mason 1.0.0-12.3 / usr / share / doc / mason / mason-5.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>The Mason HOWTO: Configuring Mason</TITLE>
 <LINK HREF="mason-6.html" REL=next>
 <LINK HREF="mason-4.html" REL=previous>
 <LINK HREF="mason.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="mason-6.html"><IMG SRC="next.gif" ALT="Next"></A>
<A HREF="mason-4.html"><IMG SRC="prev.gif" ALT="Previous"></A>
<A HREF="mason.html#toc5"><IMG SRC="toc.gif" ALT="Contents"></A>
<HR>
<H2><A NAME="s5">5. Configuring Mason</A></H2>

<P>     Most of the configuration is set via environment variables.  For
permanent changes, try 
<HR>
<PRE>
export VARIABLE=value
</PRE>
<HR>
<P>For one time settings, just put the variables on the command line just
before calling the program.  For example:
<HR>
<PRE>
tail -f --lines=0 /var/log/messages | ECHOCOMMAND=ipchains mason
</PRE>
<HR>
<P>If you set a variable both on the command line and in /etc/masonrc, 
be warned that /etc/masonrc wins.
<P>
<UL>
<LI>ECHOCOMMAND=ipchains|ipfwadm|none #Autodetected if unset or invalid

<P>     Which kind of command should Mason display?  This does _not_
have to match the firewalling in the current kernel; this lets you
create an ipfwadm firewall ruleset on an ipchains kernel and vice-versa. 
(Remember that iptables can't take part in this cross-creation.)
<P>The following two commands will spit out an ipfwadm firewall and
an ipchains firewall, respectively, from the same input:
cat /var/log/messages | grep ' L=' | ECHOCOMMAND=ipfwadm mason >ipfwadm-wall
cat /var/log/messages | grep ' L=' | ECHOCOMMAND=ipchains mason >ipchains-wall
<P>Both kinds of firewall log entries have L= in them; this is a
reasonably good filter to keep Mason from having to process _all_ the junk
entries.
<P>
</LI>
<LI>DOCOMMAND=ipchains|ipfwadm|none  #Autodetected if unset or invalid

<P>     Which kind of command should Mason run to prevent that type of
traffic from being logged in the future?  Set to none if you're processing
the log entries later, or on another machine.
<P>Unless you're forcing it to "none", probably best to let Mason
autodetect.
<P>
</LI>
<LI>HEARTBEAT=yes|no

If yes, mason displays a "." or "-" when it processes an input
line that has been handled by one of the recently implemented rules.  The
heartbeat character is sent to stderr so it doesn't screw up logging to a
file or piping to some other program.
</LI>
<LI>DYNIF="ppp0 sl0"

If your machine has interfaces whose entries change IP address,
put the interface name(s) in quotes, separated by spaces.  Mason will
handle these interfaces specially by handing you a line that will
assign that interfaces IP address to an environment variable when
executed, and uses that variable throughout the ruleset.

If your Ethernet IP address is assigned via DHCP, BOOTP, or RARP,
_and_ _changes_ from time to time, you might even want to put your
Ethernet interface name(s) in the list.  If the addresses are assigned via
one of those tools, but _never_ _change_ (those protocols are supposed to
try to give you the same address you had last time if at all possible),
don't put the Ethernet interface(s) in there.

Make sure you re-run your firewall ruleset (or at least the rules
with dynamic IP entries) when the address changes.  For ppp interfaces,
restart your firewall inside /etc/ppp/ip-up.  I think DHCP has a similar
ability to run commands when the address changes; consult the DHCP
documentation.
</LI>
</UL>
<P>The main documentation for all the configurable fields is 
conveniently in /etc/masonrc .
<P>
<HR>
<A HREF="mason-6.html"><IMG SRC="next.gif" ALT="Next"></A>
<A HREF="mason-4.html"><IMG SRC="prev.gif" ALT="Previous"></A>
<A HREF="mason.html#toc5"><IMG SRC="toc.gif" ALT="Contents"></A>
</BODY>
</HTML>