<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>The Mason HOWTO: Quickstart</TITLE>
<LINK HREF="mason-4.html" REL=next>
<LINK HREF="mason-2.html" REL=previous>
<LINK HREF="mason.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="mason-4.html"><IMG SRC="next.gif" ALT="Next"></A>
<A HREF="mason-2.html"><IMG SRC="prev.gif" ALT="Previous"></A>
<A HREF="mason.html#toc3"><IMG SRC="toc.gif" ALT="Contents"></A>
<HR>
<H2><A NAME="quickstart"></A> <A NAME="s3">3. Quickstart</A></H2>
<P> This document is designed to help people who are unfamiliar with
Mason build a firewall using it. A novice user should be able to start
building a basic firewall using these instructions in 20 minutes.
<HR>
<PRE>
#include <disclaimer.h>
</PRE>
<HR>
<P>
<H2><A NAME="ss3.1">3.1 Make sure the system is already pretty secure.</A>
</H2>
<P> See the Linux security sites and the Linux Administrators Security
Guide for more info. A strict packet filtering firewall is useless if
someone can get root access somehow; they can just turn off the firewall.
<P>
<H2><A NAME="ss3.2">3.2 Install the Mason package</A>
</H2>
<P> 5 minutes or less.
<P>If you're using an rpm-based system, type just
<HR>
<PRE>
rpm -Uvh ftp://www.stearns.org/pub/wstearns/mason/mason-1.0.0-0.noarch.rpm
</PRE>
<HR>
<P>Otherwise, download the latest version to /usr/src,
<HR>
<PRE>
cd /usr/src&lt;Enter&gt;
tar -xzvf mason...tar.gz&lt;Enter&gt;
cd mason...&lt;Enter&gt;
make install&lt;Enter&gt;
</PRE>
<HR>
<P>
<H2><A NAME="ss3.3">3.3 Prepare /etc/services</A>
</H2>
<P> Probably mostly done!
<P>Mason depends on a few setup details to be able to provide a
firewall that works in the way you intended. Make sure that
/etc/services includes the server port names for all services you intend
to work with, whether those services are running on the firewall machine
or on some other machine.
<P>For example, if you intend to use ssh to connect to another system,
make sure that the line
<PRE>
ssh 22/tcp
</PRE>
<P>is in /etc/services. Entries that might be missing include:
<PRE>
ftp-data 20/tcp
ssh 22/tcp #Secure shell
linuxconf 98/tcp
squid 3128/tcp #Squid proxy cache requests
icp 3130/udp #Inter Cache Protocol, used in squid
</PRE>
<P>It is not necessary to include entries for services that you
don't use. Also, do _not_ place entries for _client_ ports in this
file; Mason assumes anything referenced in this file is a server port.
For example, even though one of the client ports used for ssh is
1022/tcp, you would _not_ place this in /etc/services. Doing so would
make Mason treat the client end of such a connection as the server end
and write rules that don't match the traffic you meant to allow.
<P>If you're not sure which ports are being used as servers on the
firewall or on other machines on your network, use the
"netstat -an | less"
command on Linux/Unix systems and look for lines with "LISTEN". UDP
sockets never show a LISTEN state, so also check the "udp" lines for
ports your servers have bound.
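<P>The script below is an added example and is not part of the Mason
package. It automates the netstat check just described: it lists the
server ports a host is actually listening on and reports the ones that
have no entry in a services file, so /etc/services can be completed
before Mason starts learning. It assumes the classic Linux "netstat -an"
column layout (state in the sixth column for tcp, no state column for
udp); the netstat output and the services file it uses are constructed
samples so that it runs offline.

```sh
#!/bin/sh
# Added example; not part of the Mason package. Lists server ports found in
# "netstat -an" output and reports those missing from a services file.
# The netstat output and services file below are constructed samples so the
# script runs offline; on a real host run
#   netstat -an | list_listeners | missing_services /etc/services

# Constructed "netstat -an" output (assumes the classic Linux column layout:
# state in column 6 for tcp, no state column for udp; tcp6/udp6 lines on
# newer kernels would need adding to the match in list_listeners).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.1:3128         0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.1:1022         12.13.14.44:22          ESTABLISHED
udp        0      0 0.0.0.0:3130            0.0.0.0:*'

# Constructed services file that is missing the ssh, squid and icp lines.
SAMPLE_SERVICES='ftp-data 20/tcp
ftp 21/tcp
smtp 25/tcp mail
domain 53/udp'

# list_listeners: stdin is "netstat -an" output; prints one "port/proto" per
# server socket: tcp sockets in LISTEN state plus every bound udp socket
# (udp has no LISTEN state). The client end of the ESTABLISHED ssh session
# (1022/tcp) is deliberately not listed, since it is not a server port.
list_listeners() {
    awk '($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            n = split($4, a, ":"); print a[n] "/" $1 }' | sort -u
}

# missing_services FILE: stdin is "port/proto" lines; prints those that have
# no line in FILE whose second field matches (comment lines are ignored).
missing_services() {
    while read -r pp; do
        awk -v pp="$pp" '$0 !~ /^#/ && $2 == pp { found = 1 } END { exit !found }' "$1" \
            || echo "$pp"
    done
}

# check_sample: runs the pipeline over the constructed data and prints the
# ports that would have to be added to /etc/services.
check_sample() {
    svc=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SERVICES" > "$svc"
    printf '%s\n' "$SAMPLE_NETSTAT" | list_listeners | missing_services "$svc"
    rm -f "$svc"
}

check_sample
```

<P>Each port the script prints needs a server entry in /etc/services
with the name you want to see in the rules; the constructed run above
reports 22/tcp, 3128/tcp and 3130/udp, the ssh, squid and icp lines from
the list of commonly missing entries.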
<P>
<P>
<H2><A NAME="ss3.4">3.4 Prepare /etc/hosts</A>
</H2>
<P> Probably mostly done!
<P>Try to place short names first. You don't have to do this, but the
firewall will be much more readable in the end if you do.
<P>Make sure that your /etc/hosts file has at least entries for:
<UL>
<LI>localhost</LI>
<LI>the ip addresses of all interfaces on your firewall</LI>
<LI>all the networks in your routing table except 0.0.0.0.</LI>
<LI>all dns servers</LI>
<LI>any other hosts that Mason might treat specially</LI>
</UL>
<P>For example:
<PRE>
127.0.0.1 localhost
172.16.0.1 fwall-inside bastion bastion.mydomain.org
12.13.14.15 fwall-outside
172.16.0.0 INSIDE #I use all caps to distinguish networks from normal IPs.
12.13.14.0 OUTSIDE
12.13.16.10 myisp-dns1
12.13.16.11 myisp-dns2
12.13.14.44 ntp bonzo bonzo.mydomain.org
</PRE>
<P>
<H2><A NAME="ss3.5">3.5 Prepare the routing table and interfaces</A>
</H2>
<P> Probably already done!
<P>Mason assumes that the routing table and interfaces are set up to
match the way the final firewall will run. If you're running Mason on
the actual firewall machine and all the interfaces and networks have
already been configured, it can take that information from the running
system; proceed to the next step.
<P>If you're building the firewall on a different machine, edit
/etc/masonrc on the machine on which Mason will run. Edit the
line (or add it if it's not there)
<PRE>
NETWORKS="....."
</PRE>
Inside the quotes, place the following:
<P>
<UL>
<LI>All ip addresses of all interfaces for the firewall, each followed by
/32 .</LI>
<LI>The ip's of any hosts that shouldn't be treated identically to the
other machines on their respective networks.</LI>
<LI>All networks whose machines the firewall should treat identically.</LI>
</UL>
<P>For example, if the firewall had IP address 172.16.0.1 on network
172.16.0.0/255.255.0.0 and IP address 12.13.14.15 on network
12.13.14.0/255.255.255.0, and I were building the firewall on another
machine, I would add the following line to /etc/masonrc:
<PRE>
NETWORKS="127.0.0.1/32 172.16.0.1/32 12.13.14.15/32 172.16.0.0/16 12.13.14.0/24"
</PRE>
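<P>The script below is an added example, not part of the Mason package,
covering both of the preparation steps above (3.4 and 3.5). It builds the
NETWORKS= value from the routing table and the interface addresses,
converting each netmask to a prefix length, and then checks that every
address and network in that value is named in /etc/hosts, since a missing
entry leaves a bare IP in the rules Mason prints. The "route -n" output,
interface addresses and hosts file it uses are constructed copies of the
quickstart's example network, with the OUTSIDE entry deliberately left out
of the hosts file so the check has something to find.

```sh
#!/bin/sh
# Added example; not part of the Mason package. Builds the NETWORKS= value
# for /etc/masonrc from "route -n" output and interface addresses, then
# reports any address in it that /etc/hosts does not name. Inputs below are
# constructed; on a real host use
#   nets=$(route -n | build_networks "<inet addrs from ifconfig>")
#   hosts_missing "$nets" /etc/hosts

# Constructed "route -n" output (assumes the classic column layout:
# Destination Gateway Genmask Flags Metric Ref Use Iface).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12.13.14.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         12.13.14.1      0.0.0.0         UG    0      0        0 eth1'

# Constructed interface addresses of the example firewall.
SAMPLE_IFADDRS='127.0.0.1 172.16.0.1 12.13.14.15'

# Constructed /etc/hosts that forgot to name the OUTSIDE network.
SAMPLE_HOSTS='127.0.0.1 localhost
172.16.0.1 fwall-inside bastion bastion.mydomain.org
12.13.14.15 fwall-outside
172.16.0.0 INSIDE'

# mask2prefix 255.255.0.0 -> 16 (counts set bits; assumes a contiguous mask).
mask2prefix() {
    echo "$1" | awk -F. '{ bits = 0
        for (i = 1; i <= 4; i++) { o = $i + 0
            while (o > 0) { bits += o % 2; o = int(o / 2) } }
        print bits }'
}

# build_networks "ADDR ADDR ...": stdin is "route -n" output. Prints each
# interface address as /32, then each network route as net/prefix. The
# default route and the loopback route are skipped, matching the
# quickstart's example NETWORKS line.
build_networks() {
    out=""
    for a in $1; do out="$out $a/32"; done
    while read -r dest gw mask rest; do
        case "$dest" in Kernel|Destination|0.0.0.0) continue ;; esac
        case "$rest" in *" lo") continue ;; esac
        out="$out $dest/$(mask2prefix "$mask")"
    done
    echo "${out# }"
}

# hosts_missing "NETWORKS value" HOSTSFILE: prints each address (mask
# stripped) that has no line in HOSTSFILE whose first field is that address.
hosts_missing() {
    for entry in $1; do
        addr="${entry%/*}"
        awk -v a="$addr" '$0 !~ /^#/ && $1 == a { f = 1 } END { exit !f }' "$2" \
            || echo "$addr"
    done
}

# check_sample: prints the addresses in the generated NETWORKS line that the
# constructed /etc/hosts does not name.
check_sample() {
    hosts=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_HOSTS" > "$hosts"
    nets=$(printf '%s\n' "$SAMPLE_ROUTES" | build_networks "$SAMPLE_IFADDRS")
    hosts_missing "$nets" "$hosts"
    rm -f "$hosts"
}

check_sample
```

<P>On the constructed data build_networks produces exactly the
quickstart's line, and the hosts check reports 12.13.14.0, the network
that should have been named OUTSIDE.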
<P>
<H2><A NAME="ss3.6">3.6 Check the configuration file</A>
</H2>
<P> 5 minutes, more if you want to customize.
<P>The configuration choices in /etc/masonrc are ordered so that the
fields you'll most likely need to edit are at the top and the really
obscure ones are at the bottom.
<P>There are a few settings you must set for Mason to work at all:
NEWRULEPOLICY, DEFAULTPOLICY, and FLUSHEDPOLICY. If you have no
firewall at all and are creating one for the first time, set each to
"ACCEPT". During the learning process, you will have no protection at
all (all packets will be accepted), but note that this is no _less_
secure than a system without a firewall.
<P>If you want to make the creation process a little more secure, you
might consider setting one of these to DENY or REJECT; see the comments
in /etc/masonrc and mason.txt for more info on this. In
particular, if you are building this remotely over a telnet or ssh session,
setting any of the three to something other than ACCEPT before Mason has
learned, and you have committed, a rule for that telnet or ssh traffic
almost guarantees that you will lose the ability to telnet or ssh to the
box until it is rebooted from the console. If you must work remotely, let
Mason see your own session's traffic and commit that rule before you
change any of the policies.
<P>If you're in a rush to try out Mason, feel free to set just these
three fields and continue. The more of the settings you set to match
your needs, the better the firewall will be at matching your security
policy in the end.
<P>
<P>
<H2><A NAME="ss3.7">3.7 Place any known rules in /var/lib/mason/baserules</A>
</H2>
<P> No time for most people.
<P>If you know some rules you'll need already, put them in this file.
For example, if you know you'll need to masquerade all traffic from the
172.16.0.0/255.255.0.0 network, a sample rule for this is already in
baserules.
<P>If you don't know of any, no problem.
<P>
<P>
<H2><A NAME="ss3.8">3.8 Run mason-gui-text</A>
</H2>
<P> This (admittedly rudimentary) interface helps you build the firewall.
Choose "BL" (begin learning) and watch mason start to spit out the
firewall rules that perfectly match your system's network traffic.
<P>Check that stopwatch - you're building a firewall less than 20
minutes from when you started! Give yourself a pat on the back. Mason
will do a great deal of the rest in the background while you're doing
your day to day work.
<P>Do all of the things you want this firewall to support. If you want
to allow mail to be sent through it, send mail through it. If you want
to be able to ping it, ping it. If you want to be able to traceroute
from it, traceroute from it.... You get the idea.
<P>Mason will present the new rules that match your network's
traffic. For each rule you'll be given the chance to modify the rule or
commit the rule. Here are the modify choices:
<P>
<P>
<UL>
<LI>Edit manually: edit the rule. You can make any changes
you'd like to the rule before committing it to the permanent ruleset.</LI>
<LI>Jot: jot a note at the end of the rule. You can enter a
comment to be placed at the end of the rule.</LI>
<LI>Accept: change policy to Accept and commit. Without changing
any of the rest of the rule, this changes the rule action to Accept (let
the packet pass) and commits it to the permanent ruleset.</LI>
<LI>Deny: change policy to Deny and commit. Like the above, but
change the policy to Deny (or Drop, as appropriate for the firewall
type: ipchains calls it DENY, iptables calls it DROP; both discard the
packet without sending any error message back to the original sender).</LI>
<LI>Masq: change policy to Masquerade and commit. Like the
above, but change the policy to Masquerade. Masquerading allows
multiple machines to share a single IP address; the more general term is
"many-to-one NAT".</LI>
<LI>Reject: change policy to Reject and commit. Like the above,
but Reject the packet. Like Deny/Drop, the packet is discarded, but
Reject sends back an error message to the original sender.</LI>
</UL>
<P>
<P> Here are the commit choices:
<P>
<UL>
<LI>Postpone: postpone the choice. If you can't decide what to do with
a rule, or don't have the time to decide, choose postpone. This saves
it to the "newrules" file, which is not used in the firewall at boot
time. You'll be asked later about any rule choices you postponed.</LI>
<LI>Throw away: throw away the line. Forget the rule entirely.</LI>
<LI>Blockedhost: make this host a BLOCKEDHOST and delete the rule.
Good if someone's attacking you and you want to shun them entirely.</LI>
<LI>Noincoming: make this port a NOINCOMING port and delete the rule.
This is good for ports that should never be allowed in to your network.</LI>
<LI>Commit: commit to the permanent firewall set. Commit the rule verbatim.</LI>
<LI>Quit: postpone any remaining rules and quit. Oops, time for
lunch! Use this to postpone the current rule and any others in the
queue.</LI>
</UL>
<P>Once you're happy with a firewall ruleset, stop learning. From
the main menu you can either Edit the Base ruleset with "EB" or Quit.
Edit New and Merge Rules are generally not needed and will be removed in
a future version.
<P>Baserules is reserved for rules that you are _sure_ are correct;
only these rules get loaded at boot time if you've enabled the firewall
(run "ntsysv" in RedHat and enable the firewall service, or make the
appropriate symlink from /etc/rc.d/init.d/firewall to
/etc/rc.d/rc3.d/S92firewall for other distributions).
<P>The goal is to have a baserules file that has all of the rules
you've approved and an empty newrules file. Keep in mind that the
firewall that will normally be started at boot time _only_ uses rules
from baserules.
<P>If you need to step away from the firewall for a minute, choose "LC"
(lock console) from the main menu. Mason will keep on learning and
you'll still see the new rules, but that console will be locked. You'll
need to enter the root password to return to the main menu.
<P>
<P>
<H2><A NAME="ss3.9">3.9 Tell your boss that you're going to need a few weeks to build this.</A>
</H2>
<P> Then head off to Bermuda and bask in the sun while Mason does its
learning.
<P>And make sure you have a penguin typing away in your chair so no-one
is suspicious.
<P>*grin*
<P>
<P>
<H2><A NAME="ss3.10">3.10 Implement the final firewall.</A>
</H2>
<P> Once you've let Mason run in the background for a couple of days,
are confident that you've gotten all of the traffic types this machine
needs to support, have merged all of the rules to baserules, and are
confident they are what you want, lock down the firewall.
<P>In /etc/masonrc, change DEFAULTPOLICY to DENY. If you want to keep
Mason running to see if any stragglers show up, you'll probably want to
change NEWRULEPOLICY to DENY as well; this has the effect of creating
rules for new packet types, but they are DENY rules now.
<P>Otherwise, just start the standard firewall with:
<PRE>
/etc/rc.d/init.d/firewall start
</PRE>
<P>If you've enabled the firewall service or made the init symlink
described in section 3.8, the firewall will be started automatically at
boot time.
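<P>The script below is an added example and is not part of the Mason
package. It serves both the policy warning in section 3.6 and the
lockdown in this section: it reads NEWRULEPOLICY, DEFAULTPOLICY and
FLUSHEDPOLICY from an /etc/masonrc-style file, reports whether the
firewall is still in learning mode (all three ACCEPT) or restrictive,
and flags a restrictive setting as unsafe when nothing committed to
baserules names the address you are administering from. It assumes the
settings are written NAME="VALUE" one per line, as the quickstart shows
for NETWORKS, and that a committed rule for your session contains your
client address literally. The masonrc and baserules files it uses are
constructed; the rule line is written in plain ipchains syntax for
illustration and is not Mason's own output format.

```sh
#!/bin/sh
# Added example; not part of the Mason package. Checks the three Mason
# policy settings and refuses a remote lockdown that would cut off your
# own session. Sample files are constructed; the ipchains rule line is
# illustrative only, not Mason's output format. On a real host, over ssh:
#   lockdown_safe /etc/masonrc /var/lib/mason/baserules "${SSH_CLIENT%% *}"

RC_LEARN='NEWRULEPOLICY="ACCEPT"
DEFAULTPOLICY="ACCEPT"
FLUSHEDPOLICY="ACCEPT"'

RC_LOCKED='# locked down after a few days of learning
NEWRULEPOLICY="DENY"
DEFAULTPOLICY="DENY"
FLUSHEDPOLICY="DENY"'

RULES_EMPTY='# nothing committed to baserules yet'
RULES_SSH='ipchains -A input -p tcp -s 12.13.14.44 -d 12.13.14.15 22 -j ACCEPT'

# get_setting FILE NAME: prints NAME's value with quotes stripped
# (comment lines ignored; if NAME appears twice the last one wins).
get_setting() {
    awk -v n="$2" -F= '$0 !~ /^[ \t]*#/ && $1 == n { v = $2; gsub(/"/, "", v) }
                       END { print v }' "$1"
}

# policy_mode FILE: "learning" if all three policies are ACCEPT,
# otherwise "restrictive".
policy_mode() {
    for s in NEWRULEPOLICY DEFAULTPOLICY FLUSHEDPOLICY; do
        [ "$(get_setting "$1" "$s")" = "ACCEPT" ] || { echo restrictive; return 0; }
    done
    echo learning
}

# lockdown_safe MASONRC BASERULES CLIENT_ADDR: prints "ok" or "unsafe".
# "unsafe" means a policy is no longer ACCEPT and nothing in BASERULES
# mentions the address your session comes from, so applying it remotely
# would most likely drop the session, as the quickstart warns.
lockdown_safe() {
    if [ "$(policy_mode "$1")" = "learning" ]; then echo ok; return 0; fi
    if grep -F -q -- "$3" "$2"; then echo ok; else echo unsafe; fi
}

# run_demo: writes the constructed files to a temporary directory and
# prints "mode verdict" for three scenarios, administering from 12.13.14.44.
run_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$RC_LEARN"    > "$d/rc.learn"
    printf '%s\n' "$RC_LOCKED"   > "$d/rc.locked"
    printf '%s\n' "$RULES_EMPTY" > "$d/rules.empty"
    printf '%s\n' "$RULES_SSH"   > "$d/rules.ssh"
    echo "$(policy_mode "$d/rc.learn") $(lockdown_safe "$d/rc.learn" "$d/rules.empty" 12.13.14.44)"
    echo "$(policy_mode "$d/rc.locked") $(lockdown_safe "$d/rc.locked" "$d/rules.empty" 12.13.14.44)"
    echo "$(policy_mode "$d/rc.locked") $(lockdown_safe "$d/rc.locked" "$d/rules.ssh" 12.13.14.44)"
    rm -rf "$d"
}

run_demo
```

<P>The three scenarios print "learning ok", "restrictive unsafe" and
"restrictive ok": the first is the learning configuration from section
3.6, the second is the lockdown applied with an empty baserules, and the
third is the same lockdown once a rule naming the administrator's host
has been committed. OpenSSH sets SSH_CLIENT to "address port port", so
its first word is the address to pass as CLIENT_ADDR when you run the
check from the session you want to keep.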
<P>
<P>
<HR>
<A HREF="mason-4.html"><IMG SRC="next.gif" ALT="Next"></A>
<A HREF="mason-2.html"><IMG SRC="prev.gif" ALT="Previous"></A>
<A HREF="mason.html#toc3"><IMG SRC="toc.gif" ALT="Contents"></A>
</BODY>
</HTML>