SHOREWALL-SECMARKS(5)          Configuration Files          SHOREWALL-SECMARKS(5)

NAME
       secmarks - Shorewall file

SYNOPSIS
       /etc/shorewall[6]/secmarks

DESCRIPTION
       Important

       Unlike rules in the shorewall-rules[1](5) file, evaluation of rules in
       this file will continue after a match. So the final secmark for each
       packet will be the one assigned by the LAST rule that matches.

       The secmarks file is used to associate an SELinux context with packets.
       It was added in Shorewall version 4.4.13.

       The columns in the file are as follows (where the column name is
       followed by a different name in parentheses, the different name is used
       in the alternate specification syntax).

       SECMARK - {SAVE|RESTORE|context|?COMMENT comment}

           SAVE
               If an SELinux context is associated with the packet, the
               context is saved in the connection. Normally, the remaining
               columns should be left blank.

           RESTORE
               If an SELinux context is not currently associated with the
               packet, then the saved context (if any) is associated with the
               packet. Normally, the remaining columns should be left blank.

           context
               An SELinux context.

           ?COMMENT
               The remainder of the line is treated as a comment which is
               attached to subsequent rules until another ?COMMENT line is
               found or until the end of the file is reached. To stop adding
               comments to rules, use a line with only the word ?COMMENT.

       CHAIN - {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI|E|ER}]
           This column determines the CHAIN where the SELinux context is to be
           applied:

               P - PREROUTING
               I - INPUT
               F - FORWARD
               O - OUTPUT
               T - POSTROUTING

           It may be optionally followed by a colon and an indication of the
           Netfilter connection state(s) at which the context is to be
           applied:

               :N  - NEW connection
               :I  - INVALID connection
               :NI - NEW or INVALID connection
               :E  - ESTABLISHED connection
               :ER - ESTABLISHED or RELATED connection

           Beginning with Shorewall 4.5.10, the following additional options
           are available:

               :U   - UNTRACKED connection
               :IU  - INVALID or UNTRACKED connection
               :NU  - NEW or UNTRACKED connection
               :NIU - NEW, INVALID or UNTRACKED connection

           This column was formerly labelled CHAIN:STATE.

       SOURCE -
       {-|interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
           May be:

           1. An interface name - matches traffic entering the firewall on
              the specified interface. May not be used in classify rules or
              in rules using the T in the CHAIN column.

           2. A comma-separated list of host or network IP addresses or MAC
              addresses.

           3. An interface name followed by a colon (":") followed by a
              comma-separated list of host or network IP addresses or MAC
              addresses.

           MAC addresses must be prefixed with "~" and use "-" as a separator.

           Example: ~00-A0-C9-15-39-78

           You may exclude certain hosts from the set already defined through
           use of an exclusion (see shorewall-exclusion[2](5)).

           Addresses may be specified using an ipset name preceded by '+'.

       DEST -
       {-|interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
           May be:

           1. An interface name. May not be used in the PREROUTING or INPUT
              chains. The interface name may be optionally followed by a
              colon (":") and an IP address list.

           2. A comma-separated list of host or network IP addresses. The
              list may include IP address ranges if your kernel and iptables
              include iprange support.

           You may exclude certain hosts from the set already defined through
           use of an exclusion (see shorewall-exclusion[2](5)).

           Addresses may be specified using an ipset name preceded by '+'.

       PROTO -
       {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]
           See shorewall-rules(5)[3] for details.

           Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.

       DPORT - [-|port-name-number-or-range[,port-name-number-or-range]...]
           Optional destination port(s). A comma-separated list of port names
           (from services(5)), port numbers or port ranges; if the protocol is
           icmp, this column is interpreted as the destination icmp-type(s).
           ICMP types may be specified as a numeric type, a numeric type and
           code separated by a slash (e.g., 3/4), or a typename. See
           http://www.shorewall.net/configuration_file_basics.htm#ICMP[4].

           If the protocol is ipp2p, this column is interpreted as an ipp2p
           option without the leading "--" (for example, bit for bit-torrent).
           If no PORT is given, ipp2p is assumed.

           This column is ignored if PROTOCOL = all but must be entered if any
           of the following fields is supplied. In that case, it is suggested
           that this field contain "-".

           This column was formerly labelled DEST PORT(S).

       SPORT - [-|port-name-number-or-range[,port-name-number-or-range]...]
           Optional source port(s). If omitted, any source port is acceptable.
           Specified as a comma-separated list of port names, port numbers or
           port ranges.

           This column was formerly labelled SOURCE PORT(S).

       USER - [!][user-name-or-number][:group-name-or-number]
           This optional column may only be non-empty if the SOURCE is the
           firewall itself.

           When this column is non-empty, the rule applies only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

               joe
                   program must be run by joe

               :kids
                   program must be run by a member of the 'kids' group

               !:kids
                   program must not be run by a member of the 'kids' group

       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.

EXAMPLE
       Mark the first incoming packet of a connection on the loopback
       interface and destined for address 127.0.0.1 and tcp port 3306 with
       context system_u:object_r:mysqld_t:s0 and save that context in the
       conntrack table. On subsequent input packets in the connection, set the
       context from the conntrack table.

       /etc/shorewall/interfaces:

           #ZONE   INTERFACE   BROADCAST   OPTIONS
           -       lo          -           ignore

       /etc/shorewall/secmarks:

           #SECMARK                             CHAIN SOURCE DEST      PROTO DPORT SPORT USER MARK
           system_u:object_r:mysqld_packet_t:s0 I:N   lo     127.0.0.1 tcp   3306
           SAVE                                 I:N   lo     127.0.0.1 tcp   3306
           RESTORE                              I:ER

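       The two behaviours this page relies on, evaluation continuing past a
       match so that the LAST matching rule decides the context, and SAVE /
       RESTORE moving the context between packet and connection, can be
       checked with the simulator below. It is an added example written for
       this page, not Shorewall's own parser and not the iptables rules
       Shorewall generates. It assumes a deliberately reduced matcher (SOURCE
       is treated only as an interface name, DEST only as a single address,
       SPORT/USER/MARK are ignored) and models the conntrack entry as a plain
       dict; the contexts first_t/second_t and the eth0 / 10.0.0.1 packet are
       constructed for the demonstration and do not come from the page.

```python
# Added example for this page: a small simulator of how a secmarks file is
# evaluated. Not Shorewall code; it honours only SECMARK, CHAIN[:STATE],
# SOURCE (interface), DEST (one address), PROTO and DPORT.
from dataclasses import dataclass
from typing import Optional

# CHAIN:STATE suffixes from the man page, mapped to the Netfilter states they cover.
STATES = {"N": {"NEW"}, "I": {"INVALID"}, "U": {"UNTRACKED"},
          "IU": {"INVALID", "UNTRACKED"}, "NI": {"NEW", "INVALID"},
          "NU": {"NEW", "UNTRACKED"}, "NIU": {"NEW", "INVALID", "UNTRACKED"},
          "E": {"ESTABLISHED"}, "ER": {"ESTABLISHED", "RELATED"}}

@dataclass
class Rule:
    secmark: str           # SAVE, RESTORE or an SELinux context
    chain: str             # one of P I F O T
    states: Optional[set]  # None means any connection state
    source: str            # interface name or "-" (simplification of the real column)
    dest: str              # destination address or "-"
    proto: str
    dport: str

@dataclass
class Packet:
    chain: str
    state: str
    in_iface: str = "-"
    dst: str = "-"
    proto: str = "-"
    dport: int = 0
    secmark: Optional[str] = None  # context currently attached to the packet

def parse_secmarks(text):
    """Parse secmarks lines; '#' comments and ?COMMENT directives are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?COMMENT"):
            continue
        cols = line.split()
        cols += ["-"] * (9 - len(cols))  # omitted trailing columns mean "any"
        chain, _, state = cols[1].partition(":")
        if len(chain) != 1 or chain not in "PIFOT":
            raise ValueError(f"bad CHAIN in line: {raw!r}")
        if state and state not in STATES:
            raise ValueError(f"bad STATE {state!r} in line: {raw!r}")
        rules.append(Rule(cols[0], chain, STATES[state] if state else None,
                          cols[2], cols[3], cols[4], cols[5]))
    return rules

def matches(rule, pkt):
    """Field-by-field match; '-' in a rule column matches anything."""
    if rule.chain != pkt.chain or (rule.states is not None and pkt.state not in rule.states):
        return False
    return (rule.source in ("-", pkt.in_iface) and rule.dest in ("-", pkt.dst)
            and rule.proto in ("-", pkt.proto) and rule.dport in ("-", str(pkt.dport)))

def evaluate(rules, pkt, conntrack):
    """Apply every matching rule in order: evaluation does not stop at the first
    match, so a context assigned by a later rule replaces an earlier one."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.secmark == "SAVE":
            if pkt.secmark is not None:
                conntrack["secmark"] = pkt.secmark  # packet context -> connection
        elif rule.secmark == "RESTORE":
            if pkt.secmark is None and "secmark" in conntrack:
                pkt.secmark = conntrack["secmark"]  # connection context -> packet
        else:
            pkt.secmark = rule.secmark  # last matching rule wins
    return pkt.secmark

# The man page's own example, reproduced as input for the simulator.
MYSQL_SECMARKS = """\
#SECMARK                             CHAIN SOURCE DEST      PROTO DPORT
system_u:object_r:mysqld_packet_t:s0 I:N   lo     127.0.0.1 tcp   3306
SAVE                                 I:N   lo     127.0.0.1 tcp   3306
RESTORE                              I:ER
"""

# Constructed contexts (not from the page) showing that the LAST match wins.
LAST_WINS_SECMARKS = """\
system_u:object_r:first_t:s0   I:N   -   -   tcp   3306
system_u:object_r:second_t:s0  I:N
"""

def demo_mysql_connection():
    """First NEW packet is labelled and saved; a later ESTABLISHED packet is restored."""
    rules, ct = parse_secmarks(MYSQL_SECMARKS), {}
    first = Packet("I", "NEW", "lo", "127.0.0.1", "tcp", 3306)
    later = Packet("I", "ESTABLISHED", "lo", "127.0.0.1", "tcp", 3306)
    return evaluate(rules, first, ct), evaluate(rules, later, ct), ct.get("secmark")

def demo_last_match_wins():
    # Both rules match this constructed packet; the second rule supplies the context.
    pkt = Packet("I", "NEW", "eth0", "10.0.0.1", "tcp", 3306)
    return evaluate(parse_secmarks(LAST_WINS_SECMARKS), pkt, {})
```

       Running demo_mysql_connection() returns the mysqld_packet_t context
       three times: once set directly on the NEW packet, once restored onto
       the ESTABLISHED packet, and once as the value held in the simulated
       conntrack entry. An ESTABLISHED packet evaluated against an empty
       conntrack entry gets no context, which is why the SAVE rule must sit
       on the same NEW-state match as the rule that assigns the context.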
FILES
       /etc/shorewall/secmarks

       /etc/shorewall6/secmarks

SEE ALSO
       http://james-morris.livejournal.com/11010.html

       http://www.shorewall.net/configuration_file_basics.htm#Pairs[5]

       shorewall(8)

NOTES
        1. shorewall-rules
           http://www.shorewall.net/manpages/shorewall-rules.html

        2. shorewall-exclusion
           http://www.shorewall.net/manpages/shorewall-exclusion.html

        3. shorewall-rules(5)
           http://www.shorewall.netshorewall-rules.html

        4. http://www.shorewall.net/configuration_file_basics.htm#ICMP
           http://www.shorewall.net/configuration_file_basics.htm#ICMP

        5. http://www.shorewall.net/configuration_file_basics.htm#Pairs
           http://www.shorewall.net/configuration_file_basics.htm#Pairs

Configuration Files               08/05/2018               SHOREWALL-SECMARKS(5)