SHOREWALL-SECMARKS(5)         Configuration Files        SHOREWALL-SECMARKS(5)

NAME

       secmarks - Shorewall file


SYNOPSIS

       /etc/shorewall[6]/secmarks


DESCRIPTION

           Important
           Unlike rules in the shorewall-rules[1](5) file, evaluation of rules
           in this file will continue after a match. So the final secmark for
           each packet will be the one assigned by the LAST rule that matches.

       The secmarks file is used to associate an SELinux context with packets.
       It was added in Shorewall version 4.4.13.

       The columns in the file are as follows (where the column name is
       followed by a different name in parentheses, the different name is used
       in the alternate specification syntax).

       SECMARK - {SAVE|RESTORE|context|?COMMENT comment}

           SAVE
               If an SELinux context is associated with the packet, the
               context is saved in the connection. Normally, the remaining
               columns should be left blank.

           RESTORE
               If an SELinux context is not currently associated with the
               packet, then the saved context (if any) is associated with the
               packet. Normally, the remaining columns should be left blank.

           context
               An SELinux context.

           ?COMMENT
               The remainder of the line is treated as a comment which is
               attached to subsequent rules until another ?COMMENT line is
               found or until the end of the file is reached. To stop adding
               comments to rules, use a line with only the word ?COMMENT.

       CHAIN - {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|E|ER}]
           This column determines the CHAIN where the SELinux context is to be
           applied:
               P - PREROUTING
               I - INPUT
               F - FORWARD
               O - OUTPUT
               T - POSTROUTING
           It may be optionally followed by a colon and an indication of the
           Netfilter connection state(s) at which the context is to be
           applied:
               :N - NEW connection
               :I - INVALID connection
               :NI - NEW or INVALID connection
               :E - ESTABLISHED connection
               :ER - ESTABLISHED or RELATED connection
           Beginning with Shorewall 4.5.10, the following additional options
           are available:
               :U - UNTRACKED connection
               :IU - INVALID or UNTRACKED connection
               :NU - NEW or UNTRACKED connection
               :NIU - NEW, INVALID or UNTRACKED connection
           This column was formerly labelled CHAIN:STATE.

       SOURCE -
       {-|interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
           May be:

            1. An interface name - matches traffic entering the firewall on
               the specified interface. May not be used in classify rules or
               in rules with T in the CHAIN column.

            2. A comma-separated list of host or network IP addresses or MAC
               addresses.

            3. An interface name followed by a colon (":") followed by a
               comma-separated list of host or network IP addresses or MAC
               addresses.

           MAC addresses must be prefixed with "~" and use "-" as a separator.

           Example: ~00-A0-C9-15-39-78

           You may exclude certain hosts from the set already defined through
           use of an exclusion (see shorewall-exclusion[2](5)).

           Addresses may be specified using an ipset name preceded by '+'.

       DEST -
       {-|interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
           May be:

            1. An interface name. May not be used in the PREROUTING or INPUT
               chains. The interface name may be optionally followed by a
               colon (":") and an IP address list.

            2. A comma-separated list of host or network IP addresses. The
               list may include IP address ranges if your kernel and iptables
               include iprange support.

           You may exclude certain hosts from the set already defined through
           use of an exclusion (see shorewall-exclusion[2](5)).

           Addresses may be specified using an ipset name preceded by '+'.

       PROTO -
       {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]
           See shorewall-rules(5)[1] for details.

           Beginning with Shorewall 4.5.12, this column can accept a
           comma-separated list of protocols.

       DPORT - [-|port-name-number-or-range[,port-name-number-or-range]...]
           Optional destination port(s). A comma-separated list of port names
           (from services(5)), port numbers or port ranges; if the protocol is
           icmp, this column is interpreted as the destination icmp-type(s).
           ICMP types may be specified as a numeric type, a numeric type and
           code separated by a slash (e.g., 3/4), or a typename. See
           https://shorewall.org/configuration_file_basics.htm#ICMP[3].

           If the protocol is ipp2p, this column is interpreted as an ipp2p
           option without the leading "--" (for example, bit for BitTorrent).
           If no port is given, ipp2p is assumed.

           This column is ignored if PROTO is all, but must be entered if any
           of the following fields is supplied. In that case, it is suggested
           that this field contain "-".

           This column was formerly labelled DEST PORT(S).

       SPORT - [-|port-name-number-or-range[,port-name-number-or-range]...]
           Optional source port(s). If omitted, any source port is acceptable.
           Specified as a comma-separated list of port names, port numbers or
           port ranges.

           This column was formerly labelled SOURCE PORT(S).

       USER - [!][user-name-or-number][:group-name-or-number]
           This optional column may only be non-empty if the SOURCE is the
           firewall itself.

           When this column is non-empty, the rule applies only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.


EXAMPLE

       Mark the first incoming packet of a connection on the loopback
       interface and destined for address 127.0.0.1 and tcp port 3306 with
       context system_u:object_r:mysqld_packet_t:s0 and save that context in
       the conntrack table. On subsequent input packets in the connection, set
       the context from the conntrack table.

       /etc/shorewall/interfaces:

           #ZONE      INTERFACE      BROADCAST       OPTIONS
           -          lo             -               ignore

       /etc/shorewall/secmarks:

           #SECMARK                              CHAIN      SOURCE  DEST       PROTO   DPORT      SPORT       USER      MARK
           system_u:object_r:mysqld_packet_t:s0  I:N        lo      127.0.0.1  tcp     3306
           SAVE                                  I:N        lo      127.0.0.1  tcp     3306
           RESTORE                               I:ER

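       The behaviour described in the Important note (evaluation continues
       after a match, so the LAST matching rule sets the final context) and the
       way SAVE and RESTORE move a context into and out of the conntrack entry
       can be checked against the example above with the following toy
       evaluator. It is an added illustration written for this page, not
       Shorewall code or the compiler's real matching logic: it models only the
       subset of column syntax the example uses (CHAIN[:STATE], a plain
       interface in SOURCE, one address in DEST, one protocol and one DPORT),
       the connection state of each packet is supplied by hand, and the sample
       file is the secmarks file from the example.

```python
# Added illustration of secmarks semantics (not Shorewall code): every rule is
# evaluated, a later matching context rule overrides an earlier one, SAVE copies
# the packet's context into the connection, RESTORE copies it back.
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the secmarks file from the EXAMPLE section above.
SECMARKS_TEXT = """\
#SECMARK                              CHAIN      SOURCE  DEST       PROTO   DPORT
system_u:object_r:mysqld_packet_t:s0  I:N        lo      127.0.0.1  tcp     3306
SAVE                                  I:N        lo      127.0.0.1  tcp     3306
RESTORE                               I:ER
"""

# State suffixes of the CHAIN column and the conntrack states each one covers.
STATE_SETS = {
    "N": {"NEW"}, "I": {"INVALID"}, "U": {"UNTRACKED"},
    "NI": {"NEW", "INVALID"}, "NU": {"NEW", "UNTRACKED"},
    "IU": {"INVALID", "UNTRACKED"}, "NIU": {"NEW", "INVALID", "UNTRACKED"},
    "E": {"ESTABLISHED"}, "ER": {"ESTABLISHED", "RELATED"},
}
CHAINS = {"P", "I", "F", "O", "T"}


@dataclass
class Rule:
    secmark: str            # SAVE, RESTORE or an SELinux context
    chain: str              # P, I, F, O or T
    states: Optional[set]   # None means any connection state
    source: str             # "-" means any (only a plain interface is modelled)
    dest: str               # "-" means any (only a single address is modelled)
    proto: str
    dport: str


@dataclass
class Packet:
    chain: str
    state: str
    iface: str
    dst: str
    proto: str
    dport: str
    secmark: Optional[str] = None   # context currently attached to the packet


@dataclass
class Connection:
    saved_secmark: Optional[str] = None   # context stored in the conntrack entry


def parse_secmarks(text: str) -> list[Rule]:
    """Parse the first six columns of a secmarks file into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (6 - len(cols))        # omitted trailing columns mean "any"
        chain, _, state = cols[1].partition(":")
        if chain not in CHAINS or (state and state not in STATE_SETS):
            raise ValueError(f"bad CHAIN column: {cols[1]}")
        states = STATE_SETS[state] if state else None
        rules.append(Rule(cols[0], chain, states, *cols[2:6]))
    return rules


def _matches(rule: Rule, pkt: Packet) -> bool:
    def col(spec: str, value: str) -> bool:
        return spec == "-" or spec == value
    return (rule.chain == pkt.chain
            and (rule.states is None or pkt.state in rule.states)
            and col(rule.source, pkt.iface) and col(rule.dest, pkt.dst)
            and col(rule.proto, pkt.proto) and col(rule.dport, pkt.dport))


def apply_secmarks(rules: list[Rule], pkt: Packet, conn: Connection) -> Optional[str]:
    """Run every rule over the packet; evaluation does NOT stop at a match."""
    for rule in rules:
        if not _matches(rule, pkt):
            continue
        if rule.secmark == "SAVE":
            if pkt.secmark is not None:
                conn.saved_secmark = pkt.secmark
        elif rule.secmark == "RESTORE":
            if pkt.secmark is None and conn.saved_secmark is not None:
                pkt.secmark = conn.saved_secmark
        else:
            pkt.secmark = rule.secmark   # a later matching rule overrides this
    return pkt.secmark


def demo() -> tuple:
    """Walk the example: first packet, a later packet, and an unrelated packet."""
    rules = parse_secmarks(SECMARKS_TEXT)
    conn = Connection()
    first = Packet("I", "NEW", "lo", "127.0.0.1", "tcp", "3306")
    later = Packet("I", "ESTABLISHED", "lo", "127.0.0.1", "tcp", "3306")
    other = Packet("I", "NEW", "lo", "127.0.0.1", "tcp", "22")
    return (apply_secmarks(rules, first, conn),
            apply_secmarks(rules, later, conn),
            apply_secmarks(rules, other, conn),
            conn.saved_secmark)


if __name__ == "__main__":
    print(demo())
```

       Running it shows the first packet receiving the mysqld context (and the
       SAVE rule storing it), the ESTABLISHED packet receiving the same context
       purely through RESTORE, and the port 22 packet receiving none. Feeding
       two context rules with identical match columns to apply_secmarks shows
       the second one winning, which is the point of the Important note.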

FILES

       /etc/shorewall/secmarks

       /etc/shorewall6/secmarks


SEE ALSO

       http://james-morris.livejournal.com/11010.html

       https://shorewall.org/configuration_file_basics.htm#Pairs[4]

       shorewall(8)


NOTES

        1. shorewall-rules
           https://shorewall.org/manpages/shorewall-rules.html

        2. shorewall-exclusion
           https://shorewall.org/manpages/shorewall-exclusion.html

        3. https://shorewall.org/configuration_file_basics.htm#ICMP

        4. https://shorewall.org/configuration_file_basics.htm#Pairs



Configuration Files               09/24/2020             SHOREWALL-SECMARKS(5)