Good morning, Rich,
On Thu, 4 Mar 1999, rich wrote:
> Ok, on an *inside*/dept firewall, if you want to get a blueprint
> for lack of a better word, of what is the existing traffic how would
> you suggest going about doing this?
>
> My thoughts -- Install ipfwadm or ipchains with a default of accept all
> for I, O and F. Then turn on auditing for just about every tcp and udp
> port separately -- Basically a rule for each port # so as to map out
> the traffic patterns on what is going on and then discuss with the
> departments what they have going, why, and present a more realistic
> firewall plan.
>
> Any other thoughts or methods/tools for this??
Mason *1 does _exactly_ what you describe. It was designed to
create a strict default deny firewall on ipchains or ipfwadm - and does so
much more than just that right now. Mason creates ipchains/ipfwadm rules,
but they're commented at the end of the line so you can know what
protocols are being used.
Here's how:
- download mason-0.11.0 from http://www.pobox.com/~wstearns/mason (rpm or
tar) and install.
- export EDITOR=vi # or whatever your favourite is.
- set the three policies near the top of /etc/masonrc
- read through the quickstart, or if you're _really_ impatient, just run
mason-gui-text.
- Mason will create the rules for your firewall in
/var/lib/mason/newrules; these will match exactly the traffic flows that
are going through your firewall.
The "gui" is deliberately cheesy and just barely adequate; my goal
is to have a real interface written for X/ncurses. The real work I do is
in creating the rules - that's done by the Mason executable. The gui is
just a wrapper that makes running it a little easier.
If you tried Mason a few months back and weren't impressed,
neither was I! I've done a _lot_ of work on it. With the exception of
the documentation that still needs to be updated to reflect the changes,
it's a functional tool.
I'd be sincerely interested to know what you think of it and would
love to get any feedback on it - good or bad!
Cheers,
- Bill
*1 http://www.pobox.com/~wstearns/mason/
---------------------------------------------------------------------------
"Microsoft's biggest and most dangerous contribution to the
software industry may be the degree to which it has lowered user
expectations."
-- Esther Schindler, OS/2 Magazine
(Courtesy of Bob Tracy - TDS <[EMAIL PROTECTED]>)
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED])
Mason, Buildkernel, and named2hosts are at: http://www.pobox.com/~wstearns
--------------------------------------------------------------------------
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
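The approach discussed in this thread, an accept-all audit phase whose logs are turned into a commented default-deny ruleset, can be illustrated with a small script. This is an added example written for this page; it is not Mason's code and does not reproduce how Mason itself parses logs or builds rules. It assumes the audit rules log accepted packets with ipchains' `-l` option, so that each packet appears in syslog in the 2.2-kernel `Packet log:` format; the log lines below are constructed samples, not real traffic, and ICMP lines (which use a type:code field) are deliberately left unhandled. Only TCP SYN packets are allowed to define a new flow, so the generated rule reflects which side actually opened the connection; later packets of a flow that was already seen are simply counted.

```python
import re
import socket
from collections import OrderedDict

# Constructed sample lines (not real traffic) in the ipchains "Packet log:"
# syslog format produced when an ACCEPT rule carries the -l logging flag.
SAMPLE_LOG = """\
Mar  4 09:12:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.1.2.3:1041 10.1.0.5:80 L=60 S=0x00 I=4711 F=0x4000 T=64 SYN (#3)
Mar  4 09:12:02 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.1.2.3:1041 10.1.0.5:80 L=52 S=0x00 I=4712 F=0x4000 T=64 (#3)
Mar  4 09:12:05 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 10.1.2.7:1025 10.1.0.2:53 L=68 S=0x00 I=9 F=0x0000 T=64 (#4)
Mar  4 09:12:09 fw kernel: Packet log: forward ACCEPT eth1 PROTO=6 10.1.2.9:1100 192.0.2.10:25 L=60 S=0x00 I=8 F=0x4000 T=63 SYN (#5)
Mar  4 09:12:11 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.9:1101 10.1.0.5:23 L=60 S=0x00 I=12 F=0x4000 T=64 SYN (#7)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<rest>.*)\(#\d+\)\s*$"
)
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_line(line):
    """Return a dict for one TCP/UDP ipchains log line, or None if the line
    does not match (ICMP lines use a type:code field and are not handled)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = PROTO_NAMES.get(int(m.group("proto")))
    if proto is None:
        return None
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "iface": m.group("iface"),
        "proto": proto,
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "syn": "SYN" in m.group("rest").split(),
    }


def summarize_flows(log_text):
    """Aggregate logged packets into flows keyed by
    (chain, iface, proto, initiator, responder, responder_port) -> packet count."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["action"] != "ACCEPT":
            continue  # unparsable, ICMP, or already denied: not part of the map
        key = (pkt["chain"], pkt["iface"], pkt["proto"],
               pkt["src"], pkt["dst"], pkt["dport"])
        if pkt["proto"] == "tcp" and not pkt["syn"]:
            # Mid-connection TCP packet: count it against a flow we already saw
            # open (same direction, or the reply direction), but never let it
            # define a new flow, since without the SYN the initiator is unknown.
            rkey = (pkt["chain"], pkt["iface"], pkt["proto"],
                    pkt["dst"], pkt["src"], pkt["sport"])
            for k in (key, rkey):
                if k in flows:
                    flows[k] += 1
                    break
            continue
        flows[key] = flows.get(key, 0) + 1
    return flows


def service_name(port, proto):
    """Best-effort service name from /etc/services, else the bare port."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "port %d" % port


def render_rules(flows, policy="DENY"):
    """Emit a default-deny ruleset: a policy line per chain seen, then one
    ACCEPT rule per observed flow with a trailing comment naming the service."""
    chains = []
    for key in flows:
        if key[0] not in chains:
            chains.append(key[0])
    rules = ["ipchains -P %s %s" % (chain, policy) for chain in chains]
    for (chain, iface, proto, src, dst, dport), count in flows.items():
        rules.append(
            "ipchains -A %s -i %s -p %s -s %s/32 -d %s/32 %d -j ACCEPT   # %s, %d packets"
            % (chain, iface, proto, src, dst, dport, service_name(dport, proto), count)
        )
    return rules


if __name__ == "__main__":
    for rule in render_rules(summarize_flows(SAMPLE_LOG)):
        print(rule)
```

The output is the kind of blueprint Rich asked for: every rule corresponds to a flow that actually crossed the firewall, with the service and packet count in the comment so it can be discussed with the department that owns it before the accept-all policy is replaced. The DENY entry in the sample is skipped on purpose, since traffic an existing rule already rejects is not part of the picture of what the departments are using.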