File: index.html

mason 1.0.0-12.2
  • area: main
  • in suites: squeeze
  • size: 1,952 kB
  • ctags: 130
  • sloc: sh: 4,147; makefile: 135
file content (426 lines) | stat: -rw-r--r-- 23,786 bytes
<html>
<head>
<title>Mason - the automated firewall builder for Linux</title>
<META NAME="keywords" CONTENT="firewall, Linux, packet, filter, ipfwadm, ipchains, automated, rules, iptables, netfilter, builder">
</head>
<body>

<center><img src="mason-banner.gif"></center>

<p>If you're looking for the HTML::Mason Perl Module, try <a href="http://www.masonhq.com">here</a>.</p>

<h1>Current version - 1.0.0 *smile*</h1>

<hr>

<h1>(Unsolicited) Reviews</h1>

<p>"If you have not checked out Mason, I highly recommend it. Mason is a
Linux based firewall, but none like you've ever used.</p>
<p>In short, you put Mason into learning mode and run the services to the
Internet you wish to support. Mason will then take these log entries and
turn them into a set of packet filtering rules. Pretty cool eh? No ACK
complement rules to worry about, no "what was that service port again?"
decisions to worry about, simply plug it in, let it learn and off you
go. :)"</p>

<p>- - Chris Brenton, cbrenton@sover.net</p>

<p>"Tonight I tried out your Mason package and I got to tell you it is the
best thing I have seen in a long time. I tried it on a test machine
and it worked flawlessly. Usually things are fun for novelty reasons
but this thing is awesome! Me and my colleagues are always setting up
some type of firewall and I am going to blow them away with this one.
Problem with firewalls is one always forgets a policy, port, etc...
especially being a field computer person, with Mason it pretty much
takes care of most of the work for you.</p>

<p>All I can say is I can't tell you how cool this is."</p>

<p>- - Richard Lo, richardlo@visto.com</p>


<p>We just recently retooled our firewall as it was in bad shape.  I want
to put the word about the Mason firewall package which automatically
writes ipchain rules for you.  Without Mason, we would still be
struggling with our firewall.  I highly recommend using it to implement
some rudimentary security on stand-alone RedHat Linux systems that are
continuously connected to the web.</p>

<p>- - real-life, paranoid, pressed for time, system administrator who prefers
to remain anonymous, well, because (s)he's paranoid</p>

<p>Well, I played with it for quite a while, and I liked the results. This
version is very robust, and the learning curve is simply amazing, so it's
really a recommended tool for newbies.</p>

<p>- - Aviram Jenik, aviram@beyondsecurity.com,
<a href="http://www.SecuriTeam.com">http://www.SecuriTeam.com</a></p>

<p>It's been a major pain in the ass trying to configure my RedHat 6.0 firewall
at home using ipfwadm and the other standard Linux tools.  So it was with
some doubt that I installed Mason on my RedHat 6.0 firewall, expecting
nothing useful to come of it.  I was rather shocked to find Mason quickly
emitting lists of real-world, usable rules, and making them actually work
with my fairly complex system requirements.  (I want ftp, telnet, RealAudio,
Quake, HalfLife, netnews, and I want it all to be perfectly secure! ;) )  I
am completely sold on Mason.  Congrats on making the first firewall tool in
the true spirit of Linux; it should be part of every distribution.</p>

<p>- - John Byrd, johnbyrd@pacbell.net</p>


<hr>

<h1>Introduction</h1>

<p>Mason is a tool that interactively builds a firewall using Linux' 
ipfwadm or ipchains firewalling.  You leave mason running on the firewall
machine while you are making all the kinds of connections that you 
want the firewall to support (and want it to block).  Mason gives you 
a list of firewall rules that exactly allow and block those connections.</p>

<p>Mason was specifically designed to make it possible for anyone with 
the ability to generally find their way around a Linux system to build a 
reasonably good packet filtering firewall for any and every system under their 
control.  It takes care of all the low level grunt work; all you need to do is 
follow the instructions and be able to run all the TCP/IP applications that 
need to be supported.</p>

<p>The real work of the package is done by the <i>mason</i> script.  Its job is 
to convert the log entries that the Linux kernel produces into ipfwadm or 
ipchains commands that you can use in your own firewall.</p>
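<p>The log-to-rule conversion described above, as an added example that is not code from the Mason package. It assumes the ipchains "Packet log:" line format; the sample log, the <code>log_to_ipchains</code> function and its list of known high server ports are hypothetical. Client ports at or above 1024 are widened to 1024:65535 unless they are listed as server ports.</p>

```shell
#!/bin/sh
# Added illustration, not Mason's code: convert ipchains "Packet log:" kernel
# messages into candidate ipchains commands for review.

# Constructed sample log (hosts, ports and rule numbers are made up).
sample_log() {
cat <<'EOF'
Jan  5 10:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.10:1047 10.0.0.5:80 L=60 S=0x00 I=4121 F=0x4000 T=64 SYN (#3)
Jan  5 10:01:03 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.10:1048 10.0.0.5:80 L=60 S=0x00 I=4122 F=0x4000 T=64 SYN (#3)
Jan  5 10:01:05 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.10:1050 10.0.0.5:3128 L=60 S=0x00 I=4130 F=0x4000 T=64 SYN (#3)
Jan  5 10:01:09 fw kernel: Packet log: output DENY eth1 PROTO=17 10.0.0.5:1030 10.0.0.1:53 L=58 S=0x00 I=77 F=0x0000 T=64 (#2)
Jan  5 10:01:20 fw kernel: Packet log: input DENY eth0 PROTO=1 192.168.1.10:8 10.0.0.5:0 L=84 S=0x00 I=90 F=0x0000 T=64 (#3)
Jan  5 10:02:00 fw kernel: Packet log: input DENY eth0 PROTO=47 192.168.1.9:65535 10.0.0.5:65535 L=80 S=0x00 I=9 F=0x0000 T=64 (#3)
Jan  5 10:02:01 fw sshd[411]: unrelated line
EOF
}

# log_to_ipchains [TARGET] [KNOWN_HIGH_SERVER_PORTS]
# Reads log lines on stdin, prints one de-duplicated rule per distinct flow.
log_to_ipchains() {
    awk -v target="${1:-ACCEPT}" -v extra=" ${2:-} " '
    # Ports below 1024, or listed as known server ports, are kept exactly;
    # anything else is treated as an ephemeral client port and widened.
    function port(p) {
        if (p + 0 < 1024 || index(extra, " " p " ")) return p
        return "1024:65535"
    }
    {
        # Find the "Packet log:" marker; the fields after it are positional.
        for (i = 1; i < NF; i++)
            if ($i == "Packet" && $(i + 1) == "log:") break
        if (i + 7 > NF) next                 # not an ipchains log line
        chain = $(i + 2); iface = $(i + 4); proto = $(i + 5)
        if (sub(/^PROTO=/, "", proto) != 1) next
        split($(i + 6), s, ":"); split($(i + 7), d, ":")
        pnum = proto + 0
        if (pnum == 6) name = "tcp"
        else if (pnum == 17) name = "udp"
        else if (pnum == 1) name = "icmp"
        else {
            # Other protocols need a human decision; report and skip.
            print "skipped protocol " proto > "/dev/stderr"
            next
        }
        # For ICMP the two "port" fields carry type and code: keep them as is.
        sp = (name == "icmp") ? s[2] : port(s[2])
        dp = (name == "icmp") ? d[2] : port(d[2])
        printf "ipchains -A %s -i %s -p %s -s %s %s -d %s %s -j %s\n",
               chain, iface, name, s[1], sp, d[1], dp, target
    }' | LC_ALL=C sort -u
}

# Stand-alone run: 3128 is declared as a known high server port.
sample_log | log_to_ipchains ACCEPT "3128"
```

<p>Run without the "3128" argument, the proxy rule comes out as a destination range of 1024:65535, which is why generated rules need review before they are trusted.</p>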

<p>In order to make it easy to use, I have included a rudimentary tool
called <i>mason-gui-text</i>.  It's a very simple shell that handles the 
setup and creation process for those that want to be led through the 
process.  I would sincerely <i>like</i> to see it replaced with a nicer 
interface.</p>

<hr>

<h1>News</h1>
<h2>5/12/02</h2>
<p>We've been stable for a long time.  Time for 1.0.0. :-)</p>


<h2>9/16/01</h2>
<p>Minor release to accommodate the fact that the "sam" package had to be
renamed to "samlib".</p>

<h2>8/7/01</h2>
<p>Thanks to all who've reminded me that 0.13.9.3 doesn't get along well
with newer glibc's.  Someone decided to rename a signal and it causes no
end of problems.</p>
<p>A number of the functions Mason depends on are shared with other bash
apps.  I've put together a shared library of bash functions for these
applications with a goal of formal verification for each function.  
Mason now requires the "sam" library to run; this library can be found at
<a href="ftp://ftp.stearns.org/">ftp://ftp.stearns.org/</a> as well.  Simply
install the sam rpm or tar first.</p>

<p>Thanks to <a href="mailto:steve.wray@the.net.nz">Steve Wray</a> for the 
awk only replacement for an awk/grep/sed combination in older versions.</p>
<p>Minor fixes.</p>
<p>Baiju Thakkar deserves a large <b>THANKS!</b> for updating the web site.
You'll see the new content once we work out a few more details.</p>


<h2>10/25/00</h2>
<p>I've gotten the iptables code in 0.13.9.3 to the point where it's generally working.
A few notes:
<ul>
<li>Load all the iptables modules before starting.
<li>Put your masq rule in by hand in /var/lib/mason/baserules.  I have a sample
there ready to be uncommented.
<li>I will no longer support cross-creation of rules, i.e. creating an ipfwadm
firewall on an iptables system.  It used to be generally doable between
ipfwadm and ipchains, but the differences between iptables and its predecessors
make this too much work to be useful.
</ul>
<p>By the way, the "live learning" process seems to be rather good.  Give it a try,
<b>especially</b> if you've had trouble with Mason crashing in the past.  The 
live learning bypasses the backgrounding that used to be required, hopefully 
putting the crashes permanently to bed.  I have my fingers crossed.</p>
<p>The menus look a lot better now.</p>


<h2>11/21/99</h2>
<p>The exciting new project is the ability to decide what to do with a 
rule while the learning process is going on.  Now, when a new rule shows up, 
you can instantly decide to commit it to baserules, discard it, change it, etc.
<i>mason-decide</i> is not complete, but it's functional enough that I'm 
making it available for testing.  If you like the old behavior of throwing 
all the rules into newrules for later editing, change:
<code>if /bin/false ; then</code>
in mason-gui-text to:
<code>if /bin/true ; then</code>
</p>

<p>As a followup to the following, mason has some iptables functionality
now.  I have the base code functioning to the point that I can actually
build an iptables firewall with it.</p>

<p>Please note that it is most definitely <i>not</i> complete.  If you're
masquerading, you need to put the masquerading rule in baserules before 
you start mason-gui-text (baserules.sample has been updated to include 
iptables masquerading).</p>

<p>mason-1999112101 is <i>only</i> available at
<a href="ftp://mason.stearns.org">ftp://mason.stearns.org</a> - this
will soon be the master web and ftp site for the project.</p>

<h2>9/x/99</h2>
<p>My hat is off to Rusty, who has done it again.  I've gotten netfilter 
running on 2.3.x and I'm <i>really</i> impressed.  When I insert
the ipfwadm module, Mason runs just fine.  When I insert ipchains.o, 
hey, Mason runs just fine.  I haven't tried all the features, but 
this is going to make debugging Mason <i>much</i> easier.
And hey, it looks like it's going to be in 2.4.x!</p>

<p>In preparation for 0.13.1, the documentation has gotten a <i>lot</i>
of work.  I've merged a bunch of stuff into a main SGML file which can be 
viewed in .txt or .html format.  I'm glad to say the documentation is 
finally usable again.</p>

<h2>3/9/99</h2>
<p>I have gotten a number of contributions from people - many thanks.
I'll have a real contributions section later, but for the moment:</p>

<ul>
<li><a href="gmader-prep.html">Greg Mader's writeup</a> on proxyarp in a firewall.
<li><a href="http://www.pobox.com/~rsg/projects/linux/mason/">Rob Goldstein's auxiliary scripts</a> for Mason.
<li><a href="http://www.govirtual.com.au/gfcc+mason.html">Mark Turner's writeup on gfcc+Mason</a>
</ul>

<h2>3/8/99</h2>
<p>The Mason mailing lists are now live.  There are three lists:</p>

<table>
<tr><th>List</th><th>Description</th><th>How to subscribe</th></tr>
<tr>
<td>mason-announce</td>
<td>This list is an announcements-only list.  It will generally be limited to
new version announcements for the Mason firewall builder, but may also
include announcements related to Mason from time to time.  It is a low
volume list and is moderated.</td>
<td>send mail to <a href="mailto:majordomo@ists.dartmouth.edu">majordomo@ists.dartmouth.edu</a> with "subscribe mason-announce" in the body.</td>
</tr>
<tr>
<td>mason-help</td>
<td>This unmoderated list is for general discussion of all topics related to
the Mason firewall builder.  On-topic discussion includes bug reports,
questions, feature requests, suggestions, and questions about operating
Mason.  General packet filtering, firewall, Linux, networking, kernel,
ipfwadm, ipchains, netfilter, and iptables questions are considered on-topic
as well.</td>
<td>send mail to <a href="mailto:majordomo@ists.dartmouth.edu">majordomo@ists.dartmouth.edu</a> with "subscribe mason-help" in the body.</td>
</tr>
<tr>
<td>mason-devel</td>
<td>This is a discussion list for the people involved in the development of
the Mason firewall builder and related projects.  Issues about code,
patches, packaging issues, distribution, and general communication
between developers are considered on-topic.  You should get in touch with
Bill Stearns (wstearns@pobox.com) before subscribing and let him know what
area of development interests you.</td>
<td>send mail to <a href="mailto:majordomo@ists.dartmouth.edu">majordomo@ists.dartmouth.edu</a> with "subscribe mason-devel" in the body.</td>
</tr>
</table>

<p><i>Note that the old "geek-speak.net" addresses are no longer valid.  The lists
have been moved to ists.dartmouth.edu.</i></p>

<hr>

<h1>Disclaimers</h1>

<p>I've included a copy of the disclaimers.  Like all GNU programs:</p>
<pre>
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
</pre>
<p>Unfortunately, because this program is so deeply involved in the security of the systems 
on which it is run, I need to add this disclaimer as well:</p>
<pre>
        This program offers an aid to creating firewall rules.  It offers
ABSOLUTELY NO intelligence in deciding what should be allowed or
disallowed.  It has ABSOLUTELY NO ability to understand your security
policy and implement it.  YOU are responsible for reviewing the rules and
massaging them to fit your needs.
        While the documentation in mason.txt attempts to provide some
general guidelines on how to use Mason, please remember:  the author has
no knowledge of what you want your firewall to do and has not tailored the
documentation or program to specially fit your needs.  If there is ever a
discrepancy between your needs and the program output or your needs and
the documentation, the program and/or documentation are _dead_ _wrong_.
</pre>

<hr>

<h1><a name=download>Downloading</a> and <a name=changelog>installing</a></h1>

<p>Here are the various versions available for download, most recent at the top.
<ul>
<li><p>Mason-1.0.0 release (<a href="mason-1.0.0.tar.gz">tar</a>, 
<a href="mason-1.0.0-1.noarch.rpm"><b>noarch rpm</b></a>, 
<a href="mason-1.0.0-1.src.rpm">src rpm</a>).</p>
<li><p>Mason-0.13.9.5 prerelease (<a href="mason-0.13.9.5.tar.gz">tar</a>, 
<a href="mason-0.13.9.5-1.noarch.rpm"><b>noarch rpm</b></a>, 
<a href="mason-0.13.9.5-1.src.rpm">src rpm</a>).</p>
<li><p>Mason-0.13.9.4 prerelease (<a href="mason-0.13.9.4.tar.gz">tar</a>, 
<a href="mason-0.13.9.4-1.noarch.rpm"><b>noarch rpm</b></a>, 
<a href="mason-0.13.9.4-1.src.rpm">src rpm</a>).</p>
<li><p>Mason-0.13.9.3 prerelease (<a href="mason-0.13.9.3.tar.gz">tar</a>, 
<a href="mason-0.13.9.3-0.noarch.rpm"><b>noarch rpm</b></a>, 
<a href="mason-0.13.9.3-0.src.rpm">src rpm</a>).</p>
<li><p>Mason-0.14.1 developers releases - see the News above and 
<a href="ftp://mason.stearns.org/pub/mason">ftp://mason.stearns.org/pub/mason</a>.</p>
<li><p>Mason-0.13.0.92-1 Debian release (<a href="mason_0.13.0.92-1_all.deb">deb</a>).  This
is functionally the same as 0.13.0.92, but packaged as a .deb.
Many thanks to Jeff Licquia.</p>
<li><p>Mason-0.13.0.92 stable release (<a href="mason-0.13.0.92.tar.gz">tar</a>, 
<a href="mason-0.13.0.92-0.noarch.rpm"><b>noarch rpm</b></a>, 
<a href="mason-0.13.0.92-0.src.rpm">src rpm</a>).</p>
<p>If you've had trouble with Mason crashing, please give this release a try.  I
<i>think</i> I've finally found the right way to tell Mason to exit, and I'm catching
the rest of the otherwise harmless return codes.  0.13.0.92 is good enough that
I'd suggest it over any previous version.</p>
<p>I've started a regression test suite for Mason.  While not terribly useful to 
most users, it does help with quality control; it's harder for me to introduce errors.</p>
<p>Mason now gives a single warning if it sees non-tcp/udp/icmp protocols when 
working with ipfwadm.</p>
<li><p>Mason-0.13.0.90 developers release (<a href="mason-0.13.0.90.tar.gz">tar</a>, 
<a href="mason-0.13.0.90-0.noarch.rpm"><b>noarch rpm</b></a>, 
<a href="mason-0.13.0.90-0.src.rpm">src rpm</a>).</p>
<p>New to this release:  A large number of backdoor ports that can be automatically
blocked in masonrc, bug fixes for dynamic address support, complete restructuring
of the documentation (now in .sgml, viewable in .txt and .html), minor fixes, 
bugfix for NOOUTGOING icmp subcode support, NOOUTGOING tcp protocols automatically 
test for the SYN flag, first fragments of iptables support (as of 9/26/99, this is 
<i>not</i> functional).</p>
<li><p>Mason-0.13.0 final release (<a href="mason-0.13.0-final.tar.gz">tar</a>, 
<a href="mason-0.13.0-2.noarch.rpm"><b>noarch rpm</b></a>, 
<a href="mason-0.13.0-2.src.rpm">src rpm</a>).</p>
<p>New to this release:  
automatically makes masq rules for reserved addresses, icmp subcodes, 
support for ip tunneling and a number of other protocols, removal of the namecache (no longer needed), 
mason now stops logging packets quickly while it does the main processing, stop using ipcalc to calculate 
broadcast, don't touch /etc/hosts or /etc/services, more Debian integration and two man pages (Thanks, Jeff!), 
support for ipchains-save output format, support for --sport and --dport (Thanks, Rusty!), some documentation updates, 
the ability to add packet counts to each rule, sorting the most commonly used rules to the top,  
misc. bug fixes and performance improvements, fixes to the Cisco output format, the ability to 
generalize the ack rules for tcp connections, cutting 25%-35% of the rules (<i>Use at your own risk for the 
moment - this needs to be checked</i>), an internal checkpointing ability to help in debugging, 
Mason can find the smallest subnet that encompasses the ips found on a dynamic interface 
and no_outgoing_ protocols.  </p>
<p>Support for ipchains -Lnxv input format was planned, but scrapped when I realized there was an easier
way to get packet counts into Mason.</p>
<p>Known bug: Mason occasionally exits during the course of normal operation.  It complains on the 
way out that it has "crashed", when the exit was intentional.  I'm still working with the 
trap logic to stop it from complaining when it shouldn't.</p>
<li><p>Mason-0.12.0 (<a href="mason-0.12.0.tar.gz">tar</a>, <a href="mason-0.12.0-1.noarch.rpm"><b>noarch rpm</b></a>, 
<a href="mason-0.12.0-1.src.rpm">src rpm</a>).  Mason now has an output option for Cisco IOS access-list
rules.  It still needs to run on a Linux system, but can provide output useable in a Cisco router.  I don't have a 
Cisco router here, though; please let me know if it works or doesn't.</p>
<p>The Mason package now includes some additional "services" files.  If you choose, Mason can automatically 
pull services from these files if your /etc/services file is missing them.  Many thanks to the guys who 
wrote nmap for the nmap-services file.</p>
<p>Ironically, I do not suggest you use these as they are too complete; Mason may actually have trouble 
generalizing its rules because <i>everything</i> looks like a server port.</p>

<li>Mason-0.11.1 (<a href="mason-0.11.1.tar.gz">tar</a>, <a href="mason-0.11.1-1.noarch.rpm">noarch rpm</a>, 
<a href="mason-0.11.1-1.src.rpm">src rpm</a>).  Ipfwadm hadn't been tested in a while; thanks to Rich
who pointed out that it, ahem, didn't work at all.  Two typos and it's doing much better now.<p>
I also added TOS (Type Of Service) flag setting to this version.  That, in theory, should help interactive
performance on slow links with lots of bulk traffic.  I also added the ability to completely block individual
IP's or entire subnets.
<li>Mason-0.11.0 (<a href="mason-0.11.0.tar.gz">tar</a>, <a href="mason-0.11.0-1.noarch.rpm">noarch rpm</a>, 
<a href="mason-0.11.0-1.src.rpm">src rpm</a>) Generally functional.  Now it has an rpm version.
<li><a href="mason-0.11.0-beta3.tar.gz">mason-0.11.0-beta3.tar.gz</a>  Mostly reorganization, but some bug fixes too.  Better
support for ipfwadm - it probably works now.  I can't test it because I don't run 2.0 kernels at this point.  Any feedback?
<li><a href="mason-0.11.0-beta2.tar.gz">mason-0.11.0-beta2.tar.gz</a>  Mason has undergone serious surgery.  The 
documentation is horribly out of date.  Nonetheless, the functionality is there.  Download this, open it up, 
run "make install", briefly edit /etc/masonrc, and run mason-gui-text.  "base" rules are the permanent, approved
rules that get run at boot time.  "new" rules are only used during the firewall creation process.  When you're 
happy with a "new" rule, put something like #APPROVED at the end and use the "merge rules" feature to carry them over to 
the "base" set.  That's the 2 cent tour - let me know what you find is broken.  I already know the ipfwadm stuff is lagging
so far behind ipchains as to be unusable in this release - sorry.  Despite that, the new stuff in Mason is <b>well</b> 
worth it...grin...
<li><a href="mason-0.11.0-beta1.tar.gz">mason-0.11.0-beta1.tar.gz</a>
<li><a href="mason-0.11.0-alpha1.tar.gz">mason-0.11.0-alpha1.tar.gz</a>
<li><a href="mason-0.10.0-beta3.tar.gz">mason-0.10.0-beta3.tar.gz</a>  The 0.9 and 0.10 versions handle ipchains, but 
as of 0.10.0-beta3, the documentation does not fully reflect the functionality.
<li><a href="mason-0.10.0-beta2.tar.gz">mason-0.10.0-beta2.tar.gz</a>
<li><a href="mason-0.10.0-beta1.tar.gz">mason-0.10.0-beta1.tar.gz</a>
<li><a href="mason-0.9.1-beta1.tar.gz">mason-0.9.1-beta1.tar.gz</a>
<li><a href="mason-0.9.0-beta2.tar.gz">mason-0.9.0-beta2.tar.gz</a>
<li><a href="mason-0.9.0-beta1.tar.gz">mason-0.9.0-beta1.tar.gz</a>
<li><a href="mason-0.7.9.tar.gz">mason-0.7.9.tar.gz</a> Versions up to and including 0.7.9 handle only ipfwadm
input, kernels and output.
<li><a href="mason-0.7.0.tar.gz">mason-0.7.0.tar.gz</a>
<li><a href="mason-0.6.9.tar.gz">mason-0.6.9.tar.gz</a>
<li><a href="mason.0.6.0">mason.0.6.0</a> 
<li><a href="mason.0.5.0">mason.0.5.0</a> Versions up to and including 0.6.0 are just a single shell script.
</ul>

<p>Here's how to install:
<ul>
<li>Download the above tar file to /usr/src
<li>cd /usr/src
<li>tar -xzvf mason-<i>version</i>.tar.gz
<li>cd mason-<i>version</i>
<li>make install
<li>Follow the quickstart section in mason.txt
</ul>

<p>Here are the individual files you can download.  These files may be newer than the ones 
in the packages above; if so, they are here as prerelease versions for those who want to
be on the bleeding edge.</p>
<ul>
<li><a href="COPYING">COPYING</a> The GNU General Public License.
<li><a href="Makefile">Makefile</a> Used in packaging and distribution.
<li><a href="baserules">baserules</a> The baserules file is one of two files (see newrules) that hold your firewall rules.  
baserules holds the rules that you've checked over and are sure should be part of your final firewall.
<li><a href="baserules.sample">baserules.sample</a> A few possible rules for use as a starting point.
<li><a href="firewall">firewall</a> The boot time script for use in /etc/rc.d/init.d.
<li><a href="index.html">index.html</a> The Mason web page.
<li><a href="mason">mason</a> The actual mason script.
<li><a href="mason-gui-text">mason-gui-text</a> The rudimentary interface to running Mason and building a firewall.
<li><a href="mason-gui-text.1">mason-gui-text.1</a> man page for mason-gui-text.
<li><a href="mason.1">mason.1</a> man page for mason.
<li><a href="mason.spec">mason.spec</a> The RPM spec file.
<li><a href="mason.lsm">mason.lsm</a> The Linux Software Map entry.
<li><a href="mason.sgml">mason.sgml</a> The primary documentation for the package.  The sgml format is designed to allow
easy conversion to more readable formats.
<li><a href="mason.html">mason.html</a> The primary documentation for the package, in hypertext.
<li><a href="mason.txt">mason.txt</a> The primary documentation for the package, in a flat text file.
<li><a href="masonlib">masonlib</a> A library of functions used by a number of the other files.
<li><a href="masonrc">masonrc</a> The main configuration file.  There are intelligent defaults for all of these fields.
<li><a href="moreservices">moreservices</a> The services file I use, good as a reference if you don't recognize a protocol.
<li><a href="nmap-services">nmap-services</a> The additional services file included with the nmap tool.  An even better reference.
<li><a href="newrules">newrules</a> newrules is the other file that holds firewall rules.  It holds rules created by mason
that you haven't looked over yet.  Think about what would happen if you were port scanned while Mason was running; if you only 
had one file to hold rules, all of these portscan rules you don't want would be mixed in with the rules you do want.
<p>An important note - rules in newrules are <em>not</em> part of your regular firewall - they are only used during the
learning process.  This is why you need to merge rules from newrules to baserules once you're sure of them.
<li><a href="regression-test">regression-test</a> The shell script test suite for some of the parts of the package.  Contributions welcome.
</ul>
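<p>The newrules/baserules separation and the "#APPROVED" marker mentioned in the 0.11.0-beta2 notes, as an added example that is not Mason's own "merge rules" code. The <code>merge_approved</code> function, its duplicate handling and the sample rules are assumptions made for illustration. Rules learned during a scan stay in newrules because nobody approved them.</p>

```shell
#!/bin/sh
# Added illustration, not Mason's "merge rules" code: carry reviewed rules
# from newrules into baserules and leave everything else behind.

# merge_approved NEWRULES BASERULES
# A rule counts as reviewed only if its line ends in "#APPROVED".
merge_approved() {
    mr_new=$1; mr_base=$2
    [ -f "$mr_new" ] || return 1
    touch "$mr_base" || return 1
    mr_keep=$(mktemp) || return 1
    mr_add=$(mktemp) || { rm -f "$mr_keep"; return 1; }
    awk -v base="$mr_base" -v keep="$mr_keep" '
        BEGIN {
            # Remember rules already in baserules so a re-run adds nothing.
            while ((getline line < base) > 0) seen[line] = 1
            close(base)
        }
        /#APPROVED[ \t]*$/ {
            sub(/[ \t]*#APPROVED[ \t]*$/, "")
            if (!($0 in seen)) { seen[$0] = 1; print }
            next
        }
        { print > keep }       # unreviewed: stays in newrules
    ' "$mr_new" > "$mr_add" || { rm -f "$mr_keep" "$mr_add"; return 1; }
    cat "$mr_add" >> "$mr_base" && cat "$mr_keep" > "$mr_new"
    mr_rc=$?
    rm -f "$mr_keep" "$mr_add"
    return $mr_rc
}

# Constructed scenario: one reviewed web rule, plus two rules that were
# learned from a probe of telnet and portmapper while learning was active.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/newrules" <<'EOF'
ipchains -A input -i eth0 -p tcp -s 192.168.1.10 1024:65535 -d 10.0.0.5 80 -j ACCEPT #APPROVED
ipchains -A input -i eth0 -p tcp -s 203.0.113.7 1024:65535 -d 10.0.0.5 23 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 203.0.113.7 1024:65535 -d 10.0.0.5 111 -j ACCEPT
EOF
    : > "$d/baserules"
    merge_approved "$d/newrules" "$d/baserules" || return 1
    echo "baserules=$(grep -c . "$d/baserules") unreviewed=$(grep -c . "$d/newrules")"
    rm -rf "$d"
}

demo
```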

<hr>

<h1>Credits</h1>

<p>Most of the files in the Mason package are Copyright (c) 1998-2001 by 
William Stearns <a href="mailto:wstearns@pobox.com">wstearns@pobox.com</a> or 
<a href="mailto:jeff@luci.org">Jeff Licquia</a>.  They are 
released under the <a href="COPYING">GNU GPL</a>, which is included in the package.  If you did not receive a 
copy of this license, please contact the author for a copy (see the top of the Mason 
script for contact information for the author and the Free Software Foundation).</p>

<p><i>Last edited: 5/12/02</i></p>
<p><i>Best viewed with something that can show web pages... &lt;grin&gt;</i></p>
</body>
</html>