> Shorewall does not currently support the SECMARK and CONNSECMARK targets.

A few quick observations and queries. I have successfully tested a straightforward SECMARK setup (labelling my sshd, mysqld and openvpn traffic) without a glitch.

I am now in a position to start testing more complex setups, though I ran into a bit of difficulty. For example, I want to label traffic which is initiated by a specific process, starts from an arbitrary random high port and is also destined to an arbitrary random high port on a network (not a specific IP address). In my rules file I restricted such traffic by User ID/Group ID, and that did the job, as this process runs in a confined environment under the restrictions of UID/GID (and SELinux). As it stands, though, the secmarks file won't allow me to use this approach and add User ID/Group ID as I am able to with my rules file. Would that be possible; could this be added as an option? If not, any advice as to how to label such traffic (add a specific chain perhaps?) would be welcome.

A question that may be related to the above: the purpose of CONNSECMARK is to 'save' a packet mark to a specific connection (normally used when a connection is set up) or 'restore' a connection label to a packet (normally for all subsequent packets on that connection), though I am not entirely sure how I would use this with the SAVE and RESTORE commands and to which chains I should apply those.

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
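The raw iptables rules behind the question, as an added example (not part of the original post or of Shorewall): a shell script that emits the mangle-table fragment with SECMARK labelling by port for listeners and by owner UID for a client process whose ports are random, followed by the CONNSECMARK save/restore pair in each chain, plus a check that every SECMARK rule precedes the save rule of its chain. Contexts, ports, the destination network and the UID are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post or from Shorewall. Emits an
# iptables-restore fragment for the mangle table; nothing is applied.

# Label NEW inbound packets to a listening port ($1=context $2=proto $3=port).
label_service() {
  echo "-A INPUT -p $2 --dport $3 -m state --state NEW -j SECMARK --selctx $1"
}

# Label NEW outbound packets by owning process rather than by port, for a client
# whose source and destination ports are random ($1=context $2=proto $3=uid $4=net).
# The owner match is only available in OUTPUT (and POSTROUTING).
label_process() {
  echo "-A OUTPUT -p $2 -d $4 -m owner --uid-owner $3 -m state --state NEW -j SECMARK --selctx $1"
}

# One save and one restore per chain: --save copies the packet label onto the
# conntrack entry on the first packet, --restore copies it back on every later
# packet. The save rule must come after all SECMARK rules of the same chain.
connsecmark_rules() {
  for chain in INPUT OUTPUT; do
    echo "-A $chain -m state --state NEW -j CONNSECMARK --save"
    echo "-A $chain -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
  done
}

# Full fragment; contexts, ports, UID 1001 and 10.0.0.0/8 are constructed samples.
mangle_table() {
  echo "*mangle"
  label_service system_u:object_r:sshd_packet_t:s0 tcp 22
  label_service system_u:object_r:mysqld_packet_t:s0 tcp 3306
  label_process system_u:object_r:openvpn_packet_t:s0 udp 1001 10.0.0.0/8
  connsecmark_rules
  echo "COMMIT"
}

# Returns 0 when, in each chain, the last SECMARK rule precedes the --save rule;
# a SECMARK rule placed after --save would label packets the connection never records.
check_order() {
  for chain in INPUT OUTPUT; do
    last_secmark=$(mangle_table | grep -n "^-A $chain .* -j SECMARK " | tail -1 | cut -d: -f1)
    save=$(mangle_table | grep -n "^-A $chain .* -j CONNSECMARK --save" | cut -d: -f1)
    [ -n "$save" ] && [ "${last_secmark:-0}" -lt "$save" ] || return 1
  done
}

mangle_table
check_order && echo "# rule ordering ok" >&2
```

The fragment can be reviewed as text or loaded on a test host with `iptables-restore -n`, which appends it without flushing existing rules.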
