#WARNING - If you are upgrading from a previous version, the uncommented
#lines in your old masonrc have been appended to the end of this file.  
#Please note that the NAMECACHE, NETCACHE, and SERVICES fields are no longer used.

#For instructions on how to set the parameters in this file, refer to 
#mason.txt that came with this package; try looking in 
#/usr/doc/mason-{version}/mason.txt or refer to 
#http://www.pobox.com/~wstearns/mason/  The only fields you must change
#are in the "Essential Settings" section immediately following.  The other 
#fields may be left unset; Mason will assign defaults for them.  The defaults 
#are generally used below, but see the documentation for more details.
#Please see mason.txt or http://www.pobox.com/~wstearns/mason/ for 
#more information and copyright information.
#	- William Stearns (wstearns@pobox.com)

# Reminder; this file is for system wide defaults.  
# If you wish to set something for this 
# run only, simply set it on the command line just before calling mason.  For 
# example, putting DYNIF="ppp0" in this file has the 
# same effect on this execution of the program as running 
# DYNIF="ppp0" mason<Enter>.  If a field is set on the command line and
# in this file, this file wins - sorry.

#	The fields at the top are the ones you're most likely to need to edit.
#	The values in this script can be changed on the fly without
#having to stop and restart Mason; simply make your changes, save the
#file and run "killall -USR1 mason".  Mason will only reread this 
#file when it receives this signal.
#	To have Mason gracefully exit, run "killall -HUP mason".

#-----------------------------------------------------------
# Essential settings - please set these.
#-----------------------------------------------------------
#A quote enclosed, space separated list of interfaces that change 
#IP address from time to time.  Leave as "" if all addresses stay constant.
#See DYNIFMODE if you want to fine tune how Mason handles these.
#Default: no dynamic interfaces, all have static addresses.
#DYNIF="ppp0"
#DYNIF=""

#What policy should mason use for upcoming rules?  
#There is no default for this field.  You must choose one of 
#the following.
#NEWRULEPOLICY="accept"
#NEWRULEPOLICY="reject"
#NEWRULEPOLICY="deny"

#What should the default policy for your firewall be?
#There is no default for this field.  You must choose one of 
#the following.
#DEFAULTPOLICY="accept"
#DEFAULTPOLICY="reject"
#DEFAULTPOLICY="deny"

#What should the default policy for your system be when the 
#firewall is flushed?
#There is no default for this field.  You must choose one of 
#the following.
#FLUSHEDPOLICY="accept"
#FLUSHEDPOLICY="reject"
#FLUSHEDPOLICY="deny"

#-----------------------------------------------------------
# Moderate likelihood you may wish to tune these, probably once.
#-----------------------------------------------------------
#DYNIFMODE Sets what Mason does with interfaces that change IP 
#address from time to time, such as network interfaces that use
#dhcp or dial up links.
#If set to SMALLESTRANGE, Mason attempts to calculate the smallest
#IP network that contains all IP addresses seen so far for that 
#interface.  Probably the best choice.  Actually, the best choice
#is to not use dynamic addresses on a firewall, but sometimes it's 
#unavoidable.
#SPECIFICIP instructs Mason to only allow a single IP for each 
#interface.  This is the most secure but also requires you to 
#restart the firewall whenever the IP address changes.
#None of the above choices is permanent; there is a setting at the
#top of the firewall rule file that can be changed at any time.
# Default: SMALLESTRANGE
#DYNIFMODE="SMALLESTRANGE"
#DYNIFMODE="SPECIFICIP"
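#Added illustration (not Mason's own code): the arithmetic behind the two
#DYNIFMODE choices.  SMALLESTRANGE keeps the leading bits every address seen
#on the interface has in common, so the range only widens as new addresses
#arrive; SPECIFICIP keeps just the latest /32.  The addresses below are
#constructed samples; extra_addresses() measures the exposure the comment
#above warns about when a dial-up address hops around a provider's pool.

```python
# Added example (not Mason's own code): the arithmetic behind the DYNIFMODE
# choices for a dynamic interface.  Addresses used here are constructed samples.
import ipaddress
from typing import Iterable, List


def smallest_range(seen: Iterable[str]) -> ipaddress.IPv4Network:
    """SMALLESTRANGE: the smallest IPv4 network containing every address seen so far.

    All addresses share the network's leading bits, so the prefix length is
    32 minus the position of the highest bit on which any two of them differ.
    """
    ints = [int(ipaddress.IPv4Address(a)) for a in seen]
    if not ints:
        raise ValueError("no address has been seen on this interface yet")
    first = ints[0]
    differing = 0
    for value in ints[1:]:
        differing |= first ^ value            # every bit that differs anywhere
    prefix = 32 - differing.bit_length()      # one address: differing == 0 -> /32
    return ipaddress.IPv4Network((first, prefix), strict=False)


def specific_ip(seen: Iterable[str]) -> ipaddress.IPv4Network:
    """SPECIFICIP: only the most recent address is allowed, as a single /32."""
    addresses: List[str] = list(seen)
    if not addresses:
        raise ValueError("no address has been seen on this interface yet")
    return ipaddress.IPv4Network(f"{addresses[-1]}/32")


def allowed_range(mode: str, seen: Iterable[str]) -> ipaddress.IPv4Network:
    """Apply the configured DYNIFMODE to the address history of one interface."""
    if mode == "SMALLESTRANGE":
        return smallest_range(seen)
    if mode == "SPECIFICIP":
        return specific_ip(seen)
    raise ValueError(f"unknown DYNIFMODE {mode!r}")


def extra_addresses(mode: str, seen: Iterable[str]) -> int:
    """How many addresses the resulting rule admits beyond the ones actually seen.

    Two dial-ups from opposite ends of one provider's block are enough to turn
    SMALLESTRANGE into a /8; SPECIFICIP never admits an address it has not seen.
    """
    history = set(seen)
    net = allowed_range(mode, list(history) if mode == "SMALLESTRANGE" else list(seen))
    covered = sum(1 for a in history if ipaddress.IPv4Address(a) in net)
    return net.num_addresses - covered


if __name__ == "__main__":
    pool = ["24.1.2.3", "24.200.5.6"]        # constructed: two dial-ups, same ISP
    for mode in ("SMALLESTRANGE", "SPECIFICIP"):
        net = allowed_range(mode, pool)
        print(f"{mode:14} {net!s:20} admits {extra_addresses(mode, pool)} unseen addresses")
```

#The main block prints the two modes side by side for the constructed pool;
#the difference between 2^24-2 and 0 unseen addresses is the trade-off the
#comment above describes between convenience and restarting the firewall.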


#BLOCKEDHOSTS is a list of space separated machines that should not 
#be able to communicate _at_ _all_ with this machine or through
#this machine.  I'd reserve this for machines that have 
#attacked your machines in the past.  Use space separated 
#machine.name/32 or 1.2.3.4/32 or 1.2.3.0/24 or network/netmask format.
#This could also very reasonably be used to block all access to/from
#one of your own machines that is particularly sensitive and 
#should only be allowed to communicate with other machines on 
#its own subnet.
#_ALL_ communication of any sort that would normally pass in, out or 
#through this firewall is cut off.  _ALL_.
# Default: Empty
#BLOCKEDHOSTS=""

# "ipchains" = echo ipchains command to STDOUT, "ipfwadm" = echo
# ipfwadm command to STDOUT, "none" = don't echo either.
# Use "cisco" if you want Mason to spit out Cisco IOS access-list rules.
# Autodetected if not set at all.
# This is what you change if you want a different format in the
# output rule file.
# Default: Whatever this kernel supports.
#ECHOCOMMAND=""

# What should the IP address be converted to?
# network: the smallest network in the routing table that contains the address.
# host: the hostname or IP address for the machine
# none: leave IP address as is.
# custom: to be implemented.
# dynamic IPs are replaced with ${ifNADDR} solely based on the value of DYNIF
# Default: NETWORK
#IPCONV="HOST"
#IPCONV="NETWORK"
#IPCONV="NONE"
#IPCONV="CUSTOM"

#For any IP addresses not converted into a network or otherwise
#specially handled, should we leave them as IP addresses ("NONE"),
#convert them to host names if they're in /etc/hosts
#("FILESONLY"), or use that file, then try
#a DNS lookup to get the name ("FULL")?
# Default: FULL
#HOSTLOOKUP="NONE"
#HOSTLOOKUP="FILESONLY"
#HOSTLOOKUP="FULL"

#If you want a Mason firewall to automatically masquerade traffic from 
#reserved (rfc1918) addresses, set AUTOMASQIF to a space separated list of 
#interfaces _to_ which this traffic might go.  For example, if eth0 and 
#eth2 are using reserved addresses, and eth3 and ppp0 are your gateways
#to the outside world, you might set:
#AUTOMASQIF="eth3 ppp0"
#Do not simply set this to all your interfaces; that's a security risk.
#If you would rather handle this yourself, set it to "".  If blank or 
#not set at all, Mason will not automatically masquerade packets.
#This setting has no effect if the rule to be added is a REJECT or DENY 
#rule.  This is also not used in Cisco output.
#Don't forget to include any virtual interfaces such as shaperX (or 
#ipsecX or cipeX?)
# Default: if unset, Mason will leave empty.
#AUTOMASQIF=""

#DOBEEP="YES": beep at user with each new rule, "NO": don't
# Default: YES
#DOBEEP="YES"

# "yes" = echo dot to STDERR when processing a repeat line,
# "no" = don't.
# Default: YES
#HEARTBEAT="YES"

#Use ANSI escape sequences to enhance display.  Default YES.
#Set this to no if your terminal doesn't support ANSI colors, etc.
#USEANSI="YES"

# The range of ports considered to be IRC server ports.
# Default: 6666 to 6671
#IRC_BEGIN=6666
#IRC_END=6671

#The maximum number of X, Openwindows, or VNC consoles supported.  The 
#default setting of 6 allows for ports 6000-6005 if any X traffic seen, 
#2000-2005 if any openwindows traffic seen, 5800-5805 for any vnc java 
#traffic, and 5900-5905 if any vnc traffic seen.
# Default: 6
#MAXDISPLAYS=6

#If you only connect to a few (say 1-5) servers with a given protocol, 
#add it to the following (SSP=Sparse Server Protocols) so that Mason will 
#not generalize it to a network.
#Example: When you get your mail, you probably only connect to a few 
#pop-3 or imap servers to get it.  When you do a whois lookup, you 
#probably only connect to a single machine.
#If only a few _client_ machines connect to a particular service, place
#the port in SCP (Sparse _Client_ Protocols).
#This feature does not differentiate between servers on your network and
#servers in the real world.
#A given protocol can be in both.  These must be numeric.
#Warning:  If you're running your own DNS server on this machine or on 
#some machine behind it, do _not_ make Domain an SSP - leave it commented.
#DNS, NTP, syslog and the Netbios protocols may use the same port number 
#for client and server.  Declaring any of these as SSPs or SCPs will 
#probably cause _both_ ends to be specific hosts.
#This can occasionally cause problems if the server in question has 
#multiple machines with the same name and different IP addresses - 
#ICQ has this problem.
# Default: both empty.
#SSP="${SSP} "
#SSP="${SSP} 9/icmp"										#Router advertisement (probably should be both an SCP and SSP)
#SSP="${SSP} 25/tcp"										#SMTP
#SSP="${SSP} 43/tcp"										#Whois
#SSP="${SSP} 53/tcp 53/udp"									#DNS/Domain - read note above
#Do NOT put DNS in SSP if you run a DNS server on the firewall or behind it.
#SSP="${SSP} 67/udp"										#BOOTP Server
#SSP="${SSP} 69/udp"										#TFTP Server
#SSP="${SSP} 88/tcp 88/udp"									#Kerberos: should 749:751/tcp and 749:751/udp be here too?
#SSP="${SSP} 109/tcp 110/tcp 143/tcp"						#POP and IMAP Email
#SSP="${SSP} 111/tcp 111/udp 635/tcp 635/udp 2049/tcp 2049/udp"	#NFS: Sunrpc, Mount, and NFS
#SSP="${SSP} 119/tcp"										#NNTP
#SSP="${SSP} 123/tcp 123/udp"								#NTP - read note above
#SSP="${SSP} 135/tcp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp"		#Netbios - read note above
#SSP="${SSP} 370/udp 2432/udp 2433/udp"						#Coda: codaauth2 codasrv codasrv-se
#SSP="${SSP} 389/tcp"										#LDAP
#SSP="${SSP} 514/udp"										#syslog
#SSP="${SSP} 515/tcp"										#Printer/LPD
#SSP="${SSP} 2064/tcp"										#RC5DES
#SSP="${SSP} 3128/tcp 3130/udp"								#Squid
#SSP="${SSP} 4000/udp"										#ICQ
#SSP="${SSP} 7100/tcp"										#xfs
#SSP="${SSP} 8080/tcp"										#Novell Border Manager/FastCache (thanks to Eric Hart for this port number)
#SSP="${SSP} 8765/tcp"										#search.cnn.com's search web server.
#SSP="${SSP} 12343/tcp"										#stats.hitbox.com

#SCP="${SCP} "
#SCP="${SCP} 9/icmp"										#Router advertisement (probably should be both an SCP and SSP)
#SCP="${SCP} 161/udp 162/udp"								#SNMP
#SCP="${SCP} 98/tcp"										#Linuxconf

#You probably have a number of internal services to which the outside world
#should not connect.  List them here, space separated.  For the moment, these
#_must_ be number/protocol.  Ruleshell will block access to these coming from
#any interface associated with a 0.0.0.0 route.
#You can create your own or simply uncomment any lines you want to block.  
#Unlike the other operating parameters, Mason will not provide a default.
#Auth (113/tcp) is one you _might_ want to leave open (i.e., leave 
#_commented_ below).
#I've included protocols that generally have some security implication
#if open to the outside world.  You can use some, none, or all, and add 
#anything else you don't want the world to see.
#Uncommenting service W below only means that people from the outside 
#world can't get to your W servers; you can still make requests out to
#W servers on the Internet.  
#DNS, NTP, syslog and the Netbios protocols may use the same port number 
#for client and server.  Leave these lines commented if you want to make 
#outbound _client_ requests to these servers.
#You have the ability to block _entire_ protocols, such as tcp, udp, icmp, 
#gre, anything in /etc/protocols.  Most people should _not_ need to use 
#this.  In particular, you run a severe risk of violating a number of IP
#requirements by blocking all icmp packets.  Also, the only available 
#protocols for ipfwadm are tcp, udp, and icmp.
# Default: empty.

#NOINCOMING="${NOINCOMING} "	#put your favorites here...
#NOINCOMING="${NOINCOMING} 0/tcp 0/udp"						#Probably a good one to block
#NOINCOMING="${NOINCOMING} 7/tcp 7/udp"						#Echo
#NOINCOMING="${NOINCOMING} 8/icmp"							#Ping request
#NOINCOMING="${NOINCOMING} 15/tcp"							#Netstat
#NOINCOMING="${NOINCOMING} 20/tcp 21/tcp"					#FTP (FTP daemons can have buffer overflows)
#NOINCOMING="${NOINCOMING} 22/tcp"							#SSH
#NOINCOMING="${NOINCOMING} 22/udp 5631/tcp 5632/udp"		#PCAnywhere
#NOINCOMING="${NOINCOMING} 23/tcp"							#Telnet
#NOINCOMING="${NOINCOMING} 25/tcp"							#SMTP
#NOINCOMING="${NOINCOMING} 53/tcp 53/udp"					#DNS (tcp is for zone transfers; large requests too?) (BIND 53/tcp can have buffer overflows)
#NOINCOMING="${NOINCOMING} 67/udp"							#BOOTP Server
#NOINCOMING="${NOINCOMING} 69/udp"							#TFTP
#NOINCOMING="${NOINCOMING} 79/tcp"							#Finger
#NOINCOMING="${NOINCOMING} 80/tcp"							#Web (Many attacks)
#NOINCOMING="${NOINCOMING} 87/tcp"							#link
#NOINCOMING="${NOINCOMING} 98/tcp"							#LinuxConf
#NOINCOMING="${NOINCOMING} 109/tcp 110/tcp 143/tcp"			#Pop & IMAP mail (QPOP and IMAP may have buffer overflows)
#NOINCOMING="${NOINCOMING} 111/tcp 111/udp"					#Sunrpc
#NOINCOMING="${NOINCOMING} 113/tcp"							#Auth (NOTE: if enabled here, this protocol will be REJECTed rather than DENY'd)
#NOINCOMING="${NOINCOMING} 119/tcp"							#NNTP / Usenet news
#NOINCOMING="${NOINCOMING} 123/tcp 123/udp"					#NTP
#NOINCOMING="${NOINCOMING} 135/tcp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp"	#Netbios (137/udp and 139/tcp may be involved in attacks)
#NOINCOMING="${NOINCOMING} 161/udp 162/udp"					#SNMP
#NOINCOMING="${NOINCOMING} 177/tcp 177/udp"					#XDM X login (also used in GDM)
#NOINCOMING="${NOINCOMING} 443/tcp 563/tcp"					#Secure Web
#NOINCOMING="${NOINCOMING} 512:514/tcp"						#Rexec, Rlogin, Rsh
#NOINCOMING="${NOINCOMING} 512/udp"							#biff
#NOINCOMING="${NOINCOMING} 513/udp"							#who
#NOINCOMING="${NOINCOMING} 514/udp"							#syslog
#NOINCOMING="${NOINCOMING} 515/tcp"							#LPD
#NOINCOMING="${NOINCOMING} 520/udp"							#Route / RIP
#NOINCOMING="${NOINCOMING} 540/tcp"							#UUCP
#NOINCOMING="${NOINCOMING} 554/tcp 7070/tcp 7071/tcp"		#RealAudio control ports
#NOINCOMING="${NOINCOMING} 635/tcp 635/udp"					#NFS Mount
#NOINCOMING="${NOINCOMING} 901/tcp"							#Swat (samba configuration)
#NOINCOMING="${NOINCOMING} 1080/tcp"						#Socks
#NOINCOMING="${NOINCOMING} 1080/tcp 1080/udp 8080/tcp 8080/udp"	#WinGate
#NOINCOMING="${NOINCOMING} 1433/tcp 3306/tcp 5432/tcp"		#SQL (mssql, mysql, postgresql)
#NOINCOMING="${NOINCOMING} 2000:2010/tcp 6000:6010/tcp "	#X and Openwindows
#NOINCOMING="${NOINCOMING} 2049/udp 2049/tcp"				#NFS
#NOINCOMING="${NOINCOMING} 3128/tcp 3130/udp"				#Squid web cache
#NOINCOMING="${NOINCOMING} 5135/udp"						#SGI (only, probably) object server
#NOINCOMING="${NOINCOMING} 5232/tcp"						#SGI (only, probably) distributed graphics
#NOINCOMING="${NOINCOMING} 7100/tcp"						#xfs (X Font server)
#NOINCOMING="${NOINCOMING} 8080/tcp"						#Novell Border Manager/FastCache (thanks to Eric Hart for this port number)
#NOINCOMING="${NOINCOMING} 32771/tcp 32771/udp"				#Sun RPC High port
#NOINCOMING="${NOINCOMING} 33434:33524/udp"					#traceroute


#NOINCOMING="${NOINCOMING} /tcp"						#



#NOINCOMING="${NOINCOMING} gre"								#_all_ gre protocol packets - just an example

#Backdoors
#NOINCOMING="${NOINCOMING} 31/udp 456/udp"					#Hacker's Paradise Backdoor
#NOINCOMING="${NOINCOMING} 555/tcp 555/udp"					#iNi Killer/Phase Zero/Stealth Spy Backdoor
#NOINCOMING="${NOINCOMING} 666/udp"							#Satanz Backdoor
#NOINCOMING="${NOINCOMING} 1001/udp"						#Silencer, WebEX Backdoors
#NOINCOMING="${NOINCOMING} 1170/udp"						#Psyber Stream Backdoor
#NOINCOMING="${NOINCOMING} 1234/udp"						#Ultors Trojan Backdoor
#NOINCOMING="${NOINCOMING} 1243/tcp 6776/tcp 27374/tcp"				#SubSeven Backdoor
#NOINCOMING="${NOINCOMING} 1245/udp"						#VooDoo Doll Backdoor
#NOINCOMING="${NOINCOMING} 1492/udp"						#FTP99cmp Backdoor
#NOINCOMING="${NOINCOMING} 1524/tcp 27665/tcp 27444/udp 31335/udp"	#Trin00 (thanks to pmfirewall)
#NOINCOMING="${NOINCOMING} 1600/udp"						#Shivka-Burka
#NOINCOMING="${NOINCOMING} 1807/udp"						#Spy Sender Backdoor
#NOINCOMING="${NOINCOMING} 1981/udp"						#ShockRave
#NOINCOMING="${NOINCOMING} 1999/udp"						#Back Door Backdoor
#NOINCOMING="${NOINCOMING} 2001/udp"						#Trojan Cow Backdoor
#NOINCOMING="${NOINCOMING} 2023/udp"						#Ripper Pro Backdoor
#NOINCOMING="${NOINCOMING} 2115/udp"						#Bugs Backdoor
#NOINCOMING="${NOINCOMING} 2140/udp"						#Deep Throat, The Invasor Backdoor
#NOINCOMING="${NOINCOMING} 2565/udp"						#Striker Backdoor
#NOINCOMING="${NOINCOMING} 2801/udp"						#Phineas Phucker Backdoor.  Hey, I did _not_ name them.
#NOINCOMING="${NOINCOMING} 2989/udp"						#Rat backdoor
#NOINCOMING="${NOINCOMING} 3024/udp"						#WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 3150/udp"						#Deep Throat/Invasor Backdoor
#NOINCOMING="${NOINCOMING} 3700/udp"						#Portal Of Doom Backdoor
#NOINCOMING="${NOINCOMING} 4092/udp"						#WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 4950/udp"						#ICQ Trojan Backdoor
#NOINCOMING="${NOINCOMING} 5000/udp 5001/udp 50505/udp"		#Sockets De Troie Backdoor
#NOINCOMING="${NOINCOMING} 5321/udp"						#FireHotcker Backdoor
#NOINCOMING="${NOINCOMING} 5400:5402/udp"					#Blade Runner Backdoor
#NOINCOMING="${NOINCOMING} 5569/udp"						#Robo-Hack Backdoor
#NOINCOMING="${NOINCOMING} 5742/udp"						#WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 6670/udp"						#Deep Throat Backdoor
#NOINCOMING="${NOINCOMING} 6711/udp"						#Deep Throat/SubSeven Backdoor
#NOINCOMING="${NOINCOMING} 6969/tcp"						#GateCrasher Backdoor
#NOINCOMING="${NOINCOMING} 7000/udp"						#Remote Grab Backdoor
#NOINCOMING="${NOINCOMING} 7300:7308/udp"					#Net Monitor Backdoor
#NOINCOMING="${NOINCOMING} 7789/udp"						#ICKiller Backdoor
#NOINCOMING="${NOINCOMING} 9872/udp 10067/udp 10167/udp"	#Portal Of Doom Backdoor
#NOINCOMING="${NOINCOMING} 10752/tcp"						#Linux mountd backdoor
#NOINCOMING="${NOINCOMING} 11223/udp"						#Progenic Trojan Backdoor
#NOINCOMING="${NOINCOMING} 12223/udp"						#Hack99-Keylogger Backdoor
#NOINCOMING="${NOINCOMING} 12345:12346/tcp"					#Netbus/GabanBus NT trojan/Backdoor	#udp too? (from pmfirewall)
#NOINCOMING="${NOINCOMING} 12361:12362/tcp"					#Whack-a-mole Backdoor
#NOINCOMING="${NOINCOMING} 16969/udp"						#Portal Of Doom/Priority Backdoor
#NOINCOMING="${NOINCOMING} 20000:20001/udp"					#Millenium Backdoor
#NOINCOMING="${NOINCOMING} 20034/udp"						#NetBus PRO Backdoor
#NOINCOMING="${NOINCOMING} 21544/udp 21554/tcp"				#Girlfriend Backdoor
#NOINCOMING="${NOINCOMING} 22222/udp"						#Prosiak Backdoor
#NOINCOMING="${NOINCOMING} 23456/tcp"						#EvilFTP Backdoor
#NOINCOMING="${NOINCOMING} 26274/udp"						#Delta Backdoor
#NOINCOMING="${NOINCOMING} 30100/tcp"						#NetSphere Backdoor
#NOINCOMING="${NOINCOMING} 30102/tcp"						#NetSphere FTP Backdoor
#NOINCOMING="${NOINCOMING} 31337/tcp"						#BIND Shell Backdoor
#NOINCOMING="${NOINCOMING} 31337:31338/udp"					#Back Orifice/Deep Back Orifice Backdoor
#NOINCOMING="${NOINCOMING} 31339/udp"						#NetSpy Backdoor
#NOINCOMING="${NOINCOMING} 31666/udp"						#BOWhack Backdoor
#NOINCOMING="${NOINCOMING} 28431/udp 31785/tcp 31787/tcp 31789/udp 31791/udp" #Hackattack, trojan
#NOINCOMING="${NOINCOMING} 33333/udp"						#Prosiak Backdoor
#NOINCOMING="${NOINCOMING} 34324/udp"						#Big Gluck/TelnetSrv Backdoor
#NOINCOMING="${NOINCOMING} 40412/udp"						#The Spy Backdoor
#NOINCOMING="${NOINCOMING} 40421:40423/udp 40426/udp"		#Masters Paradise Backdoor
#NOINCOMING="${NOINCOMING} 47262/udp"						#Delta Backdoor
#NOINCOMING="${NOINCOMING} 50776/udp"						#Fore Backdoor
#NOINCOMING="${NOINCOMING} 53001/udp"						#Remote Win Shutdown Backdoor
#NOINCOMING="${NOINCOMING} 61446/udp"						#TeleCommando Backdoor
#NOINCOMING="${NOINCOMING} 65000/udp"						#Devil

#Blackhole:
#If you want your machine to disappear - be basically undetectable from
#other hosts on the Internet - the following NOINCOMING and NOOUTGOING 
#lines _might_ be a good starting point onto which you can add the 
#standard services you don't want to be seen.  All of the following 
#are listed above, this is just here for convenience.
#NOINCOMING="${NOINCOMING} 0/tcp 0/udp 7/tcp 7/udp 8/icmp 15/tcp 33434:33524/udp"
#NOOUTGOING="${NOOUTGOING} 0/icmp 3.0/icmp 3.1/icmp 3.2/icmp 3.3/icmp 3.5/icmp 3.6/icmp 3.7/icmp 3.8/icmp 3.9/icmp 3.10/icmp 3.11/icmp 3.12/icmp 3.13/icmp 3.14/icmp 3.15/icmp 9/icmp 11.0/icmp 11/icmp 18/icmp"

#NoTrojan:
#If you want all of the backdoors, uncomment the following line (all of the 
#following are listed above, this is just here for convenience): 
#NOINCOMING="${NOINCOMING} 31/udp 456/udp 555/tcp 555/udp 666/udp 1001/udp 1170/udp 1234/udp 1243/tcp 6776/tcp 1245/udp 1492/udp 1524/tcp 27665/tcp 27444/udp 31335/udp 1600/udp 1807/udp 1981/udp 1999/udp 2001/udp 2023/udp 2115/udp 2140/udp 2565/udp 2801/udp 2989/udp 3024/udp 3150/udp 3700/udp 4092/udp 4950/udp 5000/udp 5001/udp 50505/udp 5321/udp 5400:5402/udp 5569/udp 5742/udp 6670/udp 6711/udp 6969/tcp 7000/udp 7300:7308/udp 7789/udp 9872/udp 10067/udp 10167/udp 10752/tcp 11223/udp 12223/udp 12345:12346/tcp 12361:12362/tcp 16969/udp 20000:20001/udp 20034/udp 21544/udp 21554/tcp 22222/udp 23456/tcp 26274/udp 30100/tcp 30102/tcp 31337/tcp 31337:31338/udp 31339/udp 31666/udp 28431/udp 31785/tcp 31787/tcp 31789/udp 31791/udp 33333/udp 34324/udp 40412/udp 40421:40423/udp 40426/udp 47262/udp 50776/udp 53001/udp 61446/udp 65000/udp"


#You may also have a few protocols that you definitely want to
#stop from ever leaving your firewall.  For the moment, these
#can only be icmp_typecode/icmp or icmp_typecode.icmp_subcode/icmp .
#Not tcp, not udp, just icmp.  ipfwadm cannot handle icmp subcodes - don't use them.
#Uncommenting one or more of the following makes it harder for 
#someone to map your network - but not impossible.  Uncommenting
#them _may_ also contribute to delays in normal communications.
#NOOUTGOING="${NOOUTGOING} 0/icmp"							#Ping reply
#NOOUTGOING="${NOOUTGOING} 3.0/icmp"						#network-unreachable
#NOOUTGOING="${NOOUTGOING} 3.1/icmp"						#host-unreachable (This may also be used for path mtu discovery?)
#NOOUTGOING="${NOOUTGOING} 3.2/icmp"						#protocol-unreachable
#NOOUTGOING="${NOOUTGOING} 3.3/icmp"						#port-unreachable
#3.4/icmp (Fragmentation needed and DF set) is _not_ a good one to block - it screws up path MTU discovery.
#NOOUTGOING="${NOOUTGOING} 3.5/icmp"						#source-route-failed
#NOOUTGOING="${NOOUTGOING} 3.6/icmp"						#network-unknown
#NOOUTGOING="${NOOUTGOING} 3.7/icmp"						#host-unknown
#NOOUTGOING="${NOOUTGOING} 3.8/icmp"						#source-host-isolated
#NOOUTGOING="${NOOUTGOING} 3.9/icmp"						#network-prohibited
#NOOUTGOING="${NOOUTGOING} 3.10/icmp"						#host-prohibited
#NOOUTGOING="${NOOUTGOING} 3.11/icmp"						#TOS-network-unreachable
#NOOUTGOING="${NOOUTGOING} 3.12/icmp"						#TOS-host-unreachable
#NOOUTGOING="${NOOUTGOING} 3.13/icmp"						#communication-prohibited
#NOOUTGOING="${NOOUTGOING} 3.14/icmp"						#host-precedence-violation
#NOOUTGOING="${NOOUTGOING} 3.15/icmp"						#precedence-cutoff
#NOOUTGOING="${NOOUTGOING} 9/icmp"							#Router advertisement
#NOOUTGOING="${NOOUTGOING} 11.0/icmp 11/icmp"				#Time exceeded
#NOOUTGOING="${NOOUTGOING} 18/icmp"							#Address mask reply
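#Added illustration (not Mason's own code): SSP, SCP, NOINCOMING and
#NOOUTGOING all share one token grammar, described piecemeal above: port/proto,
#low:high/proto, type/icmp, type.code/icmp, and a bare /etc/protocols name.
#This parser accepts exactly those shapes and applies the checks the comments
#ask for: NOOUTGOING is icmp only, and ipfwadm knows only tcp/udp/icmp with no
#icmp subcodes.  matches() shows how a packet falls under an entry.  The
#PortSpec type and the sample lists are constructed for this example.

```python
# Added example (not Mason's own code): the port/protocol token grammar shared
# by SSP, SCP, NOINCOMING and NOOUTGOING, with the checks masonrc asks for.
# Sample values are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PortSpec:
    proto: str                   # "tcp", "udp", "icmp", or a bare /etc/protocols name ("gre")
    low: Optional[int] = None    # first port, or ICMP type; None for a bare protocol
    high: Optional[int] = None   # last port of low:high (== low for a single port or ICMP type)
    code: Optional[int] = None   # ICMP code from type.code/icmp, else None

    def __str__(self) -> str:
        if self.low is None:
            return self.proto
        if self.proto == "icmp":
            return f"{self.low}.{self.code}/icmp" if self.code is not None else f"{self.low}/icmp"
        ports = f"{self.low}:{self.high}" if self.high != self.low else str(self.low)
        return f"{ports}/{self.proto}"


def parse_port_spec(token: str) -> PortSpec:
    """Parse one token: port/proto, low:high/proto, type/icmp, type.code/icmp or a bare protocol."""
    if "/" not in token:
        if not token.isalpha():
            raise ValueError(f"{token!r}: bare entries must be a protocol name from /etc/protocols")
        return PortSpec(proto=token.lower())
    ports, proto = token.rsplit("/", 1)
    proto = proto.lower()
    if not ports:
        raise ValueError(f"{token!r}: missing port or type (the empty template line)")
    if proto == "icmp":
        if ":" in ports:
            raise ValueError(f"{token!r}: icmp takes type or type.code, not a range")
        typ, _, code = ports.partition(".")
        t = int(typ)
        c = int(code) if code else None
        if not 0 <= t <= 255 or (c is not None and not 0 <= c <= 255):
            raise ValueError(f"{token!r}: ICMP type and code are 0-255")
        return PortSpec("icmp", t, t, c)
    if proto not in ("tcp", "udp"):
        raise ValueError(f"{token!r}: port numbers only make sense with tcp or udp")
    lo_s, _, hi_s = ports.partition(":")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{token!r}: ports must be 0-65535 with low <= high")
    return PortSpec(proto, lo, hi)


def parse_port_list(value: str) -> List[PortSpec]:
    """Parse the space separated contents of SSP, SCP, NOINCOMING or NOOUTGOING."""
    return [parse_port_spec(t) for t in value.split()]


def ipfwadm_problems(specs: List[PortSpec]) -> List[str]:
    """Entries ipfwadm cannot express: it knows only tcp, udp and icmp, and no ICMP subcodes."""
    return [str(s) for s in specs
            if s.proto not in ("tcp", "udp", "icmp") or (s.proto == "icmp" and s.code is not None)]


def nooutgoing_problems(specs: List[PortSpec]) -> List[str]:
    """NOOUTGOING is icmp only: 'Not tcp, not udp, just icmp.'"""
    return [str(s) for s in specs if s.proto != "icmp"]


def matches(spec: PortSpec, proto: str, number: Optional[int] = None,
            code: Optional[int] = None) -> bool:
    """Does a packet (protocol, port or ICMP type, optional ICMP code) fall under this entry?"""
    if spec.proto != proto.lower():
        return False
    if spec.low is None:                      # bare protocol: every packet of that protocol
        return True
    if number is None or not spec.low <= number <= spec.high:
        return False
    return spec.code is None or spec.code == code   # 3/icmp covers every code, 3.4/icmp one


if __name__ == "__main__":
    # constructed NOOUTGOING value with a tcp entry slipped in by mistake
    for problem in nooutgoing_problems(parse_port_list("0/icmp 3.3/icmp 22/tcp")):
        print(f"NOOUTGOING cannot hold {problem}")
    for problem in ipfwadm_problems(parse_port_list("22/tcp 3.4/icmp gre")):
        print(f"ipfwadm cannot express {problem}")
```

#Running a parsed NOINCOMING list through ipfwadm_problems() before switching
#ECHOCOMMAND to ipfwadm tells you which lines above (the gre example, any
#type.code icmp entry) will have to go.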



#If you do not already have EDITOR set in your environment, you 
#can set it here.  If it's not set in either place, Mason
#will try to find mcedit, pico, vi, jove, nedit, and emacs in
#your path.
# Default: try to find some of the standard ones.
#EDITOR="/usr/bin/mcedit -c "		#I like mine in color :-)

#The number of characters to display on a line.  Leave enough space for a
#space at the end of the line.
# Default: 72
#LINELENGTH=72

#How should mason sort the newrulesfile?
# Default: PROTOCOL
#SORTMODE="NONE" - This isn't implemented right now, and you wouldn't want it.
#SORTMODE="PROTOCOL" #Group by protocol
#SORTMODE="PACKETCOUNTS" #Put rules with the largest number of packets up top.

#MINMARK
#Mason can add mark numbers to ipchains rules.  If you want to use
#the feature of adding packet counts to rules (for migrating the rules 
#with the highest counts upwards) this must be set to some positive number.  
#In order to make the mark values unique, Mason will raise this above any
#existing mark values.
# Default: do not set marks.
#MINMARK=32768

#When set to YES, Mason will generalize both the source and the 
#destination ports to 61000-65096, 1024-65535, or 0-1023, but only if the 
#packet is a tcp ack packet.  This basically eliminates the ack rules 
#by reducing them to just a few, rather than one for each protocol.
#My best understanding is that this generalization:
# - will reduce the number of rules in your firewall by about 30%.
# - will _probably_ _not_ increase the risk that someone can _make_ _a_
#_connection_ that they could not have made before.
# - _will_ increase the risk that someone can map your internal network 
#ports even if they can't make connections to them.
#Use at your own risk.  Default NO.
#GENERALIZETCPACK="YES"


#-----------------------------------------------------------
# Filenames
#-----------------------------------------------------------
#Location of runtime changeable files and configuration.
#Make sure you include the trailing slash.
# Default: "/var/lib/mason/"
#MASONDIR="/var/lib/mason/"

#This is the configuration file mason uses.  It can be changed while
#Mason is running as long as the SIGUSR1 signal is sent to Mason afterwards.
#It's probably not a good idea to change the value of this variable on the fly.
#Setting this here is of dubious value - this is better set as a 
#shell environment variable before running mason.
# Default: /etc/masonrc
#MASONCONF="/etc/masonrc"

#The support library of routines used by mason and mason-gui-text
# Default: "/var/lib/mason/masonlib"
#MASONLIB="${MASONDIR}masonlib"


#This field replaces the original NETCACHE file.  
#Most people can leave this blank; if null, Mason populates it with the
#correct values.  If you need Mason to use different networks, perhaps 
#to run Mason on another machine, place triplets of the form 
#"network-broadcast/netmask" in this variable, separating them 
#with spaces.  "network/netmask", "network/numbits" and 
#"network-broadcast/numbits" are all legal:
#NETWORKS="172.16.0.0-172.16.255.255/255.255.0.0 192.168.11.0-192.168.11.255/255.255.255.0"
#NETWORKS="12.13.14.15/32 206.99.99.0/24 15.16.17.18/255.255.255.255 1.2.3.0-1.2.3.1/31"
#Please place the most specific entries _first_.  If you have certain machines
#or subnets that need to be treated specially, place them here.  If you 
#set this at all, make sure you include _all_ networks this machine needs 
#to recognize.
# Default: Mason automatically detects your existing network structure
#NETWORKS=""
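#Added illustration (not Mason's own code): a parser for the entry formats
#that BLOCKEDHOSTS and NETWORKS share (network/numbits, network/netmask,
#network-broadcast/netmask, network-broadcast/numbits, machine.name/32) plus
#a check for the "most specific entries _first_" rule above.  It rejects the
#two typos that would silently change a rule's scope: host bits set in the
#network part, and a broadcast that does not match the mask.  The hostname
#and network values in the tests are constructed.

```python
# Added example (not Mason's own code): a parser for the NETWORKS and
# BLOCKEDHOSTS entry formats described in masonrc, plus the "most specific
# first" ordering check.  Hostnames, network values and sample lists are
# constructed for the example.
import ipaddress
import re
from typing import List, Tuple, Union

RUNTIME_TOKEN = "RUNTIME.NETWORKS"   # the sentinel masonrc lets you append to NETWORKS
Entry = Union[ipaddress.IPv4Network, str]
_DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_network_spec(token: str) -> Entry:
    """Parse one space-separated entry.

    Accepted shapes:
        1.2.3.0/24  1.2.3.4/32                     network/numbits
        1.2.3.0/255.255.255.0                      network/netmask
        1.2.0.0-1.2.255.255/255.255.0.0            network-broadcast/netmask
        1.2.0.0-1.2.255.255/16                     network-broadcast/numbits
        machine.name/32                            hostname (returned unresolved)
        RUNTIME.NETWORKS                           sentinel, returned as-is
    """
    if token == RUNTIME_TOKEN:
        return token
    if "/" not in token:
        raise ValueError(f"{token!r}: every entry needs /netmask or /numbits")
    addr_part, mask_part = token.rsplit("/", 1)
    broadcast = None
    if "-" in addr_part:
        addr_part, broadcast = addr_part.split("-", 1)
    if not _DOTTED_QUAD.fullmatch(addr_part):
        if broadcast is not None:
            raise ValueError(f"{token!r}: a network-broadcast entry needs numeric addresses")
        return addr_part                  # machine.name/32: the caller resolves it via DNS
    # strict=True rejects e.g. 1.2.3.5/24, where host bits are set in the network part
    net = ipaddress.IPv4Network(f"{addr_part}/{mask_part}", strict=True)
    if broadcast is not None and ipaddress.IPv4Address(broadcast) != net.broadcast_address:
        raise ValueError(f"{token!r}: broadcast {broadcast} does not match {net}")
    return net


def parse_network_list(value: str) -> List[Entry]:
    """Parse the whole quoted value of NETWORKS or BLOCKEDHOSTS."""
    return [parse_network_spec(t) for t in value.split()]


def misordered(value: str) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) where a wider network precedes a narrower one inside it.

    masonrc asks for the most specific entries first, so each pair reported
    here is an entry that should move ahead of the one before it.
    """
    nets = [e for e in parse_network_list(value) if isinstance(e, ipaddress.IPv4Network)]
    problems = []
    for i, outer in enumerate(nets):
        for inner in nets[i + 1:]:
            if inner != outer and inner.subnet_of(outer):
                problems.append((str(outer), str(inner)))
    return problems


if __name__ == "__main__":
    # constructed NETWORKS value: the /8 is listed before a /16 it contains
    sample = "172.16.0.0-172.16.255.255/255.255.0.0 10.0.0.0/8 10.1.0.0/16 RUNTIME.NETWORKS"
    for entry in parse_network_list(sample):
        print(entry)
    for outer, inner in misordered(sample):
        print(f"move {inner} ahead of {outer}")
```

#Hostname entries come back as strings rather than networks because resolving
#them needs DNS; misordered() therefore only compares the numeric entries.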

#If you want Mason to add the networks known at run-time to any custom list
#of networks above, uncomment the following line:
#NETWORKS="${NETWORKS} RUNTIME.NETWORKS"

#BASERULEFILE="${MASONDIR}baserules"

#NEWRULEFILE="${MASONDIR}newrules"

#PACKETCOUNTFILE="${MASONDIR}packetcounts"

#All of the following are autodetected if not set.
#If you want to get an explicit listing of exactly what rules are used to 
#create the boot time firewall, try:
#IPCHAINSBIN="echo /sbin/ipchains"
#and run 
#/etc/rc.d/init.d/firewall start
#
#MASONEXE="/usr/bin/mason"
#MASONDECIDE="/usr/bin/mason-decide"
#IPFWADMBIN="/sbin/ipfwadm"
#IPCHAINSBIN="/sbin/ipchains"
#Note - ipnatctl is not used any more.
#IPNATCTLBIN="/usr/local/bin/ipnatctl"
#IPTABLESBIN="/usr/local/bin/iptables"

#MASONPIDFILE="/var/run/mason.pid"

#Default input file to tail.
#PACKETLOGFILE="/var/log/messages"

#Please note that the NAMECACHE, NETCACHE, and SERVICES fields are no longer used.

#-----------------------------------------------------------
# Low likelihood you'll need to change these
#-----------------------------------------------------------
# "ipchains" = actually run the ipchains command, "ipfwadm" = actually
# run the ipfwadm command, "none" = don't run either.  "none" is useful 
# if you're not running Mason as root or are running Mason on some machine 
# other than the actual operating firewall.  User can override either by 
# simply setting the environment variable ahead of time.
# Default: Autodetected to match running kernel.
#DOCOMMAND="ipchains"
#DOCOMMAND="ipfwadm"
#DOCOMMAND="none"

#What policy should we use for logging?  
# Default: same as NEWRULEPOLICY
#LOGGINGPOLICY="accept"
#LOGGINGPOLICY="reject"
#LOGGINGPOLICY="deny"

#The additional character added to the end of an ipchains chain name to
#indicate that it holds rules to block logging.
#Because of limitations on the length of rule names, NOLOGSUFFIX cannot
#be longer than 1 character.  Don't use any character that might be the 
#last character in a normal chain, like the "t" or "d" in inpu_t_, 
#outpu_t_, or forwar_d_.
# Default: "N"
#NOLOGSUFFIX="N"

# "YES" to debug, anything else = don't
# Default: NO
#DEBUG="NO"

#Ports used as the source port for masqueraded packets.
# Default: 61000:65096
#PORT_MASQ_BEGIN=61000
#PORT_MASQ_END=65096
#Ports used as the destination ports for traceroute packets.
# Default: 33434:33524
#TRACEROUTE_BEGIN=33434
#TRACEROUTE_END=33524		#Fine for up to 30 routers, 3 packets each, the default for traceroute.

#When ssh(d?) is run as root, the client port starts off at 1023 and 
#works its way down to (512?).  Mason handles this falling range 
#correctly, but this allows you to predeclare that you want to handle 
#up to 1024-LOWSSHPORT connections simultaneously. 
# Default: 1010, but it will keep dropping down as needed.
#LOWSSHPORT=1010

#Interfaces on which packets from untrusted systems can come _in_, 
#usually identical to the interfaces with a default route.  (That's
#how this is automatically set if you don't set it explicitly.)
#If you use diald, explicitly set this with _only_ the ppp 
#interface(s); packets never _arrive_ on the slx interface(s).
#You should only have to set this by hand if you use something 
#like diald, a cable modem, or a satellite link where you use 
#different interfaces for outgoing and incoming packets.
# Default: your default route interfaces.
#INCOMINGINTERFACES=""
#INCOMINGINTERFACES="ppp0"		#Single interface diald

#As above, these are the interfaces that actually carry packets 
#back to untrusted systems.
#You should only have to set this if you had to set the above.  It
#normally gets set from your routing table automatically too.
# Default: your default route interfaces.
#OUTGOINGINTERFACES=""
#OUTGOINGINTERFACES="ppp0"		#Single interface diald


#-----------------------------------------------------------
# To be implemented
#-----------------------------------------------------------

#Needs some more testing, but feel free to try it out.
#Note: this only works when DOCOMMAND=ipchains, and will
#cause severe network problems if _any_ networks or IPs 
#in your routing table overlap, but point at different interfaces 
#(overlapping routes that point at the _same_ interface are not a 
#problem). This is almost certainly the case if you use proxyarp 
#and may show up in other network setups as well.  It's probably
#not a good idea to enable this if you have any non-default 
#routes where packets go out one interface and come back on 
#another (_default_ routes like this are ok).
# Default: NO if there are overlapping routes, YES if there aren't.
#SPOOFBLOCKS="YES"

#Future: allow non-verbose operation?  Not used as of 0.13.0.
# Default: YES
#VERBOSE="YES"

#Not tested yet, but give it a try if you want all packets 
#from blocked protocols or hosts to be logged.  You should not
#enable this during the learning process - wait until after.
#LOGBLOCKS="-l"

#POISONPROTOCOLS=""	#treat these as blockedhost machines from now on and append 
#to masonrc as BLOCKEDHOSTS... :-)  Hmmm.... 

##SYSTEMRULEFILE="${MASONDIR}systemrules"


#-----------------------------------------------------------
# Deprecated
#-----------------------------------------------------------
##Note - NAMECACHE support has been disabled.
##THIS SECTION WILL BE DELETED.
##NAMECACHE _could_ be /etc/hosts, but this was really intended to be a
##local cache for Mason only.  This really should be in some directory like
##/var/lib/mason.
##NAMECACHE="${MASONDIR}morehosts"

##Note - Mason no longer supports additional services files.  You need to 
##make sure /etc/services holds all your protocols.
##THIS SECTION WILL BE DELETED.
##These files, in /etc/services format, hold additional ports that may 
##not be defined in the stock /etc/services.  If you would prefer to 
##use just the services in your own /etc/services, uncomment the 
##first line.  Your /etc/services entries always take precedence over 
##any entries in moreservices.  If you choose not to use the moreservices 
##file, make _sure_ your /etc/services has _all_ the protocols you might 
##use.  ssh, portmapper, nfs, and nfs mount services are especially 
##crucial.  Default is just /etc/services.
##SERVICES="/etc/services"
##SERVICES="/etc/services ${MASONDIR}nmap-services ${MASONDIR}moreservices"

##Obsoleted - do not use any more.  If you have made any manual changes to
##this file, please transfer the contents to the NETWORKS variable below.
##NETCACHE="${MASONDIR}netconvert"


#Copyleft:
#    Mason interactively creates a Linux packet filtering firewall.
#    Copyright (C) 1998-2000 William Stearns <wstearns@pobox.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
#    The author can also be reached at:
#        William Stearns
#email:  wstearns@pobox.com              (preferred)
#web:    http://www.stearns.org/mason/
#snail:  6 Manchester Dr.
#        Lebanon NH, 03766

