On 06/02/2011 07:55 AM, Mr Dash Four wrote:
> I have started receiving a rather "interesting" security alert (it
> happened twice in the last 24 hours or so) in the audit logs from my
> tun0 device. It is about a packet destined out to a well-known (and
> authorised) host and port, but with the packet class security-marked as
> "unlabelled" (unlabeled_t security type to be precise). This is baffling
> not least because I have a "catch-all" statement in my secmark file like
> this:
>
> system_u:object_r:unauthorised_packet_t:s0 O:N
> ...
> SAVE O:N
> RESTORE O:ER
>
> This is properly translated by shorewall to:
>
> -A tcout -m conntrack --ctstate NEW -j SECMARK --selctx system_u:object_r:unauthorised_packet_t:s0
> -A tcout -m conntrack --ctstate NEW -j CONNSECMARK --save
> -A tcout -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
>
> Now, the security alert I am getting I suspect is happening when the
> connection closes (syscall=close in that security alert), so what could
> be the reason that my catch-all above slips this packet through without
> marking it and how can I avoid this? Could it be that the packet is
> "invalid" or is there another reason for this?
The attached (untested) patch implements an 'NI' suffix. See if that corrects the problem.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index bd441fe..88c61ca 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1604,8 +1604,10 @@ sub process_secmark_rule() {
O => 'tcout' , );
my %state = ( N => 'NEW' ,
+ NI => 'NEW,INVALID',
E => 'ESTABLISHED' ,
- ER => 'ESTABLISHED,RELATED' );
+ ER => 'ESTABLISHED,RELATED',
+ );
my ( $chain , $state, $rest) = split ':', $chainin , 3;
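Review bot: the new `NI => 'NEW,INVALID'` entry in `%state` is only useful on the SECMARK line of a secmark file, and that should be documented alongside the existing N/E/ER suffixes, since this hunk adds the key but no documentation or example. An INVALID packet has no conntrack entry, so `--ctstate NEW,INVALID -j SECMARK` does label it, but a `SAVE O:NI` line would be a no-op for the INVALID half (there is no connection to store the mark on) and gains nothing over the reporter's existing `SAVE O:N`; worth a comment next to the entry so users do not expect RESTORE to recover a mark for such packets. The reflow of `ER => 'ESTABLISHED,RELATED',` onto its own line with a trailing comma is fine and makes future additions cleaner, but it is unrelated to the fix and could be mentioned in the commit message.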
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
