#!/bin/bash

#For instructions on how to set the parameters in this file, refer to 
#mason.txt that came with this package; try looking in 
#/usr/doc/mason-{version}/mason.txt or refer to 
#http://www.pobox.com/~wstearns/mason/  You do not have to make any 
#changes here unless you want to change the defaults.  The defaults 
#are generally used below, but see the documentation for more details.
#Please see mason.txt or http://www.pobox.com/~wstearns/mason/ for 
#more information and copyright information.
#	- William Stearns (wstearns@pobox.com)

# Reminder; this file is for system wide defaults.  
# If you wish to set something for this 
# run only, simply set it on the command line just before calling mason.  For 
# example, putting DYNIF="ppp0" in this file has the 
# same effect on this execution of the program as running 
# DYNIF="ppp0" mason<Enter>.

#	The fields at the top are the ones you're most likely to need to edit.
#	The values in this script can be changed on the fly without
#having to stop and restart Mason; simply make your changes, save the
#file and run "killall -USR1 mason".  Mason will only reread this 
#file when it receives this signal.
#	To have Mason gracefully exit, run "killall -HUP mason".

#-----------------------------------------------------------
# Essential settings - please set these.
#-----------------------------------------------------------
#A quote enclosed, space separated list of interfaces that change 
#IP address from time to time.  Leave as "" if all addresses stay constant.
#Default: no dynamic interfaces.
#DYNIF="ppp0"
#DYNIF=""

#What policy should mason use for upcoming rules?  
#NEWRULEPOLICY="accept"
#NEWRULEPOLICY="reject"
#NEWRULEPOLICY="deny"

#What should the default policy for your firewall be?
#DEFAULTPOLICY="accept"
#DEFAULTPOLICY="reject"
#DEFAULTPOLICY="deny"

#What should the default policy for your system be when the 
#firewall is flushed?
#FLUSHEDPOLICY="accept"
#FLUSHEDPOLICY="reject"
#FLUSHEDPOLICY="deny"

#-----------------------------------------------------------
# Moderate likelihood you may wish to tune these, probably once.
#-----------------------------------------------------------
# "ipchains" = echo ipchains command to STDOUT, "ipfwadm" = echo
# ipfwadm command to STDOUT, "none" = don't echo either.
# Autodetected if not set at all.
#ECHOCOMMAND=""

# What should the IP address be converted to?
# network: the smallest network in the routing table that contains the address.
# host: the hostname or IP address for the machine
# none: leave IP address as is.
# custom: to be implemented.
# dynamic IP's are replaced with ${ifNADDR} solely based on the value of DYNIF
#IPCONV="HOST"
#IPCONV="NETWORK"
#IPCONV="NONE"
#IPCONV="CUSTOM"

#For any IP addresses not converted into a network or otherwise
#specially handled, should we leave them as IP addresses ("NONE"),
#convert them to host names if they're in /etc/hosts or in 
#/var/lib/mason/namecache ("FILESONLY"), or use those files, then try
#a DNS lookup to get the name ("FULL")?
#HOSTLOOKUP="NONE"
#HOSTLOOKUP="FILESONLY"
#HOSTLOOKUP="FULL"

#DOBEEP="YES": beep at user with new rule, "NO": dont
#DOBEEP="YES"

# "yes" = echo dot to STDERR when processing a repeat line,
# "no" = don't.
#HEARTBEAT="YES"

#IRC_BEGIN=6666
#IRC_END=6671

#The maximum number of X, Openwindows, or VNC consoles supported.  The 
#default setting of 6 allows for ports 6000-6005 if any X traffic seen, 
#2000-2005 if any openwindows traffic seen, 5800-5805 for any vnc java 
#traffic, and 5900-5905 if any vnc traffic seen.
#MAXDISPLAYS=6

#If you only connect to a few (say 1-5) servers with a given protocol, 
#add it to the following (SSP=SparseServerProtocols) so that Mason will 
#not generalize it to a network.  
#If only a few _client_ machines connect to a particular service, place
#the port in SCP (Sparse _Client_ Protocols).
#This feature does not differentiate between servers on your network and
#servers in the real world.
#A given protocol can be in both.  These must be numeric.
#Warning: Do not enable this for a given protocol if you run a server of 
#that type on or behind this firewall.  In other words, if you're running 
#your own DNS server on this machine or on some machine behind it, do 
#_not_ make Domain an SSP - leave it commented.
#SSP="${SSP} "
#SSP="${SSP} 25/tcp"										#SMTP: read warning above
SSP="${SSP} 43/tcp"											#Whois
#SSP="${SSP} 53/tcp 53/udp"									#Domain: read warning above
#Do NOT put DNS in SSP if you run a DNS server on the firewall or behind it.
SSP="${SSP} 67/udp"											#BOOTP Server
SSP="${SSP} 69/udp"											#TFTP Server
SSP="${SSP} 88/tcp 88/udp"									#Kerberos: should 749:751/tcp and 749:751/udp be here too?
SSP="${SSP} 110/tcp 143/tcp"								#POP and IMAP Email
SSP="${SSP} 119/tcp"										#NNTP
SSP="${SSP} 123/tcp 123/udp"								#NTP
#Probably could put nfs/sunrpc/mount here
SSP="${SSP} 389/tcp"										#LDAP
SSP="${SSP} 515/tcp"										#Printer/LPD
#SSP="${SSP} 2064/tcp"										#RC5DES
SSP="${SSP} 3128/tcp 3130/udp"										#Squid
SSP="${SSP} 4000/udp"										#ICQ
SSP="${SSP} 7100/tcp"										#xfs
SSP="${SSP} 8765/tcp"										#search.cnn.com's search web server.


#SCP="${SCP} "
SCP="${SCP} 161/udp 162/udp"								#SNMP
SCP="${SCP} 98/tcp"											#Linuxconf

#You probably have a number of internal services to which the outside world
#should not connect.  List them here, space separated.  For the moment, these
#_must_ be number/protocol.  Ruleshell will block access to these coming from
#any interface associated with a 0.0.0.0 route.
#You can create your own or simply uncomment any lines you want to block.  
#Unlike the other operating parameters, Mason will not provide a default.
#Auth (113/tcp) is one you _might_ want to leave open.
#I've included protocols that generally have some security implication
#if open to the outside world.  You can use some, none, or all, and add 
#anything else you don't want the world to see.
#Uncommenting service W below only means that people from the outside 
#world can't get to your W servers; you can still make requests out to
#W servers on the Internet.  
#DNS, NTP, syslog and the Netbios protocols may use the same port number 
#for client and server.  Don't enable these if you want to make outbound 
#_client_ requests to these servers.
#NOINCOMING="${NOINCOMING} "	#put your favorites here...
NOINCOMING="${NOINCOMING} 7/tcp 7/udp"						#Echo
NOINCOMING="${NOINCOMING} 20/tcp 21/tcp"					#FTP
NOINCOMING="${NOINCOMING} 22/tcp"							#SSH
NOINCOMING="${NOINCOMING} 23/tcp"							#Telnet
NOINCOMING="${NOINCOMING} 25/tcp"							#SMTP
#NOINCOMING="${NOINCOMING} 53/tcp 53/udp"					#DNS
NOINCOMING="${NOINCOMING} 69/udp"							#TFTP
NOINCOMING="${NOINCOMING} 79/tcp"							#Finger
NOINCOMING="${NOINCOMING} 80/tcp"							#Web
NOINCOMING="${NOINCOMING} 87/tcp"							#link
NOINCOMING="${NOINCOMING} 98/tcp"							#LinuxConf
NOINCOMING="${NOINCOMING} 110/tcp 143/tcp"					#Pop & IMAP mail
NOINCOMING="${NOINCOMING} 111/tcp 111/udp"					#Sunrpc
#NOINCOMING="${NOINCOMING} 113/tcp"							#Auth
NOINCOMING="${NOINCOMING} 119/tcp"							#NNTP
#NOINCOMING="${NOINCOMING} 123/tcp 123/udp"					#NTP
NOINCOMING="${NOINCOMING} 137/tcp 137/udp 138/tcp 138/udp 139/tcp"	#Netbios
NOINCOMING="${NOINCOMING} 161/udp 162/udp"					#SNMP
NOINCOMING="${NOINCOMING} 512:514/tcp"						#Rexec, Rlogin, Rsh
NOINCOMING="${NOINCOMING} 514/udp"							#syslog
NOINCOMING="${NOINCOMING} 515/tcp"							#LPD
NOINCOMING="${NOINCOMING} 520/udp"							#Route
NOINCOMING="${NOINCOMING} 540/tcp"							#UUCP
#NOINCOMING="${NOINCOMING} 554/tcp 7070/tcp 7071/tcp"		#RealAudio control ports
NOINCOMING="${NOINCOMING} 635/tcp 635/udp"					#NFS Mount
NOINCOMING="${NOINCOMING} 1080/tcp"							#Socks
NOINCOMING="${NOINCOMING} 2000:2010/tcp 6000:6010/tcp "		#X and Openwindows
NOINCOMING="${NOINCOMING} 2049/udp 2049/tcp"				#NFS
NOINCOMING="${NOINCOMING} 3128/tcp 3130/udp"				#Squid
NOINCOMING="${NOINCOMING} 7100/tcp"							#xfs (X Font server)
NOINCOMING="${NOINCOMING} 12345/tcp 12346/tcp"				#Netbus, NT trojan
NOINCOMING="${NOINCOMING} 31337/udp"						#Back Orifice, NT trojan
NOINCOMING="${NOINCOMING} 33434:33524/udp"					#traceroute

#-----------------------------------------------------------
# Filenames
#-----------------------------------------------------------
#Location of runtime changeable files and configuration.
#MASONDIR="/var/lib/mason/"

#This is the configuration file mason uses.  It can be changed while
#Mason is running as long as the SIGUSR1 signal is sent to Mason afterwards.
#It's probably not a good idea to change the value of this variable on the fly.
#Setting this here is of dubious value - this is better set as a 
#shell environment variable before running mason.
#MASONCONF="/etc/masonrc"

#MASONLIB="${MASONDIR}masonlib"

#NAMECACHE _could_ be /etc/hosts, but this was really intended to be a
#local cache for Mason only.  This really should be in some directory like
#/var/lib/mason.
#NAMECACHE="${MASONDIR}morehosts"

#NETCACHE="${MASONDIR}netconvert"

#BASERULEFILE="${MASONDIR}baserules"

#NEWRULEFILE="${MASONDIR}newrules"

#MASONEXE="/usr/bin/mason"

#Default input file to tail (To be implemented)
#PACKETLOGFILE="/var/log/messages"

#-----------------------------------------------------------
# Low likelihood you'll need to change these
#-----------------------------------------------------------
# "ipchains" = actually run the ipchains command, "ipfwadm" = actually
# run the ipfwadm command, "none" = don't run either.  no is useful if you're
# not running Mason as root or are running Mason on some machine other
# than the actual operating firewall.  User can override either by simply
# setting the environment variable ahead of time.
# Autodetected if not set.
#DOCOMMAND=""

#What policy should we use for logging?  If not set, defaults
#to the value of NEWRULEPOLICY
#LOGGINGPOLICY="accept"
#LOGGINGPOLICY="reject"
#LOGGINGPOLICY="deny"

#Because of limitations on the length of rule names, NOLOGSUFFIX cannot
#be longer than 1 character.
#If you change this, change it in ruleshell too.
#NOLOGSUFFIX="N"

# "YES" to debug, anything else = dont
#DEBUG="NO"

#Future: allow non-verbose operation?
#VERBOSE=YES

#PORT_MASQ_BEGIN=61000
#PORT_MASQ_END=65096
#TRACEROUTE_BEGIN=33434
#TRACEROUTE_END=33524		#Fine for up to 30 routers, 3 packets each.

#When ssh(d?) is run as root, the client port starts off at 1023 and 
#works its way down to (512?).  Mason handles this falling range 
#correctly, but this allows you to predeclare that you want to handle 
#up to 1024-LOWSSHPORT connections simultaneously. 
#LOWSSHPORT=1010

#Interfaces on which packets from untrusted systems can come _in_, 
#usually identical to the interfaces with a default route.  (That's
#how this is automatically set if you don't set it explicitly.)
#If you use diald, explicitly set this with _only_ the ppp 
#interface(s); packets never _arrive_ on the slx interface(s).
#INCOMINGINTERFACES=""
#INCOMINGINTERFACES="ppp0"		#Single interface diald

#-----------------------------------------------------------
# To be implemented
#-----------------------------------------------------------

#NASTYHOSTS is a list of machines that should not be able to communicate
#_at_ _all_ with this machine or any machine behind it.  I'd reserve 
#this for machines that have attacked your machines in the past.
#Use space separated machine.name/32 or 1.2.3.4/32 or 1.2.3.0/24 or 
#network/netmask format.
#NASTYHOSTS=""
#LOGNASTYHOSTS="YES"  #Maybe?

#POISONPROTOCOLS=""	#treat these as nastyhost machines from now on and append 
#to masonrc as nastyhosts... :-)  Hmmm.... 


#Default output file (To be implemented)
#FIXME

#Copyleft:
#    Mason interactively creates a Linux packet filtering firewall.
#    Copyright (C) 1998, 1999 William Stearns <wstearns@pobox.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
#    The author can also be reached at:
#        William Stearns
#email:  wstearns@pobox.com              (preferred)
#web:    http://www.pobox.com/~wstearns
#snail:  544 Winchester Place
#        Colchester VT, 05446

