Working with MARKs

Costa Tsaousis edited this page Jul 27, 2017 · 20 revisions

FireHOL installation


Link Balancer - routing tables with inheritance, multiple balancing gateways, routing rules

FireHOL & iptables marks

FireHOL & ipsets

FireHOL & SYNPROXY (DDoS mitigation)

FireHOL with basic IDS - just with plain iptables and ipsets

Clone this wiki locally

Working with MARKs


MARKs allow marking traffic with an ID, so that the marked packets will carry a label or tag.

Once packets have been marked, the marking can be used to take decisions based on it:

  • Allow or deny access (in firehol)
  • classify packets for traffic shaping (in fireqos)
  • take routing decisions (in link-balancer)

Packets can only be marked with the mark firehol helper. Once the packets are marked, all tools provide a common set of optional rule parameters or match statements to make make decisions based on these marks.

Multiple Marks

The kernel supports only one mark per packet. Just one mark.

It allows however a mask to be given for each operation on this mark.

Using this masking mechanism, all FireHOL tools allow multiple MARKs to be set on each packet. So, a packet can have mark A for packet filtering, mark B for traffic shaping, mark C for routing and mark D for other special purposes.

The way this is implemented in FireHOL tools, marks A, B, C, D are completely isolated and independent. Each one can have its own value that does not interfere with the others in any way.

Furthermore, FireHOL tools allow you to customize these marks any way you like. You can add your mark types and configure their options.

What are these options:

  1. Each mark type has a minimum and a maximum value.

    Although MARKs are 32 bit numbers (0 to 4294967295), when we bitmask them we actually use a few of these bits for each mark type. We allocate a certain number of bits dedicated to each mark type.

    For example, for our 4 mark types A, B, C, D we could use 8 bits for each. This means each mark type will get a value from 0 to 255 and all 32 bits will be used. Or we could use 8 bits for A, B (values 0 - 255) and 4 bits for C and D (values 0 - 15). Or 10 bits for A (values 0 - 1023), 6 bits for B (values 0 - 63), 5 bits for C (values 0 - 31) and just 1 bit for D (values 0 - 1).

    When you define mark types in FireHOL you don't need to care about the bits used. You just say the number of values a mark type should have and FireHOL will make all the calculations. If you overflow the 32 bits, FireHOL will give you an error. The only thing to remember is that the possible values of each mark type should be a power of 2 (2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, etc.)

  2. Each mark can be configured as temporary or permanent

    permanent saves this mark type to the connection tracker (CONNMARK), so that all packets related to the marked one, will automatically get the mark.

    temporary does not save this mark type to the connection tracker.

  3. Each mark can be configured to be stateless or stateful

    This option controls which packets get marked by the mark helper.

    stateless will simply mark the all packets the optional rule parameters of the mark helper match.

    stateful will only mark the NEW packets of each connection that is matched by the mark helper optional rule parameters.

stateful/stateless and permanent/temporary interact with each other. We will discuss this in detail at Defining Mark Options.

There are also a few shortcuts:

  • default means permanent stateful
  • classic means temporary stateless

How to Configure Marks

You can add markdef lines at the top of firehol.conf.

Alternatively you can edit /etc/firehol/firehol-defaults.conf.

This is an abstract of the default configuration:

# clear the marks
markdef clear

# define the default marks
markdef connmark 64
markdef usermark 128

The mark types connmark and usermark should always be defined. Of course you can adapt their max values to your needs.

You can also add more mark types, for example appending the following will add a few more marks:

markdef qos 16
markdef ipsec 2 classic

How to match packets with specific marks



Link Balancer

Defining Mark Options

There are 4 possible combinations for the options:

permanent stateful marks, or 'default'

This is the default.

stateful makes the FireHOL mark helper mark only the NEW packets of each connection and permanent makes the kernel restore this mark for every packet that is part of the same connection or related to the same connection.

what to mark at the helper:

You should use the 'mark' helper to just mark the first packet of a request. All replies and (related connections) will automatically get the same mark.

This is the most efficient and simple mark, this is why it is the default.

markdef qos 16 default


# set the qos mark 1 on all packets sent from the local machine to an smtp server
# their replies will be marked automatically
custommark qos 1 OUTPUT dport 25

temporary stateless marks, or 'classic'

This is the 'classic' mark we see in iptables MARK examples all over the net.

temporary means never restore indirectly this mark for any packet and stateless means that only what the mark helper matches will get the mark.

what to mark at the helper:

You should use the 'mark' helper to mark the traffic you want to have marked. Nothing else will be marked.

So if you just want to port to FireHOL something you found on the net, you will most probably need this kind of mark.


markdef qos 2 classic


# set the qos mark 1 on all packets sent from the local machine to an smtp server
# its replies will not be marked
custommark qos 1 OUTPUT dport 25

temporary stateful marks

Using these mark options, only the NEW packets of each connection will be marked, that is the first request packet. No other packets will have the mark set.

markdef test 2 temporary stateful

permanent stateless marks