{"id":4539,"date":"2022-12-20T18:08:59","date_gmt":"2022-12-20T21:08:59","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewallsecmarks-man5\/"},"modified":"2022-12-20T18:08:59","modified_gmt":"2022-12-20T21:08:59","slug":"shorewallsecmarks-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewallsecmarks-man5\/","title":{"rendered":"SHOREWALL−SECMARKS (man5)"},"content":{"rendered":"

SHOREWALL\u2212SECMARKS<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLE<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

secmarks \u2212 Shorewall file<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

\/etc\/shorewall[6]\/secmarks<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

Important<\/big><\/b>
Unlike rules in the shorewall\u2212rules<\/font><\/b> [1]<\/font><\/small> (5) file, evaluation of rules in this file will continue after a match. So the final secmark for each packet will be the one assigned by the LAST rule that matches.<\/font><\/p>\n

The secmarks file is used to associate an SELinux context with packets. It was added in Shorewall version 4.4.13.<\/font><\/p>\n

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).<\/font><\/p>\n

SECMARK \u2212 {SAVE|RESTORE|<\/b>context<\/i>|?COMMENT<\/b> comment<\/i>}<\/b><\/font><\/p>\n

SAVE<\/b><\/font><\/p>\n

If an SELinux context is associated with the packet, the context is saved in the connection. Normally, the remaining columns should be left blank.<\/font><\/p>\n

RESTORE<\/b><\/font><\/p>\n

If an SELinux context is not currently associated with the packet, then the saved context (if any) is associated with the packet. Normally, the remaining columns should be left blank.<\/font><\/p>\n

context<\/i><\/font><\/p>\n

An SELinux context.<\/font><\/p>\n

?COMMENT<\/font><\/p>\n

The remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word ?COMMENT.<\/font><\/p>\n

CHAIN \u2212 {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]<\/b><\/font><\/p>\n

This column determines the CHAIN where the SELinux context is to be applied:<\/font><\/p>\n

P \u2212 PREROUTING
I \u2212 INPUT
F \u2212 FORWARD
O \u2212 OUTPUT
T \u2212 POSTROUTING<\/font><\/p>\n

It may be optionally followed by a colon and an indication of the Netfilter connection state(s) at which the context is to be applied:<\/font><\/p>\n

:N \u2212 NEW connection
:I \u2212 INVALID connection
:NI \u2212 NEW or INVALID connection
:E \u2212 ESTABLISHED connection
:ER \u2212 ESTABLISHED or RELATED connection<\/font><\/p>\n

Beginning with Shorewall 4.5.10, the following additional options are available<\/font><\/p>\n

:U \u2212 UNTRACKED connection
:IU \u2212 INVALID or UNTRACKED connection
:NU \u2212 NEW or UNTRACKED connection
:NIU \u2212 NEW, INVALID or UNTRACKED connection.<\/font><\/p>\n

This column was formerly labelled CHAIN:STATE.<\/font><\/p>\n

SOURCE<\/b> \u2212 {\u2212<\/b>interface<\/i>|[interface<\/i>:]address\u2212or\u2212range<\/i>[,<\/b>address\u2212or\u2212range<\/i>]…}[exclusion<\/i>]<\/font><\/p>\n

May be:<\/font><\/p>\n

1. An interface name \u2212 matches traffic entering the firewall on the specified interface. May not be used in classify rules or in rules using the T in the CHAIN column.<\/font><\/p>\n

2. A comma\u2212separated list of host or network IP addresses or MAC addresses.<\/font><\/p>\n

3. An interface name followed by a colon (“:”) followed by a comma\u2212separated list of host or network IP addresses or MAC addresses.<\/font><\/p>\n

MAC addresses must be prefixed with “~” and use “\u2212” as a separator.<\/font><\/p>\n

Example: ~00\u2212A0\u2212C9\u221215\u221239\u221278<\/font><\/p>\n

You may exclude certain hosts from the set already defined through use of an exclusion<\/i> (see<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5)).<\/font><\/p>\n

Addresses may be specified using an ipset name preceded by ‘+’.<\/font><\/p>\n

DEST<\/b> \u2212 {\u2212<\/b>|{interface<\/i>|[interface<\/i>:]address\u2212or\u2212range<\/i>[,<\/b>address\u2212or\u2212range<\/i>]…}[exclusion<\/i>]<\/font><\/p>\n

May be:<\/font><\/p>\n

1. An interface name. May not be used in the PREROUTING or INPUT chains. The interface name may be optionally followed by a colon (“:”) and an IP address list.<\/font><\/p>\n

2. A comma\u2212separated list of host or network IP addresses. The list may include ip address ranges if your kernel and iptables include iprange support.<\/font><\/p>\n

You may exclude certain hosts from the set already defined through use of an exclusion<\/i> (see<\/font> shorewall\u2212exclusion<\/font><\/b> [2]<\/font><\/small> (5)).<\/font><\/p>\n

Addresses may be specified using an ipset name preceded by ‘+’.<\/font><\/p>\n

PROTO<\/b> \u2212 {\u2212<\/b>|tcp:syn<\/b>|ipp2p<\/b>|ipp2p:udp<\/b>|ipp2p:all<\/b>|protocol\u2212number<\/i>|protocol\u2212name<\/i>|all}[,…]<\/b><\/font><\/p>\n

See<\/font> shorewall\u2212rules(5)<\/font><\/b> [1]<\/font><\/small> for details.<\/font><\/p>\n

Beginning with Shorewall 4.5.12, this column can accept a comma\u2212separated list of protocols.<\/font><\/p>\n

DPORT<\/b> \u2212 [\u2212<\/b>|port\u2212name\u2212number\u2212or\u2212range<\/i>[,<\/b>port\u2212name\u2212number\u2212or\u2212range<\/i>]…]<\/font><\/p>\n

Optional destination Ports. A comma\u2212separated list of Port names (from services(5)), port number<\/i>s or port range<\/i>s; if the protocol is icmp<\/b>, this column is interpreted as the destination icmp\u2212type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3\/4), or a typename. See<\/font> https:\/\/shorewall.org\/configuration_file_basics.htm#ICMP<\/font><\/b> [3]<\/font><\/small> .<\/font><\/p>\n

If the protocol is ipp2p<\/b>, this column is interpreted as an ipp2p option without the leading “\u2212\u2212” (example bit<\/b> for bit\u2212torrent). If no PORT is given, ipp2p<\/b> is assumed.<\/font><\/p>\n

This column is ignored if PROTOCOL = all but must be entered if any of the following field is supplied. In that case, it is suggested that this field contain “\u2212”<\/font><\/p>\n

This column was formerly labelled DEST PORT(S).<\/font><\/p>\n

SPORT<\/b> \u2212 [\u2212<\/b>|port\u2212name\u2212number\u2212or\u2212range<\/i>[,<\/b>port\u2212name\u2212number\u2212or\u2212range<\/i>]…]<\/font><\/p>\n

Optional source port(s). If omitted, any source port is acceptable. Specified as a comma\u2212separated list of port names, port numbers or port ranges.<\/font><\/p>\n

This column was formerly labelled SOURCE PORT(S).<\/font><\/p>\n

USER<\/b> \u2212 [!<\/b>][user\u2212name\u2212or\u2212number<\/i>][:<\/b>group\u2212name\u2212or\u2212number<\/i>]<\/font><\/p>\n

This optional column may only be non\u2212empty if the SOURCE is the firewall itself.<\/font><\/p>\n

When this column is non\u2212empty, the rule applies only if the program generating the output is running under the effective user<\/i> and\/or group<\/i> specified (or is NOT running under that id if “!” is given).<\/font><\/p>\n

Examples:<\/font><\/p>\n

joe<\/font><\/p>\n

program must be run by joe<\/font><\/p>\n

:kids<\/font><\/p>\n

program must be run by a member of the ‘kids’ group<\/font><\/p>\n

!:kids<\/font><\/p>\n

program must not be run by a member of the ‘kids’ group<\/font><\/p>\n

MARK<\/b> \u2212 [!<\/b>]value<\/i>[\/mask<\/i>][:C<\/b>]<\/font><\/p>\n

Defines a test on the existing packet or connection mark. The rule will match only if the test returns true.<\/font><\/p>\n

If you don’t want to define a test but need to specify anything in the following columns, place a “\u2212” in this field.<\/font><\/p>\n

!<\/font><\/p>\n

Inverts the test (not equal)<\/font><\/p>\n

value<\/i><\/font><\/p>\n

Value of the packet or connection mark.<\/font><\/p>\n

mask<\/i><\/font><\/p>\n

A mask to be applied to the mark before testing.<\/font><\/p>\n

:C<\/b><\/font><\/p>\n

Designates a connection mark. If omitted, the packet mark’s value is tested.<\/font><\/p>\n

EXAMPLE <\/a> <\/h2>\n

Mark the first incoming packet of a connection on the loopback interface and destined for address 127.0.0.1 and tcp port 3306 with context system_u:object_r:mysqld_t:s0 and save that context in the conntrack table. On subsequent input packets in the connection, set the context from the conntrack table.<\/font><\/p>\n

\/etc\/shorewall\/interfaces:<\/font><\/p>\n

#ZONE INTERFACE BROADCAST OPTIONS
\u2212 lo \u2212 ignore<\/font><\/p>\n

\/etc\/shorewall\/secmarks:<\/font><\/p>\n

#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306
SAVE I:N lo 127.0.0.1 tcp 3306
RESTORE I:ER<\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/secmarks<\/font><\/p>\n

\/etc\/shorewall6\/secmarks<\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

http:\/\/james\u2212morris.livejournal.com\/11010.html<\/font><\/b><\/p>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/b> [4]<\/font><\/small><\/p>\n

shorewall(8)<\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-rules<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-rules.html<\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-exclusion<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-exclusion.html<\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#ICMP<\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#ICMP<\/font><\/p>\n\n\n
<\/td>\n\n

4.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

secmarks \u2212 Shorewall file <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1499],"class_list":["post-4539","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-secmarks"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4539"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4539\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}