNS server on the firewall or behind it.
#SSP="${SSP} 67/udp"  #BOOTP Server
#SSP="${SSP} 69/udp"  #TFTP Server
#SSP="${SSP} 88/tcp 88/udp"  #Kerberos: should 749:751/tcp and 749:751/udp be here too?
#SSP="${SSP} 109/tcp 110/tcp 143/tcp"  #POP and IMAP Email
#SSP="${SSP} 111/tcp 111/udp 635/tcp 635/udp 2049/tcp 2049/udp"  #NFS: Sunrpc, Mount, and NFS
#SSP="${SSP} 119/tcp"  #NNTP
#SSP="${SSP} 123/tcp 123/udp"  #NTP - read note above
#SSP="${SSP} 135/tcp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp"  #Netbios - read note above
#SSP="${SSP} 370/udp 2432/udp 2433/udp"  #Coda: codaauth2 codasrv codasrv-se
#SSP="${SSP} 389/tcp"  #LDAP
#SSP="${SSP} 514/udp"  #syslog
#SSP="${SSP} 515/tcp"  #Printer/LPD
#SSP="${SSP} 2064/tcp"  #RC5DES
#SSP="${SSP} 3128/tcp 3130/udp"  #Squid
#SSP="${SSP} 4000/udp"  #ICQ
#SSP="${SSP} 7100/tcp"  #xfs
#SSP="${SSP} 8080/tcp"  #Novell Border Manager/FastCache (thanks to Eric Hart for this port number)
#SSP="${SSP} 8765/tcp"  #search.cnn.com's search web server.
#SSP="${SSP} 12343/tcp"  #stats.hitbox.com

#SCP="${SCP} "
#SCP="${SCP} 9/icmp"  #Router advertisement (probably should be both an SCP and SSP)
#SCP="${SCP} 161/udp 162/udp"  #SNMP
#SCP="${SCP} 98/tcp"  #Linuxconf

#You probably have a number of internal services to which the outside world
#should not connect. List them here, space-separated. For the moment, these
#_must_ be number/protocol.
#Ruleshell will block access to these coming from any interface associated
#with a 0.0.0.0 route.
#You can create your own or simply uncomment any lines you want to block.
#Unlike the other operating parameters, Mason will not provide a default.
#Auth (113/tcp) is one you _might_ want to leave open (i.e., leave _commented_ below).
#I've included protocols that generally have some security implication if
#open to the outside world. You can use some, none, or all, and add anything
#else you don't want the world to see.
#Uncommenting service W below only means that people from the outside world
#can't get to your W servers; you can still make requests out to W servers on
#the Internet.
#DNS, NTP, syslog and the Netbios protocols may use the same port number for
#client and server. Leave these lines commented if you want to make outbound
#_client_ requests to these servers.
#You have the ability to block _entire_ protocols, such as tcp, udp, icmp,
#gre, anything in /etc/protocols. Most people should _not_ need to use this.
#In particular, you run a severe risk of violating a number of IP requirements
#by blocking all icmp packets (path MTU discovery in particular; see the note
#on 3.4/icmp under NOOUTGOING below). Also, the only available protocols for
#ipfwadm are tcp, udp, and icmp.
# Default: empty.
#NOINCOMING="${NOINCOMING} "  #put your favorites here...
#NOINCOMING="${NOINCOMING} 0/tcp 0/udp"  #Probably a good one to block
#NOINCOMING="${NOINCOMING} 7/tcp 7/udp"  #Echo
#NOINCOMING="${NOINCOMING} 8/icmp"  #Ping request
#NOINCOMING="${NOINCOMING} 15/tcp"  #Netstat
#NOINCOMING="${NOINCOMING} 20/tcp 21/tcp"  #FTP (FTP daemons can have buffer overflows)
#NOINCOMING="${NOINCOMING} 22/tcp"  #SSH
#NOINCOMING="${NOINCOMING} 22/udp 5631/tcp 5632/udp"  #PCAnywhere
#NOINCOMING="${NOINCOMING} 23/tcp"  #Telnet
#NOINCOMING="${NOINCOMING} 25/tcp"  #SMTP
#NOINCOMING="${NOINCOMING} 53/tcp 53/udp"  #DNS (tcp is for zone transfers; large requests too?)
#(BIND 53/tcp can have buffer overflows)
#NOINCOMING="${NOINCOMING} 67/udp"  #BOOTP Server
#NOINCOMING="${NOINCOMING} 69/udp"  #TFTP
#NOINCOMING="${NOINCOMING} 79/tcp"  #Finger
#NOINCOMING="${NOINCOMING} 80/tcp"  #Web (many attacks)
#NOINCOMING="${NOINCOMING} 87/tcp"  #link
#NOINCOMING="${NOINCOMING} 98/tcp"  #LinuxConf
#NOINCOMING="${NOINCOMING} 109/tcp 110/tcp 143/tcp"  #POP & IMAP mail (QPOP and IMAP may have buffer overflows)
#NOINCOMING="${NOINCOMING} 111/tcp 111/udp"  #Sunrpc
#NOINCOMING="${NOINCOMING} 113/tcp"  #Auth (NOTE: if enabled here, this protocol will be REJECTed rather than DENYed, so remote mailers and IRC servers doing ident lookups fail fast instead of waiting for a timeout)
#NOINCOMING="${NOINCOMING} 119/tcp"  #NNTP / Usenet news
#NOINCOMING="${NOINCOMING} 123/tcp 123/udp"  #NTP
#NOINCOMING="${NOINCOMING} 135/tcp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp"  #Netbios (137/udp and 139/tcp may be involved in attacks)
#NOINCOMING="${NOINCOMING} 161/udp 162/udp"  #SNMP
#NOINCOMING="${NOINCOMING} 177/tcp 177/udp"  #XDM X login (also used in GDM)
#NOINCOMING="${NOINCOMING} 443/tcp 563/tcp"  #Secure Web (443) and NNTP over SSL (563)
#NOINCOMING="${NOINCOMING} 512:514/tcp"  #Rexec, Rlogin, Rsh
#NOINCOMING="${NOINCOMING} 512/udp"  #biff
#NOINCOMING="${NOINCOMING} 513/udp"  #who
#NOINCOMING="${NOINCOMING} 514/udp"  #syslog
#NOINCOMING="${NOINCOMING} 515/tcp"  #LPD
#NOINCOMING="${NOINCOMING} 520/udp"  #Route / RIP
#NOINCOMING="${NOINCOMING} 540/tcp"  #UUCP
#NOINCOMING="${NOINCOMING} 554/tcp 7070/tcp 7071/tcp"  #RealAudio control ports
#NOINCOMING="${NOINCOMING} 635/tcp 635/udp"  #NFS Mount
#NOINCOMING="${NOINCOMING} 901/tcp"  #Swat (samba configuration)
#NOINCOMING="${NOINCOMING} 1080/tcp"  #Socks
#NOINCOMING="${NOINCOMING} 1080/tcp 1080/udp 8080/tcp 8080/udp"  #WinGate
#NOINCOMING="${NOINCOMING} 1433/tcp 3306/tcp 5432/tcp"  #SQL (mssql, mysql, postgresql)
#NOINCOMING="${NOINCOMING} 2000:2010/tcp 6000:6010/tcp"  #X and Openwindows
#NOINCOMING="${NOINCOMING} 2049/udp 2049/tcp"  #NFS
#NOINCOMING="${NOINCOMING} 3128/tcp 3130/udp"  #Squid web cache
#NOINCOMING="${NOINCOMING} 5135/udp"  #SGI (only, probably) object
#server
#NOINCOMING="${NOINCOMING} 5232/tcp"  #SGI (only, probably) distributed graphics
#NOINCOMING="${NOINCOMING} 7100/tcp"  #xfs (X Font server)
#NOINCOMING="${NOINCOMING} 8080/tcp"  #Novell Border Manager/FastCache (thanks to Eric Hart for this port number)
#NOINCOMING="${NOINCOMING} 32771/tcp 32771/udp"  #Sun RPC high port
#NOINCOMING="${NOINCOMING} 33434:33524/udp"  #traceroute
#NOINCOMING="${NOINCOMING} /tcp"  #(blank template - needs a port number before it is uncommented)
#NOINCOMING="${NOINCOMING} gre"  #_all_ gre protocol packets - just an example

#Backdoors
#NOINCOMING="${NOINCOMING} 31/udp 456/udp"  #Hacker's Paradise Backdoor
#NOINCOMING="${NOINCOMING} 555/tcp 555/udp"  #iNi Killer/Phase Zero/Stealth Spy Backdoor
#NOINCOMING="${NOINCOMING} 666/udp"  #Satanz Backdoor
#NOINCOMING="${NOINCOMING} 1001/udp"  #Silencer, WebEX Backdoors
#NOINCOMING="${NOINCOMING} 1170/udp"  #Psyber Stream Backdoor
#NOINCOMING="${NOINCOMING} 1234/udp"  #Ultors Trojan Backdoor
#NOINCOMING="${NOINCOMING} 1243/tcp 6776/tcp 27374/tcp"  #SubSeven Backdoor
#NOINCOMING="${NOINCOMING} 1245/udp"  #VooDoo Doll Backdoor
#NOINCOMING="${NOINCOMING} 1492/udp"  #FTP99cmp Backdoor
#NOINCOMING="${NOINCOMING} 1524/tcp 27665/tcp 27444/udp 31335/udp"  #Trin00 (thanks to pmfirewall)
#NOINCOMING="${NOINCOMING} 1600/udp"  #Shivka-Burka
#NOINCOMING="${NOINCOMING} 1807/udp"  #Spy Sender Backdoor
#NOINCOMING="${NOINCOMING} 1981/udp"  #ShockRave
#NOINCOMING="${NOINCOMING} 1999/udp"  #Back Door Backdoor
#NOINCOMING="${NOINCOMING} 2001/udp"  #Trojan Cow Backdoor
#NOINCOMING="${NOINCOMING} 2023/udp"  #Ripper Pro Backdoor
#NOINCOMING="${NOINCOMING} 2115/udp"  #Bugs Backdoor
#NOINCOMING="${NOINCOMING} 2140/udp"  #Deep Throat, The Invasor Backdoor
#NOINCOMING="${NOINCOMING} 2565/udp"  #Striker Backdoor
#NOINCOMING="${NOINCOMING} 2801/udp"  #Phineas Phucker Backdoor. Hey, I did _not_ name them.
#NOINCOMING="${NOINCOMING} 2989/udp"  #Rat backdoor
#NOINCOMING="${NOINCOMING} 3024/udp"  #WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 3150/udp"  #Deep Throat/Invasor Backdoor
#NOINCOMING="${NOINCOMING} 3700/udp"  #Portal Of Doom Backdoor
#NOINCOMING="${NOINCOMING} 4092/udp"  #WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 4950/udp"  #ICQ Trojan Backdoor
#NOINCOMING="${NOINCOMING} 5000/udp 5001/udp 50505/udp"  #Sockets De Troie Backdoor
#NOINCOMING="${NOINCOMING} 5321/udp"  #FireHotcker Backdoor
#NOINCOMING="${NOINCOMING} 5400:5402/udp"  #Blade Runner Backdoor
#NOINCOMING="${NOINCOMING} 5569/udp"  #Robo-Hack Backdoor
#NOINCOMING="${NOINCOMING} 5742/udp"  #WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 6670/udp"  #Deep Throat Backdoor
#NOINCOMING="${NOINCOMING} 6711/udp"  #Deep Throat/SubSeven Backdoor
#NOINCOMING="${NOINCOMING} 6969/tcp"  #GateCrasher Backdoor
#NOINCOMING="${NOINCOMING} 7000/udp"  #Remote Grab Backdoor
#NOINCOMING="${NOINCOMING} 7300:7308/udp"  #Net Monitor Backdoor
#NOINCOMING="${NOINCOMING} 7789/udp"  #ICKiller Backdoor
#NOINCOMING="${NOINCOMING} 9872/udp 10067/udp 10167/udp"  #Portal Of Doom Backdoor
#NOINCOMING="${NOINCOMING} 10752/tcp"  #Linux mountd backdoor
#NOINCOMING="${NOINCOMING} 11223/udp"  #Progenic Trojan Backdoor
#NOINCOMING="${NOINCOMING} 12223/udp"  #Hack99-Keylogger Backdoor
#NOINCOMING="${NOINCOMING} 12345:12346/tcp"  #Netbus/GabanBus NT trojan/Backdoor #udp too?
#(from pmfirewall)
#NOINCOMING="${NOINCOMING} 12361:12362/tcp"  #Whack-a-mole Backdoor
#NOINCOMING="${NOINCOMING} 16969/udp"  #Portal Of Doom/Priority Backdoor
#NOINCOMING="${NOINCOMING} 20000:20001/udp"  #Millenium Backdoor
#NOINCOMING="${NOINCOMING} 20034/udp"  #NetBus PRO Backdoor
#NOINCOMING="${NOINCOMING} 21544/udp 21554/tcp"  #Girlfriend Backdoor
#NOINCOMING="${NOINCOMING} 22222/udp"  #Prosiak Backdoor
#NOINCOMING="${NOINCOMING} 23456/tcp"  #EvilFTP Backdoor
#NOINCOMING="${NOINCOMING} 26274/udp"  #Delta Backdoor
#NOINCOMING="${NOINCOMING} 30100/tcp"  #NetSphere Backdoor
#NOINCOMING="${NOINCOMING} 30102/tcp"  #NetSphere FTP Backdoor
#NOINCOMING="${NOINCOMING} 31337/tcp"  #BIND Shell Backdoor
#NOINCOMING="${NOINCOMING} 31337:31338/udp"  #Back Orifice/Deep Back Orifice Backdoor
#NOINCOMING="${NOINCOMING} 31339/udp"  #NetSpy Backdoor
#NOINCOMING="${NOINCOMING} 31666/udp"  #BOWhack Backdoor
#NOINCOMING="${NOINCOMING} 28431/udp 31785/tcp 31787/tcp 31789/udp 31791/udp"  #Hackattack trojan
#NOINCOMING="${NOINCOMING} 33333/udp"  #Prosiak Backdoor
#NOINCOMING="${NOINCOMING} 34324/udp"  #Big Gluck/TelnetSrv Backdoor
#NOINCOMING="${NOINCOMING} 40412/udp"  #The Spy Backdoor
#NOINCOMING="${NOINCOMING} 40421:40423/udp 40426/udp"  #Masters Paradise Backdoor
#NOINCOMING="${NOINCOMING} 47262/udp"  #Delta Backdoor
#NOINCOMING="${NOINCOMING} 50776/udp"  #Fore Backdoor
#NOINCOMING="${NOINCOMING} 53001/udp"  #Remote Win Shutdown Backdoor
#NOINCOMING="${NOINCOMING} 61446/udp"  #TeleCommando Backdoor
#NOINCOMING="${NOINCOMING} 65000/udp"  #Devil

#Blackhole:
#If you want your machine to disappear - be basically undetectable from other
#hosts on the Internet - the following NOINCOMING and NOOUTGOING lines _might_
#be a good starting point onto which you can add the standard services you
#don't want to be seen. All of the following are listed above; this is just
#here for convenience.
#NOINCOMING="${NOINCOMING} 0/tcp 0/udp 7/tcp 7/udp 8/icmp 15/tcp 33434:33524/udp"
#NOOUTGOING="${NOOUTGOING} 0/icmp 3.0/icmp 3.1/icmp 3.2/icmp 3.3/icmp 3.5/icmp 3.6/icmp 3.7/icmp 3.8/icmp 3.9/icmp 3.10/icmp 3.11/icmp 3.12/icmp 3.13/icmp 3.14/icmp 3.15/icmp 9/icmp 11.0/icmp 11/icmp 18/icmp"

#NoTrojan:
#If you want all of the backdoors, uncomment the following line (all of the
#following are listed above; this is just here for convenience):
#NOINCOMING="${NOINCOMING} 31/udp 456/udp 555/tcp 555/udp 666/udp 1001/udp 1170/udp 1234/udp 1243/tcp 6776/tcp 27374/tcp 1245/udp 1492/udp 1524/tcp 27665/tcp 27444/udp 31335/udp 1600/udp 1807/udp 1981/udp 1999/udp 2001/udp 2023/udp 2115/udp 2140/udp 2565/udp 2801/udp 2989/udp 3024/udp 3150/udp 3700/udp 4092/udp 4950/udp 5000/udp 5001/udp 50505/udp 5321/udp 5400:5402/udp 5569/udp 5742/udp 6670/udp 6711/udp 6969/tcp 7000/udp 7300:7308/udp 7789/udp 9872/udp 10067/udp 10167/udp 10752/tcp 11223/udp 12223/udp 12345:12346/tcp 12361:12362/tcp 16969/udp 20000:20001/udp 20034/udp 21544/udp 21554/tcp 22222/udp 23456/tcp 26274/udp 30100/tcp 30102/tcp 31337/tcp 31337:31338/udp 31339/udp 31666/udp 28431/udp 31785/tcp 31787/tcp 31789/udp 31791/udp 33333/udp 34324/udp 40412/udp 40421:40423/udp 40426/udp 47262/udp 50776/udp 53001/udp 61446/udp 65000/udp"

#You may also have a few protocols that you definitely want to stop from ever
#leaving your firewall. For the moment, these can only be icmp_typecode/icmp
#or icmp_typecode.icmp_subcode/icmp. Not tcp, not udp, just icmp.
#ipfwadm cannot handle icmp subcodes - don't use them with ipfwadm.
#Uncommenting one or more of the following makes it harder for someone to map
#your network - but not impossible. Uncommenting them _may_ also contribute to
#delays in normal communications.
#NOOUTGOING="${NOOUTGOING} 0/icmp"  #Ping reply
#NOOUTGOING="${NOOUTGOING} 3.0/icmp"  #network-unreachable
#NOOUTGOING="${NOOUTGOING} 3.1/icmp"  #host-unreachable (path MTU discovery uses 3.4, noted below, not this one)
#NOOUTGOING="${NOOUTGOING} 3.2/icmp"  #protocol-unreachable
#NOOUTGOING="${NOOUTGOING} 3.3/icmp"  #port-unreachable
#3.4/icmp (Fragmentation needed and DF set) is _not_ a good one to block - it breaks path MTU discovery.
#NOOUTGOING="${NOOUTGOING} 3.5/icmp"  #source-route-failed
#NOOUTGOING="${NOOUTGOING} 3.6/icmp"  #network-unknown
#NOOUTGOING="${NOOUTGOING} 3.7/icmp"  #host-unknown
#NOOUTGOING="${NOOUTGOING} 3.8/icmp"  #source-host-isolated
#NOOUTGOING="${NOOUTGOING} 3.9/icmp"  #network-prohibited
#NOOUTGOING="${NOOUTGOING} 3.10/icmp"  #host-prohibited
#NOOUTGOING="${NOOUTGOING} 3.11/icmp"  #TOS-network-unreachable
#NOOUTGOING="${NOOUTGOING} 3.12/icmp"  #TOS-host-unreachable
#NOOUTGOING="${NOOUTGOING} 3.13/icmp"  #communication-prohibited
#NOOUTGOING="${NOOUTGOING} 3.14/icmp"  #host-precedence-violation
#NOOUTGOING="${NOOUTGOING} 3.15/icmp"  #precedence-cutoff
#NOOUTGOING="${NOOUTGOING} 9/icmp"  #Router advertisement
#NOOUTGOING="${NOOUTGOING} 11.0/icmp 11/icmp"  #Time exceeded
#NOOUTGOING="${NOOUTGOING} 18/icmp"  #Address mask reply

#If you do not already have EDITOR set in your environment, you can set it
#here. If it's not set in either place, Mason will try to find mcedit, pico,
#vi, jove, nedit, and emacs in your path.
# Default: try to find some of the standard ones.
#EDITOR="/usr/bin/mcedit -c "  #I like mine in color :-)

#The number of characters to display on a line. Leave enough space for a
#space at the end of the line.
# Default: 72
#LINELENGTH=72

#How should mason sort the newrulesfile?
# Default: PROTOCOL
#SORTMODE="NONE"  #This isn't implemented right now, and you wouldn't want it.
#SORTMODE="PROTOCOL"  #Group by protocol
#SORTMODE="PACKETCOUNTS"  #Put rules with the largest number of packets up top.

#MINMARK
#Mason can add mark numbers to ipchains rules. If you want to use the feature
#of adding packet counts to rules (for migrating the rules with the highest
#counts upwards) this must be set to some positive number.
#In order to make the mark values unique, Mason will raise this above any
#existing mark values.
# Default: do not set marks.
#MINMARK=32768

#When set to YES, Mason will generalize both the source and the destination
#ports to 61000-65096, 1024-65535, or 0-1023, but only if the packet is a
#tcp ack packet. This basically eliminates the ack rules by reducing them to
#just a few, rather than one for each protocol.
#My best understanding is that this generalization:
# - will reduce the number of rules in your firewall by about 30%.
# - will _probably_ _not_ increase the risk that someone can _make_ _a_
#   _connection_ that they could not have made before.
# - _will_ increase the risk that someone can map your internal network
#   ports even if they can't make connections to them (bare ACK packets to
#   those port ranges pass whether or not a connection exists, so an ACK
#   scan can tell which internal hosts and ranges the firewall forwards to).
#Use at your own risk. Default NO.
#GENERALIZETCPACK="YES"

#-----------------------------------------------------------
# Filenames
#-----------------------------------------------------------

#Location of runtime changeable files and configuration.
#Make sure you include the trailing slash.
# Default: "/var/lib/mason/"
#MASONDIR="/var/lib/mason/"

#This is the configuration file mason uses. It can be changed while Mason is
#running as long as the SIGUSR1 signal is sent to Mason afterwards.
#It's probably not a good idea to change the value of this variable on the fly.
#Setting this here is of dubious value - this is better set as a shell
#environment variable before running mason.
# Default: /etc/masonrc
#MASONCONF="/etc/masonrc"

#The support library of routines used by mason and mason-gui-text
# Default: "/var/lib/mason/masonlib"
#MASONLIB="${MASONDIR}masonlib"

#This field replaces the original NETCACHE file.
#Most people can leave this blank; if null, Mason populates it with the
#correct values. If you need Mason to use different networks, perhaps to run
#Mason on another machine, place triplets of the form
#"network-broadcast/netmask" in this variable, separating them with spaces.
#"network/netmask", "network/numbits" and "network-broadcast/numbits" are all legal:
#NETWORKS="172.16.0.0-172.16.255.255/255.255.0.0 192.168.11.0-192.168.11.255/255.255.255.0"
#NETWORKS="12.13.14.15/32 206.99.99.0/24 15.16.17.18/255.255.255.255 1.2.3.0-1.2.3.1/31"
#Please place the most specific entries _first_. If you have certain machines
#or subnets that need to be treated specially, place them here. If you set
#this at all, make sure you include _all_ networks this machine needs to
#recognize.
# Default: Mason automatically detects your existing network structure
#NETWORKS=""
#If you want Mason to add the networks known at run-time to any custom list
#of networks above, uncomment the following line:
#NETWORKS="${NETWORKS} RUNTIME.NETWORKS"

#BASERULEFILE="${MASONDIR}baserules"
#NEWRULEFILE="${MASONDIR}newrules"
#PACKETCOUNTFILE="${MASONDIR}packetcounts"

#All of the following are autodetected if not set.
#If you want to get an explicit listing of exactly what rules are used to
#create the boot time firewall, try:
#IPCHAINSBIN="echo /sbin/ipchains"
#and run
#/etc/rc.d/init.d/firewall start
#
#MASONEXE="/usr/bin/mason"
#MASONDECIDE="/usr/bin/mason-decide"
#IPFWADMBIN="/sbin/ipfwadm"
#IPCHAINSBIN="/sbin/ipchains"
#Note - ipnatctl is not used any more.
#IPNATCTLBIN="/usr/local/bin/ipnatctl"
#IPTABLESBIN="/usr/local/bin/iptables"
#MASONPIDFILE="/var/run/mason.pid"
#Default input file to tail.
#PACKETLOGFILE="/var/log/messages"
#Please note that the NAMECACHE, NETCACHE, and SERVICES fields are no longer used.

#-----------------------------------------------------------
# Low likelihood you'll need to change these
#-----------------------------------------------------------

# "ipchains" = actually run the ipchains command, "ipfwadm" = actually run
# the ipfwadm command, "none" = don't run either. "none" is useful if you're
# not running Mason as root or are running Mason on some machine other than
# the actual operating firewall.
# User can override either by simply setting the environment variable ahead
# of time.
# Default: Autodetected to match running kernel.
#DOCOMMAND="ipchains"
#DOCOMMAND="ipfwadm"
#DOCOMMAND="none"

#What policy should we use for logging?
# Default: same as NEWRULEPOLICY
#LOGGINGPOLICY="accept"
#LOGGINGPOLICY="reject"
#LOGGINGPOLICY="deny"

#The additional character added to the end of an ipchains chain name to
#indicate that it holds rules to block logging.
#Because of limitations on the length of chain names, NOLOGSUFFIX cannot be
#longer than 1 character. Don't use any character that might be the last
#character in a normal chain, like the "t" or "d" in inpu_t_, outpu_t_, or
#forwar_d_.
# Default: "N"
#NOLOGSUFFIX="N"

# "YES" to debug, anything else = don't
# Default: NO
#DEBUG="NO"

#Ports used as the source port for masqueraded packets.
# Default: 61000:65096
#PORT_MASQ_BEGIN=61000
#PORT_MASQ_END=65096

#Ports used as the destination ports for traceroute packets.
# Default: 33434:33524
#TRACEROUTE_BEGIN=33434
#TRACEROUTE_END=33524
#Fine for up to 30 routers, 3 packets each, the default for traceroute.

#When ssh is run as root (or setuid root), its client source port starts at
#1023 and works its way down toward 512. Mason handles this falling range
#correctly, but this allows you to predeclare that you want to handle up to
#1024-LOWSSHPORT connections simultaneously.
# Default: 1010, but it will keep dropping down as needed.
#LOWSSHPORT=1010

#Interfaces on which packets from untrusted systems can come _in_, usually
#identical to the interfaces with a default route. (That's how this is
#automatically set if you don't set it explicitly.)
#If you use diald, explicitly set this with _only_ the ppp interface(s);
#packets never _arrive_ on the slx interface(s).
#You should only have to set this by hand if you use something like diald, a
#cable modem, or a satellite link where you use different interfaces for
#outgoing and incoming packets.
# Default: your default route interfaces.
#INCOMINGINTERFACES=""
#INCOMINGINTERFACES="ppp0"  #Single interface diald

#As above, these are the interfaces that actually carry packets back to
#untrusted systems.
#You should only have to set this if you had to set the above. It normally
#gets set from your routing table automatically too.
# Default: your default route interfaces.
#OUTGOINGINTERFACES=""
#OUTGOINGINTERFACES="ppp0"  #Single interface diald

#-----------------------------------------------------------
# To be implemented
#-----------------------------------------------------------

#Needs some more testing, but feel free to try it out.
#Note: this only works when DOCOMMAND=ipchains, and will cause severe network
#problems if _any_ networks or IPs in your routing table overlap but point at
#different interfaces (overlapping routes that point at the _same_ interface
#are not a problem). This is almost certainly the case if you use proxyarp
#and may show up in other network setups as well. It's probably not a good
#idea to enable this if you have any non-default routes where packets go out
#one interface and come back on another (_default_ routes like this are ok).
# Default: NO if there are overlapping routes, YES if there aren't.
#SPOOFBLOCKS="YES"

#Future: allow non-verbose operation? Not used as of 0.13.0.
# Default: YES
#VERBOSE="YES"

#Not tested yet, but give it a try if you want all packets from blocked
#protocols or hosts to be logged. You should not enable this during the
#learning process - wait until after.
#LOGBLOCKS="-l"

#POISONPROTOCOLS=""  #treat these as blockedhost machines from now on and append to masonrc as BLOCKEDHOSTS... :-) Hmmm....

##SYSTEMRULEFILE="${MASONDIR}systemrules"

#-----------------------------------------------------------
# Deprecated
#-----------------------------------------------------------

##Note - NAMECACHE support has been disabled.
##THIS SECTION WILL BE DELETED.
##NAMECACHE _could_ be /etc/hosts, but this was really intended to be a
##local cache for Mason only. This really should be in some directory like
##/var/lib/mason.
##NAMECACHE="${MASONDIR}morehosts"

##Note - Mason no longer supports additional services files. You need to
##make sure /etc/services holds all your protocols.
##THIS SECTION WILL BE DELETED.
##These files, in /etc/services format, hold additional ports that may not be
##defined in the stock /etc/services. If you would prefer to use just the
##services in your own /etc/services, uncomment the first line. Your
##/etc/services entries always take precedence over any entries in
##moreservices. If you choose not to use the moreservices file, make _sure_
##your /etc/services has _all_ the protocols you might use. ssh, portmapper,
##nfs, and nfs mount services are especially crucial. Default is just
##/etc/services.
##SERVICES="/etc/services"
##SERVICES="/etc/services ${MASONDIR}nmap-services ${MASONDIR}moreservices"

##Obsoleted - do not use any more. If you have made any manual changes to
##this file, please transfer the contents to the NETWORKS variable above.
##NETCACHE="${MASONDIR}netconvert"

#Copyleft:
# Mason interactively creates a Linux packet filtering firewall.
# Copyright (C) 1998-2000 William Stearns
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# The author can also be reached at:
# William Stearns
#email: wstearns@pobox.com (preferred)
#web: http://www.stearns.org/mason/
#snail: 6 Manchester Dr.
#       Lebanon NH, 03766