I have started receiving a rather "interesting" security alert (it happened twice in the last 24 hours or so) in the audit logs from my tun0 device. It is about a packet destined out to a well-known (and authorised) host and port, but with the packet class security-marked as "unlabelled" (unlabeled_t security type to be precise). This is baffling not least because I have a "catch-all" statement in my secmark file like this:
    system_u:object_r:unauthorised_packet_t:s0 O:N ... SAVE O:N RESTORE O:ER

This is properly translated by shorewall to:

    -A tcout -m conntrack --ctstate NEW -j SECMARK --selctx system_u:object_r:unauthorised_packet_t:s0
    -A tcout -m conntrack --ctstate NEW -j CONNSECMARK --save
    -A tcout -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore

Now, the security alert I am getting I suspect is happening when the connection closes (syscall=close in that security alert), so what could be the reason that my catch-all above slips this packet through without marking it and how can I avoid this? Could it be that the packet is "invalid" or is there another reason for this?

Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

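As an added illustration (not part of the original message or of Shorewall), the small Python model below walks a packet through the three generated tcout rules by conntrack state and reports which label it ends up with. It shows that a packet in a state none of the rules name (INVALID, the poster's own guess) is never marked and would surface as unlabeled_t; whether that is what happened on this host is something only the audit record and conntrack state can settle. The UNLABELED constant is an assumed representation of an unmarked packet.

```python
"""Model how the quoted tcout chain labels a packet, by conntrack state."""
import re

# The three rules Shorewall generated from the poster's catch-all line,
# copied verbatim from the message above.
TCOUT_RULES = """
-A tcout -m conntrack --ctstate NEW -j SECMARK --selctx system_u:object_r:unauthorised_packet_t:s0
-A tcout -m conntrack --ctstate NEW -j CONNSECMARK --save
-A tcout -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
""".strip().splitlines()

# Assumed: what a packet that no SECMARK/CONNSECMARK rule touched reports as.
UNLABELED = "system_u:object_r:unlabeled_t:s0"

RULE_RE = re.compile(
    r"--ctstate (\S+) -j (SECMARK|CONNSECMARK)(?: --selctx (\S+)| --(save|restore))"
)

def parse_rules(lines):
    """Turn each '-A tcout ...' line into (matching ctstates, target, argument)."""
    rules = []
    for line in lines:
        m = RULE_RE.search(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        states, target, selctx, action = m.groups()
        rules.append((set(states.split(",")), target, selctx or action))
    return rules

def label_packet(rules, ctstate, conn_label=None):
    """Return (packet_label, conn_label_after).

    conn_label models the mark stored on the conntrack entry by CONNSECMARK
    --save (None when the flow carries none). A packet whose ctstate matches
    no rule is left without a label and reported as UNLABELED."""
    packet = None
    for states, target, arg in rules:
        if ctstate not in states:
            continue
        if target == "SECMARK":
            packet = arg
        elif arg == "save" and packet is not None:
            conn_label = packet
        elif arg == "restore" and conn_label is not None:
            packet = conn_label
    return (packet or UNLABELED), conn_label

def walk_flow(rules, states):
    """Label each packet of one flow in order, carrying the connection mark along."""
    conn, result = None, []
    for st in states:
        pkt, conn = label_packet(rules, st, conn)
        result.append((st, pkt))
    return result
```

Running walk_flow over a NEW, ESTABLISHED, RELATED, INVALID sequence labels the first three unauthorised_packet_t and leaves the last one unlabelled, since neither the SECMARK nor the CONNSECMARK --restore rule matches it.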