#WARNING - If you are upgrading from a previous version, the uncommented
#lines in your old masonrc have been appended to the end of this file.  

#For instructions on how to set the parameters in this file, refer to 
#mason.txt that came with this package; try looking in 
#/usr/doc/mason-{version}/mason.txt or see 
#http://www.pobox.com/~wstearns/mason/ online.  You do not have to make any 
#changes here unless you want to change the defaults.  The defaults 
#are generally shown below, but see the documentation for more details.
#Please see mason.txt or http://www.pobox.com/~wstearns/mason/ for 
#more information and copyright information.
#	- William Stearns (wstearns@pobox.com)

# Reminder: this file is for system wide defaults.
# If you wish to set something for this run only, simply set it on
# the command line just before calling mason.  For example, putting
# DYNIF="ppp0" in this file has the same effect on this execution of
# the program as running DYNIF="ppp0" mason<Enter>.

#	The fields at the top are the ones you're most likely to need to edit.
#	The values in this script can be changed on the fly without
#having to stop and restart Mason; simply make your changes, save the
#file and run "killall -USR1 mason".  Mason will only reread this 
#file when it receives this signal.
#	To have Mason gracefully exit, run "killall -HUP mason".

#-----------------------------------------------------------
# Essential settings - please set these.
#-----------------------------------------------------------
#A quote-enclosed, space-separated list of interfaces that change 
#IP address from time to time.  Leave as "" if all addresses stay constant.
#Default: no dynamic interfaces.
#DYNIF="ppp0"
#DYNIF=""

#What policy should mason use for upcoming rules?  
#There is no default for this field.  You must choose one of 
#the following.
#NEWRULEPOLICY="accept"
#NEWRULEPOLICY="reject"
#NEWRULEPOLICY="deny"

#What should the default policy for your firewall be?
#There is no default for this field.  You must choose one of 
#the following.
#DEFAULTPOLICY="accept"
#DEFAULTPOLICY="reject"
#DEFAULTPOLICY="deny"

#What should the default policy for your system be when the 
#firewall is flushed?
#There is no default for this field.  You must choose one of 
#the following.
#FLUSHEDPOLICY="accept"
#FLUSHEDPOLICY="reject"
#FLUSHEDPOLICY="deny"

#-----------------------------------------------------------
# Moderate likelihood you may wish to tune these, probably once.
#-----------------------------------------------------------
#BLOCKEDHOSTS is a list of space separated machines that should not 
#be able to communicate _at_ _all_ with this machine or through
#this machine.  I'd reserve this for machines that have 
#attacked your machines in the past.  Use space separated 
#machine.name/32 or 1.2.3.4/32 or 1.2.3.0/24 or network/netmask format.
#This could also very reasonably be used to block all access to/from
#one of your own machines that is particularly sensitive and 
#should only be allowed to communicate with other machines on 
#its own subnet.
#_ALL_ communication of any sort that would normally pass through 
#this firewall is cut off.  _ALL_.
#BLOCKEDHOSTS=""

# "ipchains" = echo ipchains command to STDOUT, "ipfwadm" = echo
# ipfwadm command to STDOUT, "none" = don't echo either.
# Use "cisco" if you want Mason to spit out Cisco IOS access-list rules.
# Autodetected if not set at all.
# This is what you change if you want a different format in the
# output rule file.
#ECHOCOMMAND=""

# What should the IP address be converted to?
# network: the smallest network in the routing table that contains the address.
# host: the hostname or IP address for the machine
# none: leave IP address as is.
# custom: to be implemented.
# Dynamic IPs are replaced with ${ifNADDR} solely based on the value of DYNIF.
#IPCONV="HOST"
#IPCONV="NETWORK"
#IPCONV="NONE"
#IPCONV="CUSTOM"

#For any IP addresses not converted into a network or otherwise
#specially handled, should we leave them as IP addresses ("NONE"),
#convert them to host names if they're in /etc/hosts
#("FILESONLY"), or use that file, then try
#a DNS lookup to get the name ("FULL")?
#HOSTLOOKUP="NONE"
#HOSTLOOKUP="FILESONLY"
#HOSTLOOKUP="FULL"

#If you want a Mason firewall to automatically masquerade traffic from 
#reserved (rfc1918) addresses, set AUTOMASQIF to a space separated list of 
#interfaces _to_ which this traffic might go.  For example, if eth0 and 
#eth2 are using reserved addresses, and eth3 and ppp0 are your gateways
#to the outside world, you might set:
#AUTOMASQIF="eth3 ppp0"
#Do not simply set this to all your interfaces; that's a security risk.
#If you would rather handle this yourself, set it to "".  If blank or 
#not set at all, Mason will not automatically masquerade packets.
#This setting has no effect if the rule to be added is a REJECT or DENY 
#rule.  It is also not used in Cisco output.
#AUTOMASQIF=""

#DOBEEP="YES": beep at user with new rule, "NO": don't
#DOBEEP="YES"

# "yes" = echo dot to STDERR when processing a repeat line,
# "no" = don't.
#HEARTBEAT="YES"

#IRC_BEGIN=6666
#IRC_END=6671

#The maximum number of X, OpenWindows, or VNC consoles supported.  The 
#default setting of 6 allows for ports 6000-6005 if any X traffic is seen, 
#2000-2005 if any OpenWindows traffic is seen, 5800-5805 for any VNC Java 
#traffic, and 5900-5905 if any VNC traffic is seen.
#MAXDISPLAYS=6

#If you only connect to a few (say 1-5) servers with a given protocol, 
#add it to the following (SSP=SparseServerProtocols) so that Mason will 
#not generalize it to a network.  
#If only a few _client_ machines connect to a particular service, place
#the port in SCP (Sparse _Client_ Protocols).
#This feature does not differentiate between servers on your network and
#servers in the real world.
#A given protocol can be in both.  These must be numeric.
#Warning: Do not enable this for a given protocol if you run a server of 
#that type on or behind this firewall.  In other words, if you're running 
#your own DNS server on this machine or on some machine behind it, do 
#_not_ make Domain an SSP - leave it commented.
#DNS, NTP, syslog and the Netbios protocols may use the same port number 
#for client and server.  Declaring any of these as SSP's or SCP's will 
#probably cause _both_ ends to be specific hosts.
#This can occasionally cause problems if the server in question has 
#multiple machines with the same name and different IP addresses - 
#ICQ has this problem.
#SSP="${SSP} "
#SSP="${SSP} 25/tcp"										#SMTP
#SSP="${SSP} 43/tcp"										#Whois
#SSP="${SSP} 53/tcp 53/udp"									#DNS/Domain - read note above
#Do NOT put DNS in SSP if you run a DNS server on the firewall or behind it.
#SSP="${SSP} 67/udp"										#BOOTP Server
#SSP="${SSP} 69/udp"										#TFTP Server
#SSP="${SSP} 88/tcp 88/udp"									#Kerberos: should 749:751/tcp and 749:751/udp be here too?
#SSP="${SSP} 110/tcp 143/tcp"								#POP and IMAP Email
#SSP="${SSP} 111/tcp 111/udp 635/tcp 635/udp 2049/tcp 2049/udp"	#NFS: Sunrpc, Mount, and NFS
#SSP="${SSP} 119/tcp"										#NNTP
#SSP="${SSP} 123/tcp 123/udp"								#NTP - read note above
#SSP="${SSP} 137/tcp 137/udp 138/tcp 138/udp 139/tcp"		#Netbios - read note above
#SSP="${SSP} 370/udp 2432/udp 2433/udp"						#Coda: codaauth2 codasrv codasrv-se
#SSP="${SSP} 389/tcp"										#LDAP
#SSP="${SSP} 514/udp"										#syslog
#SSP="${SSP} 515/tcp"										#Printer/LPD
#SSP="${SSP} 2064/tcp"										#RC5DES
#SSP="${SSP} 3128/tcp 3130/udp"								#Squid
#SSP="${SSP} 4000/udp"										#ICQ
#SSP="${SSP} 7100/tcp"										#xfs
#SSP="${SSP} 8765/tcp"										#search.cnn.com's search web server.
#SSP="${SSP} 12343/tcp"										#stats.hitbox.com

#SCP="${SCP} "
#SCP="${SCP} 161/udp 162/udp"								#SNMP
#SCP="${SCP} 98/tcp"										#Linuxconf

#FIXME - should router advertisement (9/icmp) be an SSP or SCP?

#You probably have a number of internal services to which the outside world
#should not connect.  List them here, space separated.  For the moment, these
#_must_ be number/protocol.  Ruleshell will block access to these coming from
#any interface associated with a 0.0.0.0 route.
#You can create your own or simply uncomment any lines you want to block.  
#Unlike the other operating parameters, Mason will not provide a default.
#Auth (113/tcp) is one you _might_ want to leave open.
#I've included protocols that generally have some security implication
#if open to the outside world.  You can use some, none, or all, and add 
#anything else you don't want the world to see.
#Uncommenting service W below only means that people from the outside 
#world can't get to your W servers; you can still make requests out to
#W servers on the Internet.  
#DNS, NTP, syslog and the Netbios protocols may use the same port number 
#for client and server.  Don't enable these if you want to make outbound 
#_client_ requests to these servers.
#You have the ability to block _entire_ protocols, such as tcp, udp, icmp, 
#gre, anything in /etc/protocols.  Most people should _not_ need to use 
#this.  In particular, you run a severe risk of violating a number of IP
#requirements by blocking all icmp packets.  Also, the only available 
#protocols for ipfwadm are tcp, udp, and icmp.
#NOINCOMING="${NOINCOMING} "	#put your favorites here...
#NOINCOMING="${NOINCOMING} 8/icmp"							#Ping - untested, but should work.
#NOINCOMING="${NOINCOMING} 7/tcp 7/udp"						#Echo
#NOINCOMING="${NOINCOMING} 15/tcp"							#Netstat
#NOINCOMING="${NOINCOMING} 20/tcp 21/tcp"					#FTP
#NOINCOMING="${NOINCOMING} 22/tcp"							#SSH
#NOINCOMING="${NOINCOMING} 22/udp"							#PCAnywhere
#NOINCOMING="${NOINCOMING} 23/tcp"							#Telnet
#NOINCOMING="${NOINCOMING} 25/tcp"							#SMTP
#NOINCOMING="${NOINCOMING} 53/tcp 53/udp"					#DNS (tcp is for zone transfers; large requests too?)
#NOINCOMING="${NOINCOMING} 69/udp"							#TFTP
#NOINCOMING="${NOINCOMING} 79/tcp"							#Finger
#NOINCOMING="${NOINCOMING} 80/tcp"							#Web
#NOINCOMING="${NOINCOMING} 87/tcp"							#link
#NOINCOMING="${NOINCOMING} 98/tcp"							#LinuxConf
#NOINCOMING="${NOINCOMING} 110/tcp 143/tcp"					#Pop & IMAP mail
#NOINCOMING="${NOINCOMING} 111/tcp 111/udp"					#Sunrpc
#NOINCOMING="${NOINCOMING} 113/tcp"							#Auth
#NOINCOMING="${NOINCOMING} 119/tcp"							#NNTP
#NOINCOMING="${NOINCOMING} 123/tcp 123/udp"					#NTP
#NOINCOMING="${NOINCOMING} 135/tcp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp"	#Netbios
#NOINCOMING="${NOINCOMING} 161/udp 162/udp"					#SNMP
#NOINCOMING="${NOINCOMING} 443/tcp 563/tcp"					#Secure Web
#NOINCOMING="${NOINCOMING} 512:514/tcp"						#Rexec, Rlogin, Rsh
#NOINCOMING="${NOINCOMING} 512/udp"							#biff
#NOINCOMING="${NOINCOMING} 513/udp"							#who
#NOINCOMING="${NOINCOMING} 514/udp"							#syslog
#NOINCOMING="${NOINCOMING} 515/tcp"							#LPD
#NOINCOMING="${NOINCOMING} 520/udp"							#Route
#NOINCOMING="${NOINCOMING} 540/tcp"							#UUCP
#NOINCOMING="${NOINCOMING} 554/tcp 7070/tcp 7071/tcp"		#RealAudio control ports
#NOINCOMING="${NOINCOMING} 635/tcp 635/udp"					#NFS Mount
#NOINCOMING="${NOINCOMING} 1080/tcp"							#Socks
#NOINCOMING="${NOINCOMING} 2000:2010/tcp 6000:6010/tcp "		#X and Openwindows
#NOINCOMING="${NOINCOMING} 2049/udp 2049/tcp"				#NFS
#NOINCOMING="${NOINCOMING} 3128/tcp 3130/udp"				#Squid web cache
#NOINCOMING="${NOINCOMING} 7100/tcp"							#xfs (X Font server)
#NOINCOMING="${NOINCOMING} 8080/tcp"						#Novell Border Manager/FastCache (thanks to Eric Hart for this port number)
#NOINCOMING="${NOINCOMING} 12345/tcp 12346/tcp"				#Netbus, NT trojan
#NOINCOMING="${NOINCOMING} 31337/udp"						#Back Orifice, NT trojan
#NOINCOMING="${NOINCOMING} 33434:33524/udp"					#traceroute
#NOINCOMING="${NOINCOMING} gre"								#_all_ gre protocol packets
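# Added example (not part of Mason or this masonrc): a Python checker that replays
# the VAR="${VAR} ..." accumulation used above for SSP, SCP and NOINCOMING, then
# verifies that the three policy fields are set (they have no default) and that every
# SSP/SCP entry is numeric port[:port]/proto, with NOINCOMING also allowed a bare
# protocol name such as gre.  SAMPLE_MASONRC is a constructed fragment, not this file.

```python
import re

# Constructed masonrc fragment (not the real file) exercising the accumulating
# VAR="${VAR} ..." idiom; FLUSHEDPOLICY is misspelt and ssh/tcp is non-numeric on purpose.
SAMPLE_MASONRC = """
NEWRULEPOLICY="accept"
DEFAULTPOLICY="deny"
FLUSHEDPOLICY="rejct"
SSP="${SSP} "
SSP="${SSP} 25/tcp"					#SMTP
SSP="${SSP} 53/tcp 53/udp"				#DNS
SCP="${SCP} 161/udp 162/udp"				#SNMP
NOINCOMING="${NOINCOMING} 512:514/tcp"			#Rexec, Rlogin, Rsh
NOINCOMING="${NOINCOMING} gre"				#whole protocol
NOINCOMING="${NOINCOMING} ssh/tcp"			#must be number/protocol
"""

ASSIGN = re.compile(r'^([A-Z_]+)="([^"]*)"')           # uncommented VAR="..." lines only
PORTSPEC = re.compile(r'^(\d{1,5})(?::(\d{1,5}))?/(tcp|udp|icmp)$')
POLICIES = {"accept", "reject", "deny"}

def load_vars(text):
    """Replay the assignments the way the shell would, expanding ${VAR} self-references."""
    env = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue                                   # comment or blank line
        name, value = m.groups()
        value = value.replace("${%s}" % name, env.get(name, ""))
        env[name] = " ".join(value.split())            # normalise whitespace
    return env

def valid_portspec(tok, allow_bare_protocol):
    """port/proto or lo:hi/proto with numeric ports; optionally a bare /etc/protocols name."""
    m = PORTSPEC.match(tok)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        return lo <= hi <= 65535
    return allow_bare_protocol and re.fullmatch(r'[a-z][a-z0-9-]*', tok) is not None

def check_masonrc(text):
    """Return a list of problems; an empty list means the fragment passes these checks."""
    env = load_vars(text)
    problems = []
    for name in ("NEWRULEPOLICY", "DEFAULTPOLICY", "FLUSHEDPOLICY"):
        if env.get(name) not in POLICIES:              # the file gives these no default
            problems.append("%s must be accept, reject or deny, got %r" % (name, env.get(name)))
    for name, bare_ok in (("SSP", False), ("SCP", False), ("NOINCOMING", True)):
        for tok in env.get(name, "").split():
            if not valid_portspec(tok, bare_ok):
                problems.append("%s: bad entry %r (need numeric port[:port]/proto)" % (name, tok))
    return problems

if __name__ == "__main__":
    for p in check_masonrc(SAMPLE_MASONRC):
        print(p)
```

# Run it against a copy of your masonrc before sending "killall -USR1 mason", since Mason
# rereads the file only on that signal and a bad policy value has no fallback.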



#If you do not already have EDITOR set in your environment, you 
#can set it here.  If it's not set in either place, Mason
#will try to find mcedit, pico, vi, jove, nedit, and emacs in
#your path.
#EDITOR="/usr/bin/mcedit -c "		#I like mine in color :-)


#-----------------------------------------------------------
# Filenames
#-----------------------------------------------------------
#Location of runtime changeable files and configuration.
#MASONDIR="/var/lib/mason/"

#This is the configuration file mason uses.  It can be changed while
#Mason is running as long as the SIGUSR1 signal is sent to Mason afterwards.
#It's probably not a good idea to change the value of this variable on the fly.
#Setting this here is of dubious value - this is better set as a 
#shell environment variable before running mason.
#MASONCONF="/etc/masonrc"

#MASONLIB="${MASONDIR}masonlib"

##Note - NAMECACHE support has been disabled.
##THIS SECTION WILL BE DELETED.
##NAMECACHE _could_ be /etc/hosts, but this was really intended to be a
##local cache for Mason only.  This really should be in some directory like
##/var/lib/mason.
##NAMECACHE="${MASONDIR}morehosts"

##Note - Mason no longer supports additional services files.  You need to 
##make sure /etc/services holds all your protocols.
##THIS SECTION WILL BE DELETED.
##These files, in /etc/services format, hold additional ports that may 
##not be defined in the stock /etc/services.  If you would prefer to 
##use just the services in your own /etc/services, uncomment the 
##first line.  Your /etc/services entries always take precedence over 
##any entries in moreservices.  If you choose not to use the moreservices 
##file, make _sure_ your /etc/services has _all_ the protocols you might 
##use.  ssh, portmapper, nfs, and nfs mount services are especially 
##crucial.  Default is just /etc/services.
##SERVICES="/etc/services"
##SERVICES="/etc/services ${MASONDIR}nmap-services ${MASONDIR}moreservices"

#Obsoleted - do not use any more.  If you have made any manual changes to
#this file, please transfer the contents to the NETWORKS variable below.
#NETCACHE="${MASONDIR}netconvert"

#This field replaces the original NETCACHE file.  
#Most people can leave this blank; if null, Mason populates it with the
#correct values.  If you need Mason to use different networks, perhaps 
#to run Mason on another machine, place triplets of the form 
#"network-broadcast/netmask" in this variable, separating them 
#with spaces.  "network/netmask", "network/numbits" and 
#"network-broadcast/numbits" are all legal:
#NETWORKS="172.16.0.0-172.16.255.255/255.255.0.0 192.168.11.0-192.168.11.255/255.255.255.0"
#NETWORKS="12.13.14.15/32 206.99.99.0/24 15.16.17.18/255.255.255.255 1.2.3.0-1.2.3.1/31"
#Please place the most specific entries _first_.  If you have certain machines
#or subnets that need to be treated specially, place them here.  If you 
#set this at all, make sure you include _all_ networks this machine needs 
#to recognize.
#NETWORKS=""

#If you want Mason to add the networks known at run-time to any custom list
#of networks above, uncomment the following line:
#NETWORKS="${NETWORKS} RUNTIME.NETWORKS"
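# Added example (not Mason's own code): a Python parser for the four NETWORKS entry
# forms listed above.  It rejects entries whose broadcast address disagrees with the
# netmask and, assuming the first matching entry wins (which is why the most specific
# entries are asked for first), flags a subnet listed after a broader one that contains
# it.  RUNTIME.NETWORKS is assumed to be a token Mason expands itself and is passed through.

```python
import ipaddress

# Constructed NETWORKS values: GOOD_1 and GOOD_2 use the forms shown above,
# BAD has a broadcast address that disagrees with its netmask.
GOOD_1 = "172.16.0.0-172.16.255.255/255.255.0.0 192.168.11.0-192.168.11.255/255.255.255.0"
GOOD_2 = "12.13.14.15/32 206.99.99.0/24 15.16.17.18/255.255.255.255 1.2.3.0-1.2.3.1/31"
BAD = "10.0.0.0-10.0.1.255/255.255.255.0 RUNTIME.NETWORKS"

def parse_entry(entry):
    """Accept network/netmask, network/numbits, network-broadcast/netmask and
    network-broadcast/numbits.  Returns an IPv4Network or raises ValueError."""
    prefix, mask = entry.split("/", 1)             # mask is dotted or a bit count
    network, _, broadcast = prefix.partition("-")  # broadcast part is optional
    net = ipaddress.IPv4Network("%s/%s" % (network, mask), strict=True)  # host bits set -> error
    if broadcast and ipaddress.IPv4Address(broadcast) != net.broadcast_address:
        raise ValueError("broadcast %s does not match %s" % (broadcast, net))
    return net

def parse_networks(value):
    """Parse a whole NETWORKS string into (entries, problems).  RUNTIME.NETWORKS is the
    token Mason expands itself (assumption: it is kept here as a plain string)."""
    entries, problems = [], []
    for tok in value.split():
        if tok == "RUNTIME.NETWORKS":
            entries.append(tok)
            continue
        try:
            entries.append(parse_entry(tok))
        except ValueError as e:
            problems.append("%s: %s" % (tok, e))
    # Most specific entries are supposed to come first; assuming the first match
    # wins, a subnet listed after a broader network that contains it is never reached.
    nets = [n for n in entries if not isinstance(n, str)]
    for i, later in enumerate(nets):
        for earlier in nets[:i]:
            if later != earlier and later.subnet_of(earlier):
                problems.append("%s is shadowed by earlier, broader %s" % (later, earlier))
    return entries, problems

if __name__ == "__main__":
    for value in (GOOD_1, GOOD_2, BAD):
        entries, problems = parse_networks(value)
        print([str(e) for e in entries], problems)
```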

#BASERULEFILE="${MASONDIR}baserules"

#NEWRULEFILE="${MASONDIR}newrules"

#MASONEXE="/usr/bin/mason"

#Default input file to tail.
#PACKETLOGFILE="/var/log/messages"

#-----------------------------------------------------------
# Low likelihood you'll need to change these
#-----------------------------------------------------------
# "ipchains" = actually run the ipchains command, "ipfwadm" = actually
# run the ipfwadm command, "none" = don't run either.  "none" is useful if
# you're not running Mason as root or are running Mason on some machine other
# than the actual operating firewall.  User can override either by simply
# setting the environment variable ahead of time.
# Autodetected if not set.
#DOCOMMAND=""

#What policy should we use for logging?  If not set, defaults
#to the value of NEWRULEPOLICY
#LOGGINGPOLICY="accept"
#LOGGINGPOLICY="reject"
#LOGGINGPOLICY="deny"

#Because of limitations on the length of rule names, NOLOGSUFFIX cannot
#be longer than 1 character.
#NOLOGSUFFIX="N"

# "YES" to debug, anything else = don't
#DEBUG="NO"

#Future: allow non-verbose operation?
#VERBOSE=YES

#PORT_MASQ_BEGIN=61000
#PORT_MASQ_END=65096
#TRACEROUTE_BEGIN=33434
#TRACEROUTE_END=33524		#Fine for up to 30 routers, 3 packets each, the default for traceroute.

#When ssh(d?) is run as root, the client port starts off at 1023 and 
#works its way down to (512?).  Mason handles this falling range 
#correctly, but this allows you to predeclare that you want to handle 
#up to 1024-LOWSSHPORT connections simultaneously. 
#LOWSSHPORT=1010

#Interfaces on which packets from untrusted systems can come _in_, 
#usually identical to the interfaces with a default route.  (That's
#how this is automatically set if you don't set it explicitly.)
#If you use diald, explicitly set this with _only_ the ppp 
#interface(s); packets never _arrive_ on the slx interface(s).
#You should only have to set this by hand if you use something 
#like diald, a cable modem, or a satellite link where you use 
#different interfaces for outgoing and incoming packets.
#INCOMINGINTERFACES=""
#INCOMINGINTERFACES="ppp0"		#Single interface diald

#-----------------------------------------------------------
# To be implemented
#-----------------------------------------------------------

#LOGBLOCKS="YES"  #Not tested yet, but give it a try if you want all packets 
#from blocked protocols or hosts to be logged.

#POISONPROTOCOLS=""	#treat these as blockedhost machines from now on and append 
#to masonrc as BLOCKEDHOSTS... :-)  Hmmm.... 

##SYSTEMRULEFILE="${MASONDIR}systemrules"
#

#How should mason sort the newrulesfile?
#SORTMODE="NONE" - This isn't implemented right now, and you wouldn't want it.
#SORTMODE="PROTOCOL" #Group by protocol
#SORTMODE="PACKETCOUNTS" #Put rules with the largest number of packets up top.

#MINMARK
#Mason can add mark numbers to ipchains rules.  If you want to use
#the upcoming feature of adding packet counts to rules (in 
#preparation for migrating the rules with the highest counts upwards)
#this must be set to some positive number.  If left blank, no mark will 
#be set.
#In order to make the mark values unique, Mason will raise this above any
#existing mark values.
#MINMARK=32768

#Set to yes to create generic ack rules.  Use at your own risk.  Default NO.
#GENERALIZETCPACK="YES"


#Copyleft:
#    Mason interactively creates a Linux packet filtering firewall.
#    Copyright (C) 1998, 1999 William Stearns <wstearns@pobox.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
#    The author can also be reached at:
#        William Stearns
#email:  wstearns@pobox.com              (preferred)
#web:    http://www.pobox.com/~wstearns
#snail:  544 Winchester Place
#        Colchester VT, 05446

