If you're looking for the HTML::Mason Perl Module, try here.
"If you have not checked out Mason, I highly recommend it. Mason is a Linux based firewall, but none like you've ever used.
In short, you put Mason into learning mode and run the services to the Internet you wish to support. Mason will then take these log entries and turn them into a set of packet filtering rules. Pretty cool eh? No ACK compliment rules to worry about, no "what was that service port again?" decisions to worry about, simply plug it in, let it learn and off you go. :)"
-- Chris Brenton, firstname.lastname@example.org
"Tonight I tried out your Mason package and I got to tell you it is the best thing I have seen in a long time. I tried it on a test machine and it worked flawlessly. Usually things are fun for novelty reasons but this thing is awesome! My colleagues and I are always setting up some type of firewall and I am going to blow them away with this one. Problem with firewalls is one always forgets a policy, port, etc... especially being a field computer person; with Mason it pretty much takes care of most of the work for you.
All I can say is I can't tell you how cool this is."
-- Richard Lo, email@example.com
We just recently retooled our firewall as it was in bad shape. I want to put the word out about the Mason firewall package, which automatically writes ipchains rules for you. Without Mason, we would still be struggling with our firewall. I highly recommend using it to implement some rudimentary security on stand-alone RedHat Linux systems that are continuously connected to the web.
-- real-life, paranoid, pressed-for-time system administrator who prefers to remain anonymous, well, because (s)he's paranoid
Well, I played with it for quite a while, and I liked the results. This version is very robust, and the learning curve is simply amazing, so it's really a recommended tool for newbies.
-- Aviram Jenik, firstname.lastname@example.org, http://www.SecuriTeam.com
It's been a major pain in the ass trying to configure my RedHat 6.0 firewall at home using ipfwadm and the other standard Linux tools. So it was with some doubt that I installed Mason on my RedHat 6.0 firewall, expecting nothing useful to come of it. I was rather shocked to find Mason quickly emitting lists of real-world, usable rules, and making them actually work with my fairly complex system requirements. (I want ftp, telnet, RealAudio, Quake, HalfLife, netnews, and I want it all to be perfectly secure! ;) ) I am completely sold on Mason. Congrats on making the first firewall tool in the true spirit of Linux; it should be part of every distribution.
-- John Byrd, email@example.com
Mason is a tool that interactively builds a firewall using Linux's ipfwadm or ipchains firewalling. You leave Mason running on the firewall machine while you make all the kinds of connections that you want the firewall to support (and the ones you want it to block). Mason gives you a list of firewall rules that exactly allow and block those connections.
Mason was specifically designed to make it possible for anyone with the ability to generally find their way around a Linux system to build a reasonably good packet filtering firewall for any and every system under their control. It takes care of all the low level grunt work; all you need to do is follow the instructions and be able to run all the TCP/IP applications that need to be supported.
The real work of the package is done by the mason script. Its job is to convert the log entries that the Linux kernel produces into ipfwadm or ipchains commands that you can use in your own firewall.
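The log-to-rule step described above, written out as an added example for this page. This is not Mason's own code (the mason script is written in bash); it is a from-scratch Python version that parses kernel packet-log lines in the stock 2.2 ipchains "Packet log:" layout and the 2.4 iptables LOG key=value layout, emits the ACCEPT rule that would have admitted each logged packet together with a stateless reply rule (the "! -y" / "! --syn" form for TCP), and ranks rules by how many log entries they account for. The sample log lines are constructed, and two design decisions are this example's own rather than a description of Mason's behaviour: any port at or above 1024 is widened to the 1024:65535 range, and a non-SYN reply rule is derived for every TCP connection opener.

```python
"""Added example (not Mason's own code): kernel packet logs -> ipchains/iptables rules.
Assumptions: 2.2 ipchains "Packet log:" line layout, 2.4 iptables LOG layout, and
this example's own generalizations (port >= 1024 -> 1024:65535, non-SYN reply rules)."""
import re
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
REPLY_CHAIN = {"input": "output", "output": "input", "INPUT": "OUTPUT", "OUTPUT": "INPUT"}

# Constructed sample log lines (syslog prefix already stripped); not taken from the page.
SAMPLE_LOGS = [
    "Packet log: input DENY eth0 PROTO=6 192.168.1.20:1034 10.0.0.5:22 L=60 S=0x10 I=4411 F=0x4000 T=64 SYN (#3)",
    "Packet log: input DENY eth0 PROTO=6 192.168.1.20:1035 10.0.0.5:22 L=60 S=0x10 I=4412 F=0x4000 T=64 SYN (#3)",
    "Packet log: output DENY eth0 PROTO=17 10.0.0.5:1025 192.168.1.1:53 L=58 S=0x00 I=0 F=0x4000 T=64 (#2)",
    "IN=eth0 OUT= SRC=192.168.1.20 DST=10.0.0.5 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=4413 DF "
    "PROTO=TCP SPT=1036 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# 2.2 ipchains layout: chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
# For ICMP the two "port" fields carry the type (source side) and code (destination side).
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*?\bT=\d+(?P<syn> SYN)?"
)


def parse_log(line):
    """Return a dict describing the logged packet, or None if the line is not a packet log."""
    m = IPCHAINS_RE.search(line)
    if m:
        return {"fmt": "ipchains", "chain": m["chain"], "iface": m["iface"],
                "proto": PROTO_NAMES.get(int(m["proto"])), "syn": bool(m["syn"]),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"])}
    kv = dict(re.findall(r"(\w+)=(\S*)", line))   # iptables LOG: key=value pairs plus bare flags
    if "SRC" not in kv or "PROTO" not in kv:
        return None
    # iptables does not log the chain name; direction follows from which of IN=/OUT= is filled in.
    chain = "FORWARD" if kv.get("IN") and kv.get("OUT") else ("INPUT" if kv.get("IN") else "OUTPUT")
    proto = kv["PROTO"].lower()
    return {"fmt": "iptables", "chain": chain, "iface": kv.get("IN") or kv.get("OUT"),
            "proto": proto if proto in PROTO_NAMES.values() else None,
            "syn": bool(re.search(r"\bSYN\b", line)),
            "src": kv["SRC"], "sport": int(kv.get("SPT") or kv.get("TYPE") or 0),
            "dst": kv["DST"], "dport": int(kv.get("DPT") or kv.get("CODE") or 0)}


def _port(p):
    """Generalize an unprivileged (client-side) port to the whole 1024:65535 range."""
    return "1024:65535" if p >= 1024 else str(p)


def fmt_rule(fmt, chain, iface, proto, src, sport, dst, dport, syn=None):
    """Render one ACCEPT rule. syn=True matches only SYN packets (connection openers),
    syn=False only non-SYN packets (the stateless 'established' match), None any packet."""
    if fmt == "ipchains":
        flag = {True: " -y", False: " ! -y", None: ""}[syn]
        return (f"ipchains -A {chain} -i {iface} -p {proto}{flag} "
                f"-s {src}/32 {sport} -d {dst}/32 {dport} -j ACCEPT")
    flag = {True: " --syn", False: " ! --syn", None: ""}[syn]
    ifopt = "-o" if chain == "OUTPUT" else "-i"
    if proto == "icmp":
        match = f"-s {src} -d {dst} --icmp-type {sport}/{dport}"
    else:
        match = f"-s {src} --sport {sport} -d {dst} --dport {dport}"
    return f"iptables -A {chain} {ifopt} {iface} -p {proto}{flag} {match} -j ACCEPT"


def rules_from_log(line):
    """Turn one logged packet into the rule(s) that would have let it, and its replies, through."""
    p = parse_log(line)
    if p is None or p["proto"] is None:
        return []                       # not tcp/udp/icmp: leave it for a human to decide
    fmt, proto, chain, iface = p["fmt"], p["proto"], p["chain"], p["iface"]
    sport, dport = p["sport"], p["dport"]
    if proto != "icmp":                 # icmp "ports" are type/code and must stay exact
        sport, dport = _port(sport), _port(dport)
    if proto == "tcp" and not p["syn"]:
        # a packet from the middle of a connection only justifies the non-SYN rule
        return [fmt_rule(fmt, chain, iface, proto, p["src"], sport, p["dst"], dport, syn=False)]
    opener = fmt_rule(fmt, chain, iface, proto, p["src"], sport, p["dst"], dport,
                      syn=True if proto == "tcp" else None)
    reply = REPLY_CHAIN.get(chain)
    if reply is None or proto == "icmp":
        return [opener]
    return [opener, fmt_rule(fmt, reply, iface, proto, p["dst"], dport, p["src"], sport,
                             syn=False if proto == "tcp" else None)]


def learn(lines):
    """One learning session: collect rules from every log line, drop duplicates and put
    the most frequently hit rules first so they can go at the top of the chain."""
    counts = Counter(r for line in lines for r in rules_from_log(line))
    return [rule for rule, _ in counts.most_common()]


if __name__ == "__main__":
    for rule in learn(SAMPLE_LOGS):
        print(rule)
```

Running the block prints six rules: the two SSH log entries collapse into one input rule plus its reply rule, which sort to the top because they were hit twice. The "! -y" and "! --syn" reply rules are the stateless "ACK" rules the first testimonial refers to; on a 2.4 or later kernel a single conntrack rule matching ESTABLISHED,RELATED state replaces all of them, but the page's ipchains target has no connection tracking, so the reply rules have to be written out.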
In order to make it easy to use, I have included a rudimentary tool called mason-gui-text. It's a very simple shell that handles the setup and creation process for those that want to be led through the process. I would sincerely like to see it replaced with a nicer interface.
We've been stable for a long time. Time for 1.0.0. :-)
Minor release to accommodate the fact that the "sam" package had to be renamed to "samlib".
Thanks to all who've reminded me that 0.13.9.3 doesn't get along well with newer glibc's. Someone decided to rename a signal and it causes no end of problems.
A number of the functions Mason depends on are shared with other bash apps. I've put together a shared library of bash functions for these applications with a goal of formal verification for each function. Mason now requires the "sam" library to run; this library can be found at ftp://ftp.stearns.org/ as well. Simply install the sam rpm or tar first.
Thanks to Steve Wray for the awk only replacement for an awk/grep/sed combination in older versions.
Baiju Thakkar deserves a large THANKS! for updating the web site. You'll see the new content once we work out a few more details.
I've gotten the iptables code in 0.13.9.3 to the point where it's generally working. A few notes:
By the way, the "live learning" process seems to be rather good. Give it a try, especially if you've had trouble with Mason crashing in the past. The live learning bypasses the backgrounding that used to be required, hopefully putting the crashes permanently to bed. I have my fingers crossed.
The menus look a lot better now.
The exciting new project is the ability to decide what to do with a rule while the learning process is going on. Now, when a new rule shows up, you can instantly decide to commit it to baserules, discard it, change it, etc. mason-decide is not complete, but it's functional enough that I'm making it available for testing. If you like the old behavior of throwing all the rules into newrules for later editing, change:

if /bin/false ; then

in mason-gui-text to:

if /bin/true ; then
As a follow-up to the following, mason has some iptables functionality now. I have the base code functioning to the point that I can actually build an iptables firewall with it.
Please note that it is most definitely not complete. If you're masquerading, you need to put the masquerading rule in baserules before you start mason-gui-text (baserules.sample has been updated to include iptables masquerading).
mason-1999112101 is _only_ available at ftp://mason.stearns.org - this will soon be the master web and ftp site for the project.
My hat is off to Rusty, who has done it again. I've gotten netfilter running on 2.3.x and I'm really impressed. When I insert the ipfwadm module, Mason runs just fine. When I insert ipchains.o, hey, Mason runs just fine. I haven't tried all the features, but this is going to make debugging Mason much easier. And hey, it looks like it's going to be in 2.4.x!
In preparation for 0.13.1, the documentation has gotten a lot of work. I've merged a bunch of stuff into a main SGML file which can be viewed in .txt or .html format. I'm glad to say the documentation is finally usable again.
I have gotten a number of contributions from people - many thanks. I'll have a real contributions section later, but for the moment:
The Mason mailing lists are now live. There are three lists:
| List | Description | How to subscribe |
| --- | --- | --- |
| mason-announce | This list is an announcements-only list. It will generally be limited to new version announcements for the Mason firewall builder, but may also include announcements related to Mason from time to time. It is a low volume list and is moderated. | Send mail to firstname.lastname@example.org with "subscribe mason-announce" in the body. |
| mason-help | This unmoderated list is for general discussion of all topics related to the Mason firewall builder. On-topic discussion includes bug reports, questions, feature requests, suggestions, and questions about operating Mason. General packet filtering, firewall, Linux, networking, kernel, ipfwadm, ipchains, netfilter, and iptables questions are considered on-topic as well. | Send mail to email@example.com with "subscribe mason-help" in the body. |
| mason-devel | This is a discussion list for the people involved in the development of the Mason firewall builder and related projects. Issues about code, patches, packaging issues, distribution, and general communication between developers are considered on-topic. You should get in touch with Bill Stearns (firstname.lastname@example.org) before subscribing and let him know what area of development interests you. | Send mail to email@example.com with "subscribe mason-devel" in the body. |
I've included a copy of the disclaimers. Like all GNU programs:
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Unfortunately, because this program is so deeply involved in the security of the systems on which it is run, I need to add this disclaimer as well:
This program offers an aid to creating firewall rules. It offers ABSOLUTELY NO intelligence in deciding what should be allowed or disallowed. It has ABSOLUTELY NO ability to understand your security policy and implement it. YOU are responsible for reviewing the rules and massaging them to fit your needs. While the documentation in mason.txt attempts to provide some general guidelines on how to use Mason, please remember: the author has no knowledge of what you want your firewall to do and has not tailored the documentation or program to specially fit your needs. If there is ever a discrepancy between your needs and the program output or your needs and the documentation, the program and/or documentation are _dead_ _wrong_.
Here are the various versions available for download, most recent at the top.
Mason-0.14.1 developer releases - see the News above and ftp://mason.stearns.org/pub/mason.
Mason-0.13.0.92-1 Debian release (.deb). This is functionally the same as 0.13.0.92, but packaged as a .deb. Many thanks to Jeff Licquia.
If you've had trouble with Mason crashing, please give this release a try. I think I've finally found the right way to tell Mason to exit, and I'm catching the rest of the otherwise harmless return codes. 0.13.0.92 is good enough that I'd suggest it over any previous version.
I've started a regression test suite for Mason. While not terribly useful to most users, it does help with quality control; it's harder for me to introduce errors.
Mason now gives a single warning if it sees non-tcp/udp/icmp protocols when working with ipfwadm.
New to this release: A large number of backdoor ports that can be automatically blocked in masonrc, bug fixes for dynamic address support, complete restructuring of the documentation (now in .sgml, viewable in .txt and .html), minor fixes, bugfix for NOOUTGOING icmp subcode support, NOOUTGOING tcp protocols automatically test for the SYN flag, first fragments of iptables support (as of 9/26/99, this is not functional).
New to this release: automatically makes masq rules for reserved addresses, icmp subcodes, support for ip tunneling and a number of other protocols, removal of the namecache (no longer needed), mason now stops logging packets quickly while it does the main processing, stop using ipcalc to calculate broadcast, don't touch /etc/hosts or /etc/services, more Debian integration and two man pages (Thanks, Jeff!), support for ipchains-save output format, support for --sport and --dport (Thanks, Rusty!), some documentation updates, the ability to add packet counts to each rule, sorting the most commonly used rules to the top, misc. bug fixes and performance improvements, fixes to the Cisco output format, the ability to generalize the ack rules for tcp connections, cutting 25%-35% of the rules (Use at your own risk for the moment - this needs to be checked), an internal checkpointing ability to help in debugging, Mason can find the smallest subnet that encompasses the ips found on a dynamic interface and no_outgoing_ protocols.
Support for ipchains -Lnxv input format was planned, but scrapped when I realized there was an easier way to get packet counts into Mason.
Known bug: Mason occasionally exits during the course of normal operation. It complains on the way out that it has "crashed", when the exit was intentional. I'm still working with the trap logic to stop it from complaining when it shouldn't.
The Mason package now includes some additional "services" files. If you choose, Mason can automatically pull services from these files if your /etc/services file is missing them. Many thanks to the guys who wrote nmap for the nmap-services file.
Ironically, I do not suggest you use these as they are too complete; Mason may actually have trouble generalizing its rules because everything looks like a server port.
I also added TOS (Type Of Service) flag setting to this version. That, in theory, should help interactive performance on slow links with lots of bulk traffic. I also added the ability to completely block individual IP's or entire subnets.
Here's how to install:
Here are the individual files you can download. These files may be newer than the ones in the packages above; if so, they are here as prerelease version for those who want to be on the bleeding edge.
An important note - rules in newrules are not part of your regular firewall - they are only used during the learning process. This is why you need to merge rules from newrules to baserules once you're sure of them.
Most of the files in the Mason package are Copyright (c) 1998-2001 by William Stearns firstname.lastname@example.org or Jeff Licquia. They are released under the GNU GPL, which is included in the package. If you did not receive a copy of this license, please contact the author for a copy (see the top of the Mason script for contact information for the author and the Free Software Foundation).
Last edited: 5/12/02
Best viewed with something that can show web pages... <grin>