On 9/6/10 6:38 AM, Mr Dash Four wrote:
>
>> Shorewall does not currently support the SECMARK and CONNSECMARK targets.
>>
> A few quick observations and queries. I have successfully tested a
> straightforward SECMARK setup (labelling my sshd, mysqld and openvpn
> traffic) without a glitch.
>
> I am now in a position to start testing more complex setups, though I
> ran into a bit of difficulty.
>
> For example, I want to label traffic which is initiated by a specific
> process, starts from an arbitrary random high port and is also
> destined to an arbitrary random high port on a network (not a specific
> IP address). In my rules file I restricted such traffic by User ID/Group
> ID and that did the job, as this process runs in a confined environment
> under the restrictions of UID/GID (and SELinux).
>
> As it stands though, the secmarks file won't allow me to use this
> approach and add User ID/Group ID as I am able to with my rules file.
> Would that be possible; could this be added as an option? If not, any
> advice as to how to label such traffic (add a specific chain perhaps?)
> would be welcome.
Your requirements were incompletely given then. I'll send you another RPM
privately that will include that support.

> A question may be related to the above: the purpose of CONNSECMARK is
> to 'save' a packet mark to a specific connection (normally used when a
> connection is set up) or 'restore' a connection label to a packet
> (normally for all subsequent packets on that connection), though I am
> not entirely sure how I would use this with the SAVE and RESTORE
> commands and to which chains I should apply those.

Please look at the example in the manpage from the updated RPM; hopefully,
it will make this clearer. You might also consult the SELinux documentation
about how to use the CONNSECMARK target.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
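The two questions in this thread (labelling by UID/GID, and which chains the CONNSECMARK --save and --restore rules belong in) are easiest to see in plain iptables, independent of Shorewall's secmarks file. The script below is an added example written for this page; it is not from the thread, not Shorewall's generated output, and not the manpage example Tom refers to. The user name "vpnclient", the 10.8.0.0/24 network, the 1024:65535 port ranges and the context system_u:object_r:vpn_client_packet_t:s0 are all placeholders. It emits an iptables-restore fragment rather than calling iptables directly, so it can be inspected before loading and run without root:

```shell
#!/bin/sh
# Added example, not from the thread and not Shorewall's own output.
# Emits a mangle-table fragment that labels the outbound connections of a
# UID/GID-confined client with SECMARK and propagates that label to every
# packet of the connection (both directions) with CONNSECMARK.
#
# Arguments (all placeholders, assumed for the example):
#   $1 user the client runs as           default: vpnclient
#   $2 group the client runs as          default: vpnclient
#   $3 destination network               default: 10.8.0.0/24
#   $4 SELinux context to stamp          default: system_u:object_r:vpn_client_packet_t:s0
secmark_rules() {
    uid=${1:-vpnclient}
    gid=${2:-vpnclient}
    net=${3:-10.8.0.0/24}
    ctx=${4:-system_u:object_r:vpn_client_packet_t:s0}
    cat <<EOF
*mangle
:secmark_client - [0:0]
# 1. Anything already tracked gets the label copied from its conntrack entry
#    back onto the packet. Doing this in INPUT as well is what labels the
#    reply packets: the owner match only works in OUTPUT and POSTROUTING,
#    so it can never identify the inbound half of the connection.
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
# 2. Only the first packet of a new connection from the confined user/group,
#    unprivileged source port to unprivileged destination port on the target
#    network, is sent to the labelling chain. The random high ports are not
#    a problem: once saved, the label follows the conntrack entry, not the port.
-A OUTPUT -p tcp -d $net --sport 1024:65535 --dport 1024:65535 -m owner --uid-owner $uid --gid-owner $gid -m state --state NEW -j secmark_client
-A OUTPUT -p udp -d $net --sport 1024:65535 --dport 1024:65535 -m owner --uid-owner $uid --gid-owner $gid -m state --state NEW -j secmark_client
# 3. Stamp the packet first, then save the stamp into the conntrack entry so
#    step 1 can restore it onto all later packets. Order matters: --save
#    before SECMARK would record an unlabelled packet.
-A secmark_client -j SECMARK --selctx $ctx
-A secmark_client -j CONNSECMARK --save
COMMIT
EOF
}

# Usage (as root, on the target box), without flushing the tables in place:
#   sh secmark-rules.sh --print | iptables-restore -n
if [ "${1:-}" = "--print" ]; then
    secmark_rules "$2" "$3" "$4" "$5"
fi
```

Two checks before loading it: the context passed to --selctx must be a packet type the running policy knows, otherwise iptables-restore refuses the SECMARK rule; and the confined domain needs the SELinux permissions to send and receive packets of that type, or the labelling will silently turn into a denial. Both rules in step 2 also depend on conntrack being loaded, since --state and CONNSECMARK have nothing to work with otherwise.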
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
