Copyright (c) 1998, 1999 William Stearns <wstearns@pobox.com>
				Mason Quickstart
	This document is designed to help people who are unfamiliar with Mason build a firewall using it.  
A novice user should be able to build a basic firewall using these instructions in 20 minutes. 

#include <disclaimer.h>


1.	Install the Mason package
	Download the latest version to /usr/src
	cd /usr/src<Enter>
	tar -xzvf mason...tar.gz<Enter>
	cd mason...<Enter>
	make install<Enter>	

2.	Prepare /etc/services - probably mostly done!
	Mason depends on a few setup details to be able to provide a firewall that works in the way you intended.  Make
sure that /etc/services includes the server port names for all services you intend to work with, whether those services
are running on the firewall machine or on some other machine.
	For example, if you intend to use ssh to connect to another system, make sure that the line

ssh	22/tcp

is in /etc/services.  Entries that might be missing include:

ftp-data	20/tcp
ssh		22/tcp		#Secure shell
linuxconf	98/tcp
squid		3128/tcp	#Squid proxy cache requests
icp		3130/udp	#Inter Cache Protocol, used in squid

	It is not necessary to include entries for services that you don't use.  Also, do _not_ place entries for _client_
ports in this file; Mason assumes anything referenced in this file is a server port.  For example, even though one of the
client ports used for ssh is 1022/tcp, you would _not_ place this in /etc/services.  Doing so would cause Mason to provide
incorrect rules.
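
An added example (not part of Mason or of the original quickstart): a shell check for step 2 that reports which server entries a services file lacks and which names are listed on a given port, so that a stray client-port entry such as 1022/tcp can be spotted before Mason starts learning.  The function names, the name:port/proto argument form and the sample file contents are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of Mason: check a services file before learning.
# Constructed sample in /etc/services format (not taken from a real system).
sample_services() {
    cat <<'EOF'
ftp-data	20/tcp
ssh		22/tcp		#Secure shell
http		80/tcp		www www-http
ssh-client	1022/tcp	# constructed mistake: a client port
EOF
}

# missing_services FILE name:port/proto ...
# Prints "name<TAB>port/proto" for each wanted entry that FILE lacks.
missing_services() {
    file=$1; shift
    for want in "$@"; do
        name=${want%%:*}
        pp=${want#*:}
        # Drop comments, then accept the official name or any alias.
        awk -v n="$name" -v pp="$pp" '
            { sub(/#.*/, "") }
            NF >= 2 && $2 == pp {
                if ($1 == n) found = 1
                for (i = 3; i <= NF; i++) if ($i == n) found = 1
            }
            END { exit !found }
        ' "$file" || printf '%s\t%s\n' "$name" "$pp"
    done
}

# port_names FILE port/proto
# Prints every official name listed on that port; use it to confirm that
# a client port (1022/tcp in the text above) has no entry.
port_names() {
    awk -v pp="$2" '{ sub(/#.*/, "") } NF >= 2 && $2 == pp { print $1 }' "$1"
}

demo() {
    tmp=$(mktemp) || return 1
    sample_services > "$tmp"
    echo "Missing server entries:"
    missing_services "$tmp" ssh:22/tcp www:80/tcp squid:3128/tcp icp:3130/udp
    echo "Names on client port 1022/tcp (should be none):"
    port_names "$tmp" 1022/tcp
    rm -f "$tmp"
}
demo
```

To check the real file, pass /etc/services as the first argument in place of the temporary sample file.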


3.	Prepare the routing table and interfaces - probably already done!
	Mason assumes that the routing table and interfaces are set up to match the way the final firewall will run.  If
you're running this on the actual firewall machine and all the interfaces and networks have been configured, proceed to
the next step.
	You'll need to put in IP addresses and networks to match the way the final machine will be configured.  If you
have any IP addresses that are not live, simply create fake ones with commands like these:

/sbin/ifconfig eth0:1 172.16.0.1 up		#Mason only cares about the IP address.
/sbin/ifconfig eth0:2 172.18.12.94 up

	Similarly, fake networks can be simulated with:

/sbin/route add -net 172.17.0.0 netmask 255.255.0.0 dev lo	#Mason only cares about the network and netmask.

	You only need to add fake IP addresses or networks if they are not already present.


4.	Check the configuration file.
	The configuration choices in /etc/masonrc are ordered so that the fields you'll most likely 
need to edit are at the top and the really obscure ones are at the bottom.


5.	Place any known rules in /var/lib/mason/baserules
	If you know some rules you'll need already, put them in this file.  For example, if you know you'll need to
masquerade all traffic from the 172.16.0.0/255.255.0.0 network, a sample rule for this is already in baserules.
	If you don't know of any, no problem.


6.	Run mason-gui-text
	This (admittedly rudimentary) interface helps you build the firewall.  Choose "BL" (begin learning) and
watch mason start to spit out the firewall rules that perfectly match your system's network traffic.
	The new rules mason provides are put in the "newrules" file.  From time to time you should choose to 
edit this file ("EN" from the main menu).  Delete any rules you don't like (or change their policy to deny or
reject).  Once you're happy with a given rule, add a tag to the end that indicates you're happy with it (I 
happen to use my initials+OK: "WLSOK").  Once you have saved that file and exited your editor, you can 
Merge the Rules ("MR" from the main menu) to the baserules file.  Baserules is reserved for rules that you 
are _sure_ are correct; only these rules get loaded at boot time if you've enabled the firewall (run 
"ntsysv" in RedHat, or make the appropriate symlink from /etc/rc.d/init.d/firewall to 
/etc/rc.d/rc3.d/S92firewall for other distributions).
	If you need to step away from the firewall for a minute, choose "LC" (lock console) from the main menu.
Mason will keep on learning and you'll still see the new rules, but that console will be locked.  You'll 
need to enter the root password to continue learning.



7.	Clean up
	If you added any new interfaces or networks just to run Mason, they can be removed with commands like the
following:

/sbin/ifconfig eth0:1 172.16.0.1 down
/sbin/ifconfig eth0:2 172.18.12.94 down
/sbin/route del -net 172.17.0.0 netmask 255.255.0.0
