SHOREWALL6-SECMARKS(5)                                  SHOREWALL6-SECMARKS(5)

NAME
       secmarks - Shorewall6 file

SYNOPSIS
       /etc/shorewall6/secmarks

DESCRIPTION
       Important
       Unlike rules in the shorewall6-rules[1](5) file, evaluation of
       rules in this file will continue after a match. So the final
       secmark for each packet will be the one assigned by the LAST rule
       that matches.

       The secmarks file is used to associate an SELinux context with packets.
       It was added in Shorewall6 version 4.4.13.

       The columns in the file are as follows.

       SECMARK - {SAVE|RESTORE|context|COMMENT comment}

           SAVE
               If an SELinux context is associated with the packet, the
               context is saved in the connection. Normally, the remaining
               columns should be left blank.

           RESTORE
               If an SELinux context is not currently associated with the
               packet, then the saved context (if any) is associated with the
               packet. Normally, the remaining columns should be left blank.

           context
               An SELinux context.

           COMMENT
               The remainder of the line is treated as a comment which is
               attached to subsequent rules until another COMMENT line is
               found or until the end of the file is reached. To stop adding
               comments to rules, use a line with only the word COMMENT.

       CHAIN - {P|I|F|O|T}[:{N|I|NI|E|ER}]
           P - PREROUTING
           I - INPUT
           F - FORWARD
           O - OUTPUT
           T - POSTROUTING

           It may be optionally followed by a colon and an indication of the
           Netfilter connection state(s) at which the context is to be
           applied:
           :N  - NEW connection
           :I  - INVALID connection
           :NI - NEW or INVALID connection
           :E  - ESTABLISHED connection
           :ER - ESTABLISHED or RELATED connection

       SOURCE -
       {-|interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
           May be:

           1. An interface name - matches traffic entering the firewall on
              the specified interface. May not be used in classify rules or
              in rules using the T in the CHAIN column.

           2. A comma-separated list of host or network IP addresses or MAC
              addresses.

           3. An interface name followed by a colon (":") followed by a
              comma-separated list of host or network IP addresses or MAC
              addresses.

           MAC addresses must be prefixed with "~" and use "-" as a separator.

           Example: ~00-A0-C9-15-39-78

           You may exclude certain hosts from the set already defined through
           use of an exclusion (see shorewall6-exclusion[2](5)).

       DEST -
       {-|interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
           May be:

           1. An interface name. May not be used in the PREROUTING or INPUT
              chains. The interface name may be optionally followed by a
              colon (":") and an IP address list.

           2. A comma-separated list of host or network IP addresses. The
              list may include ip address ranges if your kernel and iptables
              include iprange support.

           You may exclude certain hosts from the set already defined through
           use of an exclusion (see shorewall6-exclusion[3](5)).

       PROTO -
       {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
           Protocol - ipp2p requires ipp2p match support in your kernel and
           iptables.

       PORT(S) (Optional) -
       [-|port-name-number-or-range[,port-name-number-or-range]...]
           Destination Ports. A comma-separated list of Port names (from
           services(5)), port numbers or port ranges; if the protocol is icmp,
           this column is interpreted as the destination icmp-type(s). ICMP
           types may be specified as a numeric type, a numeric type and code
           separated by a slash (e.g., 3/4), or a typename. See
           http://www.shorewall.net/configuration_file_basics.htm#ICMP.

           If the protocol is ipp2p, this column is interpreted as an ipp2p
           option without the leading "--" (example bit for bit-torrent). If
           no PORT is given, ipp2p is assumed.

           This column is ignored if PROTOCOL = all but must be entered if any
           of the following fields is supplied. In that case, it is suggested
           that this field contain "-".

       SOURCE PORT(S) (Optional) -
       [-|port-name-number-or-range[,port-name-number-or-range]...]
           Source port(s). If omitted, any source port is acceptable.
           Specified as a comma-separated list of port names, port numbers or
           port ranges.

       USER (Optional) - [!][user-name-or-number][:group-name-or-number]
           This column may only be non-empty if the SOURCE is the firewall
           itself.

           When this column is non-empty, the rule applies only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.

EXAMPLE
       Mark the first incoming packet of a connection on the loopback
       interface and destined for address ::1 and tcp port 3306 with context
       system_u:object_r:mysqld_t:s0 and save that context in the conntrack
       table. On subsequent input packets in the connection, set the context
       from the conntrack table.

       /etc/shorewall6/interfaces:

           #ZONE   INTERFACE   BROADCAST   OPTIONS
           -       lo          -           ignore

       /etc/shorewall6/secmarks:

           #SECMARK                              CHAIN:  SOURCE  DEST  PROTO  DEST     SOURCE   USER/  MARK
           #                                     STATE                        PORT(S)  PORT(S)  GROUP
           system_u:object_r:mysqld_packet_t:s0  I:N     lo      ::1   tcp    3306
           SAVE                                  I:N
           RESTORE                               I:ER
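       The example above relies on two behaviours that are easy to get
       wrong when reading the file: rules are not first-match (the LAST
       matching rule decides the context), and SAVE/RESTORE interact with
       the conntrack entry rather than with the packet alone. The following
       helper is an added example and is not part of Shorewall; it lints the
       nine documented columns (CHAIN and MARK syntax, the "normally blank"
       caveat for SAVE/RESTORE) and replays a described packet through every
       rule in order. It assumes numeric ports, IPv6 host or CIDR addresses,
       and a packet dictionary whose keys (chain, state, in, out, src, dst,
       proto, dport, sport, mark, connmark) are this example's own
       convention; exclusions, MAC addresses, ipp2p and the USER column are
       accepted but not matched, and no ip6tables rules are generated.

```python
"""Added example, not Shorewall code: lint a Shorewall6 secmarks file and
replay packets through it. Every rule is evaluated, so the context set by the
LAST matching rule wins. Assumptions: numeric ports; SOURCE/DEST hold "-", an
interface, IPv6 hosts/CIDRs, or iface:addrs; exclusions, MAC addresses, ipp2p
and the USER column are accepted but not matched."""
import ipaddress
import re

COLUMNS = ("SECMARK", "CHAIN", "SOURCE", "DEST", "PROTO",
           "DPORT", "SPORT", "USER", "MARK")
CHAIN_RE = re.compile(r"^(?P<chain>[PIFOT])(?::(?P<state>NI|N|I|ER|E))?$")
MARK_RE = re.compile(r"^!?(0x[0-9a-fA-F]+|\d+)(/(0x[0-9a-fA-F]+|\d+))?(:C)?$")
# Conntrack states selected by the optional CHAIN suffix (None = any state).
STATES = {None: None, "N": {"NEW"}, "I": {"INVALID"}, "NI": {"NEW", "INVALID"},
          "E": {"ESTABLISHED"}, "ER": {"ESTABLISHED", "RELATED"}}

def parse_secmarks(text):
    """Return (rules, warnings); raise ValueError on a syntax error."""
    rules, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "COMMENT":   # blank, #comment or COMMENT
            continue
        # Omitted trailing columns behave like "-": no test on that column.
        rule = dict(zip(COLUMNS, fields + ["-"] * (len(COLUMNS) - len(fields))))
        if not CHAIN_RE.match(rule["CHAIN"]):
            raise ValueError(f"line {lineno}: bad CHAIN {rule['CHAIN']!r}")
        if rule["MARK"] != "-" and not MARK_RE.match(rule["MARK"]):
            raise ValueError(f"line {lineno}: bad MARK {rule['MARK']!r}")
        if rule["SECMARK"] in ("SAVE", "RESTORE") and any(
                rule[c] != "-" for c in COLUMNS[2:]):
            warnings.append(f"line {lineno}: {rule['SECMARK']} normally leaves "
                            "the columns after CHAIN blank")
        rules.append(rule)
    return rules, warnings

def _host_matches(spec, iface, addr):
    """SOURCE/DEST column: '-', an interface, addresses, or iface:addresses."""
    if spec == "-":
        return True
    want_iface, addrs = None, spec
    try:
        nets = [ipaddress.ip_network(a, strict=False) for a in addrs.split(",")]
    except ValueError:              # not a bare address list: interface prefix
        want_iface, _, addrs = spec.partition(":")
        nets = [ipaddress.ip_network(a, strict=False)
                for a in addrs.split(",")] if addrs else []
    if want_iface is not None and want_iface != iface:
        return False
    return not nets or any(ipaddress.ip_address(addr) in n for n in nets)

def _port_matches(spec, port):
    """PORT(S) column: '-' or a comma list of numbers and lo:hi ranges."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _mark_matches(spec, packet):
    """MARK column [!]value[/mask][:C], tested against packet or conn mark."""
    if spec == "-":
        return True
    m = MARK_RE.match(spec)
    value = int(m.group(1), 0)
    mask = int(m.group(3), 0) if m.group(3) else 0xffffffff
    have = packet.get("connmark" if m.group(4) else "mark", 0)
    return ((have & mask) == value) != spec.startswith("!")

def evaluate(rules, packet, conn_ctx=None):
    """Run one packet through ALL rules; return (packet_ctx, saved_conn_ctx)."""
    pkt_ctx = packet.get("ctx")
    for r in rules:
        m = CHAIN_RE.match(r["CHAIN"])
        states = STATES[m.group("state")]
        if (m.group("chain") != packet["chain"]
                or (states is not None and packet["state"] not in states)
                or not _host_matches(r["SOURCE"], packet.get("in"), packet["src"])
                or not _host_matches(r["DEST"], packet.get("out"), packet["dst"])
                or r["PROTO"] not in ("-", "all", packet["proto"])
                or not _port_matches(r["DPORT"], packet.get("dport", 0))
                or not _port_matches(r["SPORT"], packet.get("sport", 0))
                or not _mark_matches(r["MARK"], packet)):
            continue
        if r["SECMARK"] == "SAVE":          # copy packet context into conntrack
            conn_ctx = pkt_ctx if pkt_ctx is not None else conn_ctx
        elif r["SECMARK"] == "RESTORE":     # only if the packet has none yet
            pkt_ctx = conn_ctx if pkt_ctx is None else pkt_ctx
        else:                               # a later match overrides this
            pkt_ctx = r["SECMARK"]
    return pkt_ctx, conn_ctx

# The man page's own example, used as the sample input.
SAMPLE = """\
#SECMARK                              CHAIN:  SOURCE  DEST  PROTO  DEST     SOURCE   USER/  MARK
#                                     STATE                        PORT(S)  PORT(S)  GROUP
system_u:object_r:mysqld_packet_t:s0  I:N     lo      ::1   tcp    3306
SAVE                                  I:N
RESTORE                               I:ER
"""
```

       Replaying the NEW packet from the example through parse_secmarks(SAMPLE)
       yields the mysqld context on both the packet and the saved connection;
       replaying an ESTABLISHED packet with that saved context restores it via
       the RESTORE rule, and a packet to another port is left untouched. A
       file such as "first_t I" followed by "second_t I:N" shows the ordering
       rule: a NEW INPUT packet ends with second_t, not first_t.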

FILES
       /etc/shorewall6/secmarks

SEE ALSO
       http://james-morris.livejournal.com/11010.html

       shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
       shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
       shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
       shorewall6-route_rules(5), shorewall6-routestopped(5),
       shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
       shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
       shorewall6-tunnels(5), shorewall6-zones(5)

NOTES
       1. shorewall6-rules
          http://www.shorewall.net/manpages6/shorewall6-rules.html

       2. shorewall6-exclusion
          http://www.shorewall.net/manpages6/shorewall6-exclusion.html

       3. shorewall6-exclusion
          http://www.shorewall.net/manpages6/shorewall-exclusion.html

                                  09/16/2011              SHOREWALL6-SECMARKS(5)