If you're looking for the HTML::Mason Perl Module, try here.

Current version - 0.13.0, 0.13.1 under development.

Introduction

"If you have not checked out Mason, I highly recommend it. Mason is a Linux based firewall, but none like you've ever used.

In short, you put Mason into learning mode and run the services to the Internet you wish to support. Mason will then take these log entries and turn them into a set of packet filtering rules. Pretty cool eh? No ACK compliment rules to worry about, no "what was that service port again?" decisions to worry about, simply plug it in, let it learn and off you go. :)"

- - Chris Brenton, cbrenton@sover.net

Mason is a tool that interactively builds a firewall using Linux' ipfwadm or ipchains firewalling. You leave mason running on the firewall machine while you are making all the kinds of connections that you want the firewall to support (and want it to block). Mason gives you a list of firewall rules that exactly allow and block those connections.

Mason was specifically designed to make it possible for anyone with the ability to generally find their way around a Linux system to build a reasonably good packet filtering firewall for any and every system under their control. It takes care of all the low level grunt work; all you need to do is follow the instructions and be able to run all the TCP/IP applications that need to be supported.

The real work of the package is done by the mason script. Its job is to convert the log entries that the Linux kernel produces into ipfwadm or ipchains commands that you can use in your own firewall.

In order to make it easy to use, I have included a rudimentary tool called mason-gui-text. It's a very simple shell that handles the setup and creation process for those that want to be led through the process. It would sincerely like to see it replaced with a nicer interface.

News

My hat is off to Rusty, who has done it again. I've gotten netfilter running on 2.3.x and I'm really impressed. When I insert the ipfwadm module, Mason runs just fine. When I insert ipchains.o, hey, Mason runs just fine. I haven't tried all the features, but this is going to make debugging Mason much easier. And hey, it looks like its going to be in 2.4.x!

In preparation for 0.13.1, the documentation has gotten a lot of work. I've merged a bunch of stuff into a main SGML file which can be viewed in .txt or .html format. I'm glad to say the documentation is finally usable again.

Disclaimers

I've included a copy of the disclaimers. Like all GNU programs:

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

Unfortunately, because this program is so deeply involved in the security of the systems on which it is run, I need to add this disclaimer as well:

        This program offers an aid to creating firewall rules.  It offers
ABSOLUTELY NO intelligence in deciding what should be allowed or
disallowed.  It has ABSOLUTELY NO ability to understand your security
policy and implement it.  YOU are responsible for reviewing the rules and
massaging them to fit your needs.
        While the documentation in mason.txt attempts to provide some
general guidelines on how to use Mason, please remember:  the author has
no knowledge of what you want your firewall to do and has not tailored the
documentation or program to specially fit your needs.  If there is ever a
discrepancy between your needs and the program output or your needs and
the documentation, the program and/or documentation are _dead_ _wrong_.

Downloading and installing

Here are the various versions available for download, most recent at the top.

Mason-0.13.0.92 developers release (tar, noarch rpm, src rpm).

If you've had trouble with Mason crashing, please give this release a try. I think I've finally found the right way to tell Mason to exit, and I'm catching the rest of the otherwise harmless return codes. 0.13.0.92 is good enough that I'd suggest it over any previous version.

I've started a regression test suite for Mason. While not terribly useful to most users, it does help with quality control; it's harder for me to introduce errors.

Mason now gives a single warning if it sees non-tcp/udp/icmp protocols when working with ipfwadm.
Mason-0.13.0.90 developers release (tar, noarch rpm, src rpm).

New to this release: A large number of backdoor ports that can be automatically blocked in masonrc, bug fixes for dynamic address support, complete restructuring of the documentation (now in .sgml, viewable in .txt and .html), minor fixes, bugfix for NOOUTGOING icmp subcode support, NOOUTGOING tcp protocols automatically test for the SYN flag, first fragments of iptables support (as of 9/26/99, this is not functional).
Mason-0.13.0 final release (tar, noarch rpm, src rpm).

New to this release: automatically makes masq rules for reserved addresses, icmp subcodes, support for ip tunneling and a number of other protocols, removal of the namecache (no longer needed), mason now stops logging packets quickly while it does the main processing, stop using ipcalc to calculate broadcast, don't touch /etc/hosts or /etc/services, more Debian integration and two man pages (Thanks, Jeff!), support for ipchains-save output format, support for --sport and --dport (Thanks, Rusty!), some documentation updates, the ability to add packet counts to each rule, sorting the most commonly used rules to the top, misc. bug fixes and performance improvements, fixes to the Cisco output format, the ability to generalize the ack rules for tcp connections, cutting 25%-35% of the rules (Use at your own risk for the moment - this needs to be checked), an internal checkpointing ability to help in debugging, Mason can find the smallest subnet that encompasses the ips found on a dynamic interface and no_outgoing_ protocols.

Support for ipchains -Lnxv input format was planned, but scrapped when I realized there was an easier way to get packet counts into Mason.

Known bug: Mason occasionally exits during the course of normal operation. It complains on the way out that it has "crashed", when the exit was intentional. I'm still working with the trap logic to stop it from complaining when it shouldn't.
Mason-0.12.0 (tar, noarch rpm, src rpm). Mason now has an output option for Cisco IOS access-list rules. It still needs to run on a Linux system, but can provide output useable in a Cisco router. I don't have a Cisco router here, though; please let me know if it works or doesn't.

The Mason package now includes some additional "services" files. If you choose, Mason can automatically pull services from these files if your /etc/services file is missing them. Many thanks to the guys who wrote nmap for the nmap-services file.

Ironically, I do not suggest you use these as they are too complete; Mason may actually have trouble generalizing its rules because everything looks like a server port.
Mason-0.11.1 (tar, noarch rpm, src rpm). Ipfwadm hadn't been tested in a while; thanks to Rich who pointed out that it, ahem, didn't work at all. Two typos and it's doing much better now.
I also added TOS (Type Of Service) flag setting to this version. That, in theory, should help interactive performance on slow links with lots of bulk traffic. I also added the ability to completely block individual IP's or entire subnets.
Mason-0.11.0 (tar, noarch rpm, src rpm) Generally functional. Now it has an rpm version.
mason-0.11.0-beta3.tar.gz Mostly reorganization, but some bug fixes too. Better support for ipfwadm - it probably works now. I can't test it because I don't run 2.0 kernels at this point. Any feedback?
mason-0.11.0-beta2.tar.gz Mason has undergone serious surgery. The documentation is horribly out of date. Nonetheless, the functionality is there. Download this, open it up, run "make install", briefly edit /etc/masonrc, and run mason-gui-text. "base" rules are the permanent, approved rules that get run at boot time. "new" rules are only used during the firewall creation process. When you're happy with a "new" rule, put something like #APPROVED at the end and use the "merge rules" feature to carry them over to the "base" set. That's the 2 cent tour - let me know what you find is broken. I already know the ipfwadm stuff is lagging so far behind ipchains as to be unusable in this release - sorry. Despite that, the new stuff in Mason is well worth it...grin...
mason-0.11.0-beta1.tar.gz
mason-0.11.0-alpha1.tar.gz
mason-0.10.0-beta3.tar.gz The 0.9 and 0.10 versions handle ipchains, but as of 0.10.0-beta3, the documentation does not fully reflect the functionality.
mason-0.10.0-beta2.tar.gz
mason-0.10.0-beta1.tar.gz
mason-0.9.1-beta1.tar.gz
mason-0.9.0-beta2.tar.gz
mason-0.9.0-beta1.tar.gz
mason-0.7.9.tar.gz Versions up to and including 0.7.9 handle only ipfwadm input, kernels and output.
mason-0.7.0.tar.gz
mason-0.6.9.tar.gz
mason.0.6.0
mason.0.5.0 Versions up to and including 0.6.0 are just a single shell script.

Here's how to install:

Download the above tar file to /usr/src
cd /usr/src
tar -xzvf mason-version.tar.gz
cd mason-version
make install
Follow the quickstart section in mason.txt

Here are the individual files you can download. These files may be newer than the ones in the packages above; if so, they are here as prerelease version for those who want to be on the bleeding edge.

COPYING The GNU General Public License.
Makefile Used in packaging and distribution.
baserulesThe baserules file is one of two files (see newrules) that hold your firewall rules. baserules holds the rules that you've checked over and are sure should be part of your final firewall.
baserules.sample A few possible rules for use as a starting point.
firewall The boot time script for use in /etc/rc.d/init.d.
index.html The Mason web page.
mason The actual mason script.
mason-gui-text The rudimentary interface to running Mason and building a firewall.
mason-gui-text.1 man page for mason-gui-text.
mason.1 man page for mason.
mason.spec The RPM spec file.
mason.lsm The Linux Software Map entry.
mason.sgml The primary documentation for the package. The sgml format is designed to allow easy conversion to more readable formats.
mason.html The primary documentation for the package, in hypertext.
mason.txt The primary documentation for the package, in a flat text file.
masonlib A library of functions used by a number of the other files.
masonrc The main configuration file. There are intelligent defaults for all of these fields.
moreservices The services file I use, good as a reference if you don't recognize a protocol.
nmap-services The additional services file includes with the nmap tool. An even better reference.
newrules newrules is the other file that holds firewall rules. It holds rules created by mason that you haven't looked over yet. Think about what would happen if you were port scanned while Mason was running; if you only had one file to hold rules, all of these portscan rules you don't want would be mixed in with the rules you do want.
An important note - rules in newrules are not part of your regular firewall - they are only used during the learning process. This is why you need to merge rules from newrules to baserules once you're sure of them.
regression-test The shell script test suite for some of the parts of the package. Contributions welcome.

Most of the files in the Mason package are Copyright (c) 1998, 1999 by William Stearns wstearns@pobox.com or Jeff Licquia. They are released under the GNU GPL, which is included in the package. If you did not recieve a copy of this license, please contact the author for a copy (see the top of the Mason script for contact information for the author and the Free Software Foundation).

Last edited: 9/26/99

Best viewed with something that can show web pages... <grin>