This file is indexed.

/etc/masonrc is in mason 1.0.0-12.2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
#===========================================================
# WARNING - If you are upgrading from a previous version, the uncommented
# lines in your old masonrc have been appended to the end of this file.  
#===========================================================

#Please note that the NAMECACHE, NETCACHE, and SERVICES fields are no longer used.

#For instructions on how to set the parameters in this file, refer to 
#mason.txt that came with this package; try looking in 
#/usr/doc/mason-{version}/mason.txt or refer to 
#http://www.pobox.com/~wstearns/mason/  The only fields you must change
#are in the "Essential Settings" section immediately following.  The other 
#fields may be left unset; Mason will assign defaults for them.  The defaults 
#are generally used below, but see the documentation for more details.
#Please see mason.txt or http://www.pobox.com/~wstearns/mason/ for 
#more information and copyright information.
#	- William Stearns (wstearns@pobox.com)

# Reminder; this file is for system wide defaults.  
# If you wish to set something for this 
# run only, simply set it on the command line just before calling mason.  For 
# example, putting DYNIF="ppp0" in this file has the 
# same effect on this execution of the program as running 
# DYNIF="ppp0" mason<Enter>.  If a field is set on the command line and
# in this file, this file wins - sorry.

#	The fields at the top are the ones you're most likely to need to edit.
#	The values in this script can be changed on the fly without
#having to stop and restart Mason; simply make your changes, save the
#file and run "killall -USR1 mason".  Mason will only reread this 
#file when it receives this signal.
#	To have Mason gracefully exit, run "killall -HUP mason".

#-----------------------------------------------------------
# Essential settings - please set these.
#-----------------------------------------------------------
#A quote enclosed, space separated list of interfaces that change 
#IP address from time to time.  Leave as "" if all addresses stay constant.
#See DYNIFMODE if you want to fine tune how Mason handles these.
#Default: no dynamic interfaces, all have static addresses.
#DYNIF="ppp0"
#DYNIF=""

#What policy should mason use for upcoming rules?  
#There is no default for this field.  You must choose one of 
#the following.
#NEWRULEPOLICY="accept"
#NEWRULEPOLICY="reject"
#NEWRULEPOLICY="deny"

#What should the default policy for your firewall be?
#There is no default for this field.  You must choose one of 
#the following.
#DEFAULTPOLICY="accept"
#DEFAULTPOLICY="reject"
#DEFAULTPOLICY="deny"

#What should the default policy for your system be when the 
#firewall is flushed?
#There is no default for this field.  You must choose one of 
#the following.
#FLUSHEDPOLICY="accept"
#FLUSHEDPOLICY="reject"
#FLUSHEDPOLICY="deny"

#===========================================================
# New settings for the debian version of mason - BEGIN
#===========================================================
# Property: SERVICE_RESTART_DIR 
#-----------------------------------------------------------
# Type    : string
# value   : the name of a directory
# Default : /etc/mason.d/restart.d
# Descr.  : All scripts in this directory will be executed 
#           with the command line parameter 'restart'. 
# Hints   : - A common way to use this feature is to link to 
#             init scripts, for example:
#             ln -s /etc/init.d/fail2ban /etc/mason.d/restart.d/
#-----------------------------------------------------------
# SERVICE_RESTART_DIR="/etc/mason.d/restart.d"

#-----------------------------------------------------------
# Property: PACKETSTATS_SAVE 
#-----------------------------------------------------------
# Type    : string
# value   : "yes" or "no"
# Default : "no"
# Descr.  : If the value of this property is set to "yes" 
#           the counters for each rule a saved before the
#           iptables chains are flushed 
#-----------------------------------------------------------
# PACKETSTATS_SAVE="no"

#-----------------------------------------------------------
# Property: PACKETSTATS_MAX_AGE
#-----------------------------------------------------------
# Type    : integer
# value   : maximum age of saved saved counters in days
# Default : 30
# Descr.  : If the value of this property is set, saved
#           counters are deleted when older as set here
#-----------------------------------------------------------
# PACKETSTATS_MAX_AGE=30

#-----------------------------------------------------------
# Property: PACKETSTATS_LOGDIR
#-----------------------------------------------------------
# Type    : string
# value   : the name of a directory
# Default : /var/log/mason
# Descr.  : The directory where the counters are saved
#-----------------------------------------------------------
# PACKETSTATS_LOGDIR="/var/log/mason"

#===========================================================
# New settings for the debian version of mason - END
#===========================================================

#-----------------------------------------------------------
# Moderate likelihood you may wish to tune these, probably once.
#-----------------------------------------------------------
#DYNIFMODE Sets what Mason does with interfaces that change IP 
#address from time to time, such as network interfaces that use
#dhcp or dial up links.
#If set to SMALLESTRANGE, Mason attempts to calculate the smallest
#IP network that contains all IP addresses seen so far for that 
#interface.  Probably the best choice.  Actually, the best choice
#is to not use dynamic addresses on a firewall, but sometimes it's 
#unavoidable.
#SPECIFICIP instructs Mason to only allow a single IP for each 
#interface.  This is the most secure but also requires you to 
#restart the firewall whenever the IP address changes.
#None of the above choices is permanent; there is a setting at the
#top of the firewall rule file that can be changed at any time.
# Default: SMALLESTRANGE
#DYNIFMODE="SMALLESTRANGE"
#DYNIFMODE="SPECIFICIP"


#BLOCKEDHOSTS is a list of space separated machines that should not 
#be able to communicate _at_ _all_ with this machine or through
#this machine.  I'd reserve this for machines that have 
#attacked your machines in the past.  Use space separated 
#machine.name/32 or 1.2.3.4/32 or 1.2.3.0/24 or network/netmask format.
#This could also very reasonably be used to block all access to/from
#one of your own machines that is particularly sensitive and 
#should only be allowed to communicate with other machines on 
#its own subnet.
#_ALL_ communication of any sort that would normally pass in, out or 
#through this firewall is cut off.  _ALL_.
# Default: Empty
#BLOCKEDHOSTS=""

# "ipchains" = echo ipchains command to STDOUT, "ipfwadm" = echo
# ipfwadm command to STDOUT, "none" = don't echo either.
# Use "cisco" if you want Mason to spit out Cisco IOS access-list rules.
# Autodetected if not set at all.
# This is what you change if you want a different format in the
# output rule file.
# Default: Whatever this kernel supports.
#ECHOCOMMAND=""

# What should the IP address be converted to?
# network: the smallest network in the routing table that contains the address.
# host: the hostname or IP address for the machine
# none: leave IP address as is.
# custom: to be implemented.
# dynamic IP's are replaced with ${ifNADDR} solely based on the value of DYNIF
# Default: NETWORK
#IPCONV="HOST"
#IPCONV="NETWORK"
#IPCONV="NONE"
#IPCONV="CUSTOM"

#For any IP addresses not converted into a network or otherwise
#specially handled, should we leave them as IP addresses ("NONE"),
#convert them to host names if they're in /etc/hosts
#("FILESONLY"), or use that file, then try
#a DNS lookup to get the name ("FULL")?
# Default: FULL
#HOSTLOOKUP="NONE"
#HOSTLOOKUP="FILESONLY"
#HOSTLOOKUP="FULL"

#If you want a Mason firewall to automatically masquerade traffic from 
#reserved (rfc1918) addresses, set AUTOMASQIF to a space separated list of 
#interfaces _to_ which this traffic might go.  For example, if eth0 and 
#eth2 are using reserved addresses, and eth3 and ppp0 are your gateways
#to the outside world, you might set:
#AUTOMASQIF="eth3 ppp0"
#Do not simply set this to all your interfaces; that's a security risk.
#If you would rather handle this yourself, set it to "".  If blank or 
#not set at all, Mason will not automatically masquerade packets.
#This setting has not effect if the rule to be added is a REJECT or DENY 
#rule.  This is also not used in Cisco output.
#Don't forget to include any virtual interfaces such as shaperX (or 
#ipsecX or cipeX?)
# Default: if unset, Mason will leave empty.
#AUTOMASQIF=""

#DOBEEP="YES": beep at user with each new rule, "NO": dont
# Default: YES
#DOBEEP="YES"

# "yes" = echo dot to STDERR when processing a repeat line,
# "no" = don't.
# Default: YES
#HEARTBEAT="YES"

#Use ANSI escape sequences to enhance display.  Default YES.
#Set this to no if your terminal doesn't support ANSI colors, etc.
#USEANSI="YES"
USEANSI="NO"

# The range of ports considered to be IRC server ports.
# Default: 6666 to 6671
#IRC_BEGIN=6666
#IRC_END=6671

#The maximum number of X, Openwindows, or VNC consoles supported.  The 
#default setting of 6 allows for ports 6000-6005 if any X traffic seen, 
#2000-2005 if any openwindows traffic seen, 5800-5805 for any vnc java 
#traffic, and 5900-5905 if any vnc traffic seen.
# Default: 6
#MAXDISPLAYS=6

#If you only connect to a few (say 1-5) servers with a given protocol, 
#add it to the following (SSP=Sparse Server Protocols) so that Mason will 
#not generalize it to a network.
#Example: When you get your mail, you probably only connect to a few 
#pop-3 or imap servers to get it.  When you do a whois lookup, you 
#probably only connect to a single machine.
#If only a few _client_ machines connect to a particular service, place
#the port in SCP (Sparse _Client_ Protocols).
#This feature does not differentiate between servers on your network and
#servers in the real world.
#A given protocol can be in both.  These must be numeric.
#Warning:  If you're running your own DNS server on this machine or on 
#some machine behind it, do _not_ make Domain an SSP - leave it commented.
#DNS, NTP, syslog and the Netbios protocols may use the same port number 
#for client and server.  Declaring any of these as SSP's or SCP's will 
#probably cause _both_ ends to be specific hosts.
#This can occasionally cause problems if the server in question has 
#multiple machines with the same name and different IP addresses - 
#ICQ has this problem.
# Default: both empty.
#SSP="${SSP} "
#SSP="${SSP} 9/icmp"										#Router advertisement (probably should be both an SCP and SSP)
#SSP="${SSP} 25/tcp"										#SMTP
#SSP="${SSP} 43/tcp"										#Whois
#SSP="${SSP} 53/tcp 53/udp"									#DNS/Domain - read note above
#Do NOT put DNS in SSP if you run a DNS server on the firewall or behind it.
#SSP="${SSP} 67/udp"										#BOOTP Server
#SSP="${SSP} 69/udp"										#TFTP Server
#SSP="${SSP} 88/tcp 88/udp"									#Kerberos: should 749:751/tcp and 749:751/udp be here too?
#SSP="${SSP} 109/tcp 110/tcp 143/tcp"						#POP and IMAP Email
#SSP="${SSP} 111/tcp 111/udp 635/tcp 635/udp 2049/tcp 2049/udp"	#NFS: Sunrpc, Mount, and NFS
#SSP="${SSP} 119/tcp"										#NNTP
#SSP="${SSP} 123/tcp 123/udp"								#NTP - read note above
#SSP="${SSP} 135/tcp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp"		#Netbios - read note above
#SSP="${SSP} 370/udp 2432/udp 2433/udp"						#Coda: codaauth2 codasrv codasrv-se
#SSP="${SSP} 389/tcp"										#LDAP
#SSP="${SSP} 514/udp"										#syslog
#SSP="${SSP} 515/tcp"										#Printer/LPD
#SSP="${SSP} 2064/tcp"										#RC5DES
#SSP="${SSP} 3128/tcp 3130/udp"								#Squid
#SSP="${SSP} 4000/udp"										#ICQ
#SSP="${SSP} 7100/tcp"										#xfs
#SSP="${SSP} 8080/tcp"										#Novell Border Manager/FastCache (thanks to Eric Hart for this port number)
#SSP="${SSP} 8765/tcp"										#search.cnn.com's search web server.
#SSP="${SSP} 12343/tcp"										#stats.hitbox.com

#SCP="${SCP} "
#SCP="${SSP} 9/icmp"										#Router advertisement (probably should be both an SCP and SSP)
#SCP="${SCP} 161/udp 162/udp"								#SNMP
#SCP="${SCP} 98/tcp"										#Linuxconf

#You probably have a number of internal services to which the outside world
#should not connect.  List them here, space separated.  For the moment, these
#_must_ be number/protocol.  Ruleshell will block access to these coming from
#any interface associated with a 0.0.0.0 route.
#You can create your own or simply uncomment any lines you want to block.  
#Unlike the other operating parameters, Mason will not provide a default.
#Auth (113/tcp) is one you _might_ want to leave open (i.e., leave 
#_commented_ below).
#I've included protocols that generally have some security implication
#if open to the outside world.  You can use some, none, or all, and add 
#anything else you don't want the world to see.
#Uncommenting service W below only means that people from the outside 
#world can't get to your W servers; you can still make requests out to
#W servers on the Internet.  
#DNS, NTP, syslog and the Netbios protocols may use the same port number 
#for client and server.  Leave these lines commented if you want to make 
#outbound _client_ requests to these servers.
#You have the ability to block _entire_ protocols, such as tcp, udp, icmp, 
#gre, anything in /etc/protocols.  Most people should _not_ need to use 
#this.  In particular, you run a severe risk of violating a number of IP
#requirements by blocking all icmp packets.  Also, the only available 
#protocols for ipfwadm are tcp, udp, and icmp.
# Default: empty.

#NOINCOMING="${NOINCOMING} "	#put your favorites here...
#NOINCOMING="${NOINCOMING} 0/tcp 0/udp"						#Probably a good one to block
#NOINCOMING="${NOINCOMING} 7/tcp 7/udp"						#Echo
#NOINCOMING="${NOINCOMING} 8/icmp"							#Ping request
#NOINCOMING="${NOINCOMING} 15/tcp"							#Netstat
#NOINCOMING="${NOINCOMING} 20/tcp 21/tcp"					#FTP (FTP daemons can have buffer overflows)
#NOINCOMING="${NOINCOMING} 22/tcp"							#SSH
#NOINCOMING="${NOINCOMING} 22/udp 5631/tcp 5632/udp"		#PCAnywhere
#NOINCOMING="${NOINCOMING} 23/tcp"							#Telnet
#NOINCOMING="${NOINCOMING} 25/tcp"							#SMTP
#NOINCOMING="${NOINCOMING} 53/tcp 53/udp"					#DNS (tcp is for zone transfers; large requests too?) (BIND 53/tcp can have buffer overflows)
#NOINCOMING="${NOINCOMING} 67/udp"							#BOOTP Server
#NOINCOMING="${NOINCOMING} 69/udp"							#TFTP
#NOINCOMING="${NOINCOMING} 79/tcp"							#Finger
#NOINCOMING="${NOINCOMING} 80/tcp"							#Web (Many attacks
#NOINCOMING="${NOINCOMING} 87/tcp"							#link
#NOINCOMING="${NOINCOMING} 98/tcp"							#LinuxConf
#NOINCOMING="${NOINCOMING} 109/tcp 110/tcp 143/tcp"			#Pop & IMAP mail (QPOP and IMAP may have buffer overflows)
#NOINCOMING="${NOINCOMING} 111/tcp 111/udp"					#Sunrpc
#NOINCOMING="${NOINCOMING} 113/tcp"							#Auth (NOTE: if enabled here, this protocol will be REJECTed rather than DENY'd)
#NOINCOMING="${NOINCOMING} 119/tcp"							#NNTP / Usenet news
#NOINCOMING="${NOINCOMING} 123/tcp 123/udp"					#NTP
#NOINCOMING="${NOINCOMING} 135/tcp 137/tcp 137/udp 138/tcp 138/udp 139/tcp 139/udp"	#Netbios (137/udp and 139/tcp may be involved in attacks)
#NOINCOMING="${NOINCOMING} 161/udp 162/udp"					#SNMP
#NOINCOMING="${NOINCOMING} 177/tcp 177/udp"					#XDM X login (also used in GDM)
#NOINCOMING="${NOINCOMING} 443/tcp 563/tcp"					#Secure Web
#NOINCOMING="${NOINCOMING} 512:514/tcp"						#Rexec, Rlogin, Rsh
#NOINCOMING="${NOINCOMING} 512/udp"							#biff
#NOINCOMING="${NOINCOMING} 513/udp"							#who
#NOINCOMING="${NOINCOMING} 514/udp"							#syslog
#NOINCOMING="${NOINCOMING} 515/tcp"							#LPD
#NOINCOMING="${NOINCOMING} 520/udp"							#Route / RIP
#NOINCOMING="${NOINCOMING} 540/tcp"							#UUCP
#NOINCOMING="${NOINCOMING} 554/tcp 7070/tcp 7071/tcp"		#RealAudio control ports
#NOINCOMING="${NOINCOMING} 635/tcp 635/udp"					#NFS Mount
#NOINCOMING="${NOINCOMING} 901/tcp"							#Swat (samba configuration)
#NOINCOMING="${NOINCOMING} 1080/tcp"						#Socks
#NOINCOMING="${NOINCOMING} 1080/tcp 1080/udp 8080/tcp 8080/udp"	#WinGate
#NOINCOMING="${NOINCOMING} 1433/tcp 3306/tcp 5432/tcp"		#SQL (mssql, mysql, postgresql)
#NOINCOMING="${NOINCOMING} 2000:2010/tcp 6000:6010/tcp "	#X and Openwindows
#NOINCOMING="${NOINCOMING} 2049/udp 2049/tcp"				#NFS
#NOINCOMING="${NOINCOMING} 3128/tcp 3130/udp"				#Squid web cache
#NOINCOMING="${NOINCOMING} 5135/udp"						#SGI (only, probably) object server
#NOINCOMING="${NOINCOMING} 5232/tcp"						#SGI (only, probably) distributed graphics
#NOINCOMING="${NOINCOMING} 7100/tcp"						#xfs (X Font server)
#NOINCOMING="${NOINCOMING} 8080/tcp"						#Novell Border Manager/FastCache (thanks to Eric Hart for this port number)
#NOINCOMING="${NOINCOMING} 32771/tcp 32771/udp"				#Sun RPC High port
#NOINCOMING="${NOINCOMING} 33434:33524/udp"					#traceroute


#NOINCOMING="${NOINCOMING} /tcp"						#



#NOINCOMING="${NOINCOMING} gre"								#_all_ gre protocol packets - just an example

#Backdoors
#NOINCOMING="${NOINCOMING} 31/udp 456/udp"					#Hacker's Paradise Backdoor
#NOINCOMING="${NOINCOMING} 555/tcp 555/udp"					#iNi Killer/Phase Zero/Stealth Spy Backdoor
#NOINCOMING="${NOINCOMING} 666/udp"							#Satanz Backdoor
#NOINCOMING="${NOINCOMING} 1001/udp"						#Silencer, WebEX Backdoors
#NOINCOMING="${NOINCOMING} 1170/udp"						#Psyber Stream Backdoor
#NOINCOMING="${NOINCOMING} 1234/udp"						#Ultors Trojan Backdoor
#NOINCOMING="${NOINCOMING} 1243/tcp 6776/tcp 27374/tcp"				#SubSeven Backdoor
#NOINCOMING="${NOINCOMING} 1245/udp"						#VooDoo Doll Backdoor
#NOINCOMING="${NOINCOMING} 1492/udp"						#FTP99cmp Backdoor
#NOINCOMING="${NOINCOMING} 1524/tcp 27665/tcp 27444/udp 31335/udp"	#Trin00 (thanks to pmfirewall)
#NOINCOMING="${NOINCOMING} 1600/udp"						#Shivka-Burka
#NOINCOMING="${NOINCOMING} 1807/udp"						#Spy Sender Backdoor
#NOINCOMING="${NOINCOMING} 1981/udp"						#ShockRave
#NOINCOMING="${NOINCOMING} 1999/udp"						#Back Door Backdoor
#NOINCOMING="${NOINCOMING} 2001/udp"						#Trojan Cow Backdoor
#NOINCOMING="${NOINCOMING} 2023/udp"						#Ripper Pro Backdoor
#NOINCOMING="${NOINCOMING} 2115/udp"						#Bugs Backdoor
#NOINCOMING="${NOINCOMING} 2140/udp"						#Deep Throat, The Invasor Backdoor
#NOINCOMING="${NOINCOMING} 2565/udp"						#Striker Backdoor
#NOINCOMING="${NOINCOMING} 2801/udp"						#Phineas Phucker Backdoor.  Hey, I did _not_ name them.
#NOINCOMING="${NOINCOMING} 2989/udp"						#Rat backdoor
#NOINCOMING="${NOINCOMING} 3024/udp"						#WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 3150/udp"						#Deep Throat/Invasor Backdoor
#NOINCOMING="${NOINCOMING} 3700/udp"						#Portal Of Doom Backdoor
#NOINCOMING="${NOINCOMING} 4092/udp"						#WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 4950/udp"						#ICQ Trojan Backdoor
#NOINCOMING="${NOINCOMING} 5000/udp 5001/udp 50505/udp"		#Sockets De Troie Backdoor
#NOINCOMING="${NOINCOMING} 5321/udp"						#FireHotcker Backdoor
#NOINCOMING="${NOINCOMING} 5400:5402/udp"					#Blade Runner Backdoor
#NOINCOMING="${NOINCOMING} 5569/udp"						#Robo-Hack Backdoor
#NOINCOMING="${NOINCOMING} 5742/udp"						#WinCrash Backdoor
#NOINCOMING="${NOINCOMING} 6670/udp"						#Deep Throat Backdoor
#NOINCOMING="${NOINCOMING} 6711/udp"						#Deep Throat/SubSeven Backdoor
#NOINCOMING="${NOINCOMING} 6969/tcp"						#GateCrasher Backdoor
#NOINCOMING="${NOINCOMING} 7000/udp"						#Remote Grab Backdoor
#NOINCOMING="${NOINCOMING} 7300:7308/udp"					#Net Monitor Backdoor
#NOINCOMING="${NOINCOMING} 7789/udp"						#ICKiller Backdoor
#NOINCOMING="${NOINCOMING} 9872/udp 10067/udp 10167/udp"	#Portal Of Doom Backdoor
#NOINCOMING="${NOINCOMING} 10752/tcp"						#Linux mountd backdoor
#NOINCOMING="${NOINCOMING} 11223/udp"						#Progenic Trojan Backdoor
#NOINCOMING="${NOINCOMING} 12223/udp"						#Hack99-Keylogger Backdoor
#NOINCOMING="${NOINCOMING} 12345:12346/tcp"					#Netbus/GabanBus NT trojan/Backdoor	#udp too? (from pmfirewall)
#NOINCOMING="${NOINCOMING} 12361:12362/tcp"					#Whack-a-mole Backdoor
#NOINCOMING="${NOINCOMING} 16969/udp"						#Portal Of Doom/Priority Backdoor
#NOINCOMING="${NOINCOMING} 20000:20001/udp"					#Millenium Backdoor
#NOINCOMING="${NOINCOMING} 20034/udp"						#NetBus PRO Backdoor
#NOINCOMING="${NOINCOMING} 21544/udp 21554/tcp"				#Girlfriend Backdoor
#NOINCOMING="${NOINCOMING} 22222/udp"						#Prosiak Backdoor
#NOINCOMING="${NOINCOMING} 23456/tcp"						#EvilFTP Backdoor
#NOINCOMING="${NOINCOMING} 26274/udp"						#Delta Backdoor
#NOINCOMING="${NOINCOMING} 30100/tcp"						#NetSphere Backdoor
#NOINCOMING="${NOINCOMING} 30102/tcp"						#NetSphere FTP Backdoor
#NOINCOMING="${NOINCOMING} 31337/tcp"						#BIND Shell Backdoor
#NOINCOMING="${NOINCOMING} 31337:31338/udp"					#Back Orifice/Deep Back Orifice Backdoor
#NOINCOMING="${NOINCOMING} 31339/udp"						#NetSpy Backdoor
#NOINCOMING="${NOINCOMING} 31666/udp"						#BOWhack Backdoor
#NOINCOMING="${NOINCOMING} 28431/udp 31785/tcp 31787/tcp 31789/udp 31791/udp" #Hackattack, trojan
#NOINCOMING="${NOINCOMING} 33333/udp"						#Prosiak Backdoor
#NOINCOMING="${NOINCOMING} 34324/udp"						#Big Gluck/TelnetSrv Backdoor
#NOINCOMING="${NOINCOMING} 40412/udp"						#The Spy Backdoor
#NOINCOMING="${NOINCOMING} 40421:40423/udp 40426/udp"		#Masters Paradise Backdoor
#NOINCOMING="${NOINCOMING} 47262/udp"						#Delta Backdoor
#NOINCOMING="${NOINCOMING} 50776/udp"						#Fore Backdoor
#NOINCOMING="${NOINCOMING} 53001/udp"						#Remote Win Shutdown Backdoor
#NOINCOMING="${NOINCOMING} 61446/udp"						#TeleCommando Backdoor
#NOINCOMING="${NOINCOMING} 65000/udp"						#Devil

#Blackhole:
#If you want your machine to disappear - be basically undetectable from
#other hosts on the Internet - the following NOINCOMING and NOOUTGOING 
#lines  _might_ be a good starting point onto which you can add the 
#standard services you don't want to be seen.  All of the following 
#are listed above, this is just here for convenience.
#NOINCOMING="${NOINCOMING} 0/tcp 0/udp 7/tcp 7/udp 8/icmp 15/tcp 33434:33524/udp"
#NOOUTGOING="${NOOUTGOING} 0/icmp 3.0/icmp 3.1/icmp 3.2/icmp 3.3/icmp 3.5/icmp 3.6/icmp 3.7/icmp 3.8/icmp 3.9/icmp 3.10/icmp 3.11/icmp 3.12/icmp 3.13/icmp 3.14/icmp 3.15/icmp 9/icmp 11.0/icmp 11/icmp 18/icmp"

#NoTrojan:
#If you want all of the backdoors, uncomment the following line (all of the 
#following are listed above, this is just here for convenience): 
#NOINCOMING="${NOINCOMING} 31/udp 456/udp 555/tcp 555/udp 666/udp 1001/udp 1170/udp 1234/udp 1243/tcp 6776/tcp 1245/udp 1492/udp 1524/tcp 27665/tcp 27444/udp 31335/udp 1600/udp 1807/udp 1981/udp 1999/udp 2001/udp 2023/udp 2115/udp 2140/udp 2565/udp 2801/udp 2989/udp 3024/udp 3150/udp 3700/udp 4092/udp 4950/udp 5000/udp 5001/udp 50505/udp 5321/udp 5400:5402/udp 5569/udp 5742/udp 6670/udp 6711/udp 6969/tcp 7000/udp 7300:7308/udp 7789/udp 9872/udp 10067/udp 10167/udp 10752/tcp 11223/udp 12223/udp 12345:12346/tcp 12361:12362/tcp 16969/udp 20000:20001/udp 20034/udp 21544/udp 21554/tcp 22222/udp 23456/tcp 26274/udp 30100/tcp 30102/tcp 31337/tcp 31337:31338/udp 31339/udp 31666/udp 28431/udp 31785/tcp 31787/tcp 31789/udp 31791/udp 33333/udp 34324/udp 40412/udp 40421:40423/udp 40426/udp 47262/udp 50776/udp 53001/udp 61446/udp 65000/udp"


#You may also have a few protocols that you definitely want to
#stop from ever leaving your firewall.  For the moment, these
#can only be icmp_typecode/icmp or icmp_typecode.icmp_subcode/icmp .
#Not tcp, not udp, just icmp.  ipfwadm cannot handle icmp subcodes - don't use them.
#Uncommenting one of more of the following makes it harder for 
#someone to map your network - but not impossible.  Uncommenting
#them _may_ also contribute to delays in normal communications.
#NOOUTGOING="${NOOUTGOING} 0/icmp"							#Ping reply
#NOOUTGOING="${NOOUTGOING} 3.0/icmp"						#network-unreachable
#NOOUTGOING="${NOOUTGOING} 3.1/icmp"						#host-unreachable (This may also be used for path mtu discovery?)
#NOOUTGOING="${NOOUTGOING} 3.2/icmp"						#protocol-unreachable
#NOOUTGOING="${NOOUTGOING} 3.3/icmp"						#port-unreachable
#3.4/icmp (Fragmentation needed and DF set) is _not_ a good one to block - it screws up path MTU discovery.
#NOOUTGOING="${NOOUTGOING} 3.5/icmp"						#source-route-failed
#NOOUTGOING="${NOOUTGOING} 3.6/icmp"						#network-unknown
#NOOUTGOING="${NOOUTGOING} 3.7/icmp"						#host-unknown
#NOOUTGOING="${NOOUTGOING} 3.8/icmp"						#source-host-isolated
#NOOUTGOING="${NOOUTGOING} 3.9/icmp"						#network-prohibited
#NOOUTGOING="${NOOUTGOING} 3.10/icmp"						#host-prohibited
#NOOUTGOING="${NOOUTGOING} 3.11/icmp"						#TOS-network-unreachable
#NOOUTGOING="${NOOUTGOING} 3.12/icmp"						#TOS-host-unreachable
#NOOUTGOING="${NOOUTGOING} 3.13/icmp"						#communication-prohibited
#NOOUTGOING="${NOOUTGOING} 3.14/icmp"						#host-precedence-violation
#NOOUTGOING="${NOOUTGOING} 3.15/icmp"						#precedence-cutoff
#NOOUTGOING="${NOOUTGOING} 9/icmp"							#Router advertisement
#NOOUTGOING="${NOOUTGOING} 11.0/icmp 11/icmp"				#Time exceeded
#NOOUTGOING="${NOOUTGOING} 18/icmp"							#Address mask reply



#If you do not already have EDITOR set in your environment, you 
#can set it here.  If it's not set in either place, Mason
#will try to find mcedit, pico, vi, jove, nedit, and emacs in
#your path.
# Default: try to find some of the standard ones.
#EDITOR="/usr/bin/mcedit -c "		#I like mine in color :-)

#The number of characters to display on a line.  Leave enough space for a
#space at the end of the line.
# Default: 72
#LINELENGTH=72

#How should mason sort the newrulesfile?
# Default: PROTOCOL
#SORTMODE="NONE" - This isn't implemented right now, and you wouldn't want it.
#SORTMODE="PROTOCOL" #Group by protocol
#SORTMODE="PACKETCOUNTS" #Put rules with the largest number of packets up top.

#MINMARK
#Mason can add mark numbers to ipchains rules.  If you want to use
#the feature of adding packet counts to rules (for migrating the rules 
#with the highest counts upwards) this must be set to some positive number.  
#In order to make the mark values unique, Mason will raise this above any
#existing mark values.
# Default: do not set marks.
#MINMARK=32768

#When set to YES, Mason will generalize both the source and the 
#destination ports to 61000-65096, 1024-65535, or 0-1023, but only if the 
#packet is a tcp ack packet.  This basically eliminates the ack rules 
#by reducing them to just a few, rather than one for each protocol.
#My best understanding is that this generalization:
# - will reduce the number of rules in your firewall by about 30%.
# - will _probably_ _not_ increase the risk that someone can _make_ _a_
#_connection_ that they could not have made before.
# - _will_ increase the risk that someone can map your internal network 
#ports even if they can't make connections to them.
#Use at your own risk.  Default NO.
#GENERALIZETCPACK="YES"


#-----------------------------------------------------------
# Filenames
#-----------------------------------------------------------
#Location of runtime changeable files and configuration.
#Make sure you include the trailing slash.
# Default: "/var/lib/mason/"
MASONDIR="/var/lib/mason/"

#This is the configuration file mason uses.  It can be changed while
#Mason is running as long as the SIGUSR1 signal is sent to Mason afterwards.
#It's probably not a good idea to change the value of this variable on the fly.
#Setting this here is of dubious value - this is better set as a 
#shell environment variable before running mason.
# Default: /etc/masonrc
#MASONCONF="/etc/masonrc"

#The support library of routines used by mason and mason-gui-text
# Default: "/var/lib/mason/masonlib"
#MASONLIB="${MASONDIR}masonlib"


#This field replaces the original NETCACHE file.  
#Most people can leave this blank; if null, Mason populates it with the
#correct values.  If you need Mason to use different networks, perhaps 
#to run Mason on another machine, place triplets of the form 
#"network-broadcast/netmask" in this variable, separating them 
#with spaces.  "network/netmask", "network/numbits" and 
#"network-broadcast/numbits" are all legal:
#NETWORKS="172.16.0.0-172.16.255.255/255.255.0.0 192.168.11.0-192.168.11.255/255.255.255.0"
#NETWORKS="12.13.14.15/32 206.99.99.0/24 15.16.17.18/255.255.255.255 1.2.3.0-1.2.3.1/31"
#Please place the most specific entries _first_.  If you have certain machines
#or subnets that need to be treated specially, place them here.  If you 
#set this at all, make sure you include _all_ networks this machine needs 
#to recognize.
# Default: Mason automatically detects your existing network structure
#NETWORKS=""

#If you want Mason to add the networks known at run-time to any custom list
#of networks above, uncomment the following line:
#NETWORKS="${NETWORKS} RUNTIME.NETWORKS"

#BASERULEFILE="${MASONDIR}baserules"

#NEWRULEFILE="${MASONDIR}newrules"

#PACKETCOUNTFILE="${MASONDIR}packetcounts"

#All of the following are autodetected if not set.
#If you want to get an explicit listing of exactly what rules are used to 
#create the boot time firewall, try:
#IPCHAINSBIN="echo /sbin/ipchains"
#and run 
#/etc/rc.d/init.d/firewall start
#
#MASONEXE="/usr/bin/mason"
#MASONDECIDE="/var/lib/mason/mason-decide"
#IPFWADMBIN="/sbin/ipfwadm"
#IPCHAINSBIN="/sbin/ipchains"
#Note - ipnatctl is not used any more.
#IPNATCTLBIN="/usr/local/bin/ipnatctl"
#IPTABLESBIN="/usr/local/bin/iptables"

#MASONPIDFILE="/var/run/mason.pid"

#Default input file to tail.
#PACKETLOGFILE="/var/log/messages"

#Please note that the NAMECACHE, NETCACHE, and SERVICES fields are no longer used.

#-----------------------------------------------------------
# Low likelihood you'll need to change these
#-----------------------------------------------------------
# "ipchains" = actually run the ipchains command, "ipfwadm" = actually
# run the ipfwadm command, "none" = don't run either.  "none" is useful 
# if you're not running Mason as root or are running Mason on some machine 
# other than the actual operating firewall.  User can override either by 
# simply setting the environment variable ahead of time.
# Default: Autodetected to match running kernel.
#DOCOMMAND="ipchains"
#DOCOMMAND="ipfwadm"
#DOCOMMAND="none"

#What policy should we use for logging?  
# Default: same as NEWRULEPOLICY
#LOGGINGPOLICY="accept"
#LOGGINGPOLICY="reject"
#LOGGINGPOLICY="deny"

#The additional character added to the end of an ipchains chain name to
#indicate that it holds rules to block logging.
#Because of limitations on the length of rule names, NOLOGSUFFIX cannot
#be longer than 1 character.  Don't use any character that might be the 
#last character in a normal chain, like the "t" or "d" in inpu_t_, 
#outpu_t_, or forwar_d_.
# Default: "N"
#NOLOGSUFFIX="N"

# "YES" to debug, anything else = dont
# Default: NO
#DEBUG="NO"

#Ports used as the source port for masqueraded packets.
# Default: 61000:65096
#PORT_MASQ_BEGIN=61000
#PORT_MASQ_END=65096
#Ports used as the destination ports for traceroute packets.
# Default: 33434:33524
#TRACEROUTE_BEGIN=33434
#TRACEROUTE_END=33524		#Fine for up to 30 routers, 3 packets each, the default for traceroute.

#When ssh(d?) is run as root, the client port starts off at 1023 and 
#works its way down to (512?).  Mason handles this falling range 
#correctly, but this allows you to predeclare that you want to handle 
#up to 1024-LOWSSHPORT connections simultaneously. 
# Default: 1010, but it will keep dropping down as needed.
#LOWSSHPORT=1010

#Interfaces on which packets from untrusted systems can come _in_, 
#usually identical to the interfaces with a default route.  (That's
#how this is automatically set if you don't set it explicitly.)
#If you use diald, explicitly set this with _only_ the ppp 
#interface(s); packets never _arrive_ on the slx interface(s).
#You should only have to set this by hand if you use something 
#like diald, a cable modem, or a satellite link where you use 
#different interfaces for outgoing and incoming packets.
# Default: your default route interfaces.
#INCOMINGINTERFACES=""
#INCOMINGINTERFACES="ppp0"		#Single interface diald

#As above, these are the interfaces that actually carry packets 
#back to untrusted systems.
#You should only have to set this if you had to set the above.  It
#normally gets set from your routing table automatically too.
# Default: your default route interfaces.
#OUTGOINGINTERFACES=""
#OUTGOINGINTERFACES="ppp0"		#Single interface diald


#-----------------------------------------------------------
# To be implemented
#-----------------------------------------------------------

#Needs some more testing, but feel free to try it out.
#Note: this only works when DOCOMMAND=ipchains, and will
#cause severe network problems if _any_ networks or IP's 
#in your routing table overlap, but point at different interfaces 
#(overlapping routes that point at the _same_ interface are not a 
#problem). This is almost certainly the case if you use proxyarp 
#and may show up in other network setups as well.  It's probably
#not a good idea to enable this if you have any non-default 
#routes where packets go out one interface and come back on 
#another (_default_ routes like this are ok).
# Default: NO if there are overlapping routes, YES if there aren't.
#SPOOFBLOCKS="YES"

#Future: allow non-verbose operation?  Not used as of 0.13.0.
# Default: YES
#VERBOSE="YES"

#Not tested yet, but give it a try if you want all packets 
#from blocked protocols or hosts to be logged.  You should not
#enable this during the learning process - wait until after.
#LOGBLOCKS="-l"

#POISONPROTOCOLS=""	#treat these as blockedhost machines from now on and append 
#to masonrc as BLOCKEDHOSTS... :-)  Hmmm.... 

##SYSTEMRULEFILE="${MASONDIR}systemrules"


#-----------------------------------------------------------
# Deprecated
#-----------------------------------------------------------
##Note - NAMECACHE support has been disabled.
##THIS SECTION WILL BE DELETED.
##NAMECACHE _could_ be /etc/hosts, but this was really intended to be a
##local cache for Mason only.  This really should be in some directory like
##/var/lib/mason.
##NAMECACHE="${MASONDIR}morehosts"

##Note - Mason no longer supports additional services files.  You need to 
##make sure /etc/services holds all your protocols.
##THIS SECTION WILL BE DELETED.
##These files, in /etc/services format, hold additional ports that may 
##not be defined in the stock /etc/services.  If you would prefer to 
##use just the services in your own /etc/services, uncomment the 
##first line.  Your /etc/services entries always take precedence over 
##any entries in moreservices.  If you choose not to use the moreservices 
##file, make _sure_ your /etc/services has _all_ the protocols you might 
##use.  ssh, portmapper, nfs, and nfs mount services are especially 
##crucial.  Default is just /etc/services.
##SERVICES="/etc/services"
##SERVICES="/etc/services ${MASONDIR}nmap-services ${MASONDIR}moreservices"

##Obsoleted - do not use any more.  If you have made any manual changes to
##this file, please transfer the contents to the NETWORKS variable below.
##NETCACHE="${MASONDIR}netconvert"


#Copyleft:
#    Mason interactively creates a Linux packet filtering firewall.
#    Copyright (C) 1998-2000 William Stearns <wstearns@pobox.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
#    The author can also be reached at:
#        William Stearns
#email:  wstearns@pobox.com              (preferred)
#web:    http://www.stearns.org/mason/
#snail:  6 Manchester Dr.
#        Lebanon NH, 03766