#FHVER: 1:213
# --- FTP over SSL/TLS ---------------------------------------------------------
#
# Service definition for FTP with an encrypted (SSL/TLS) control channel.
# Because the control channel is encrypted, the kernel's ip_conntrack_ftp
# helper cannot inspect it to learn the data-connection ports, so it cannot
# mark the data channel as RELATED. The rules below are therefore looser than
# the plain-FTP service: the passive-mode section accepts NEW connections
# across the whole configured client-port range on both ends. Keep
# DEFAULT_CLIENT_PORTS / LOCAL_CLIENT_PORTS as narrow as the deployment
# allows, because that range is exactly what gets opened.
# (Explanation originally credited to Terry Linhardt.)

ALL_SHOULD_ALSO_RUN="${ALL_SHOULD_ALSO_RUN} ftp_ssl"

#######################################
# Build the firewall rules for an FTP-over-SSL/TLS client or server.
# Globals:   DEFAULT_CLIENT_PORTS, LOCAL_CLIENT_PORTS, work_cmd (read)
# Arguments: $1 - chain name suffix the rules are attached to
#            $2 - "client" or "server"
#            remaining arguments are passed through to `rule` as the action
# Returns:   0 on success, 1 as soon as any `rule` call fails
#######################################
rules_ftp_ssl() {
	local chain_base="${1}"; shift
	local role="${1}"; shift

	# Direction labels: requests reach a server on "in"; a client originates
	# them, so for a client the two labels are swapped.
	local in=in
	local out=out
	case "${role}" in
		client)
			in=out
			out=in
			;;
	esac

	# Client-side port set. When an interface-local client is being
	# configured, only the local client-port range is permitted.
	local client_ports="${DEFAULT_CLIENT_PORTS}"
	if [ "${role}" = "client" ] && [ "${work_cmd}" = "interface" ]
	then
		client_ports="${LOCAL_CLIENT_PORTS}"
	fi

	# Background on how FTP connections work:
	# http://slacksite.com/other/ftp.html

	# ----------------------------------------------------------------------
	# Control channel (port ftp): NEW,ESTABLISHED on the "${in}" rule,
	# ESTABLISHED only on the "${out}" reverse rule.
	set_work_function "Setting up rules for initial FTP over SSL/TLS connection ${role}"
	rule "${in}" action "$@" chain "${in}_${chain_base}" proto tcp \
		sport "${client_ports}" dport ftp state NEW,ESTABLISHED || return 1
	rule "${out}" reverse action "$@" chain "${out}_${chain_base}" proto tcp \
		sport "${client_ports}" dport ftp state ESTABLISHED || return 1

	# Active FTP: data channel on port ftp-data. The "${out}" reverse rule
	# also accepts RELATED; the "${in}" rule accepts ESTABLISHED only.
	set_work_function "Setting up rules for Active FTP over SSL/TLS ${role}"
	rule "${out}" reverse action "$@" chain "${out}_${chain_base}" proto tcp \
		sport "${client_ports}" dport ftp-data state ESTABLISHED,RELATED || return 1
	rule "${in}" action "$@" chain "${in}_${chain_base}" proto tcp \
		sport "${client_ports}" dport ftp-data state ESTABLISHED || return 1

	# ----------------------------------------------------------------------
	# Passive FTP (the "hack" the file header refers to). The server-side
	# port set is narrowed to the local range only when an interface-local
	# server is configured; the client side reuses client_ports, which was
	# narrowed under the matching condition for a client above.
	local server_ports="${DEFAULT_CLIENT_PORTS}"
	if [ "${role}" = "server" ] && [ "${work_cmd}" = "interface" ]
	then
		server_ports="${LOCAL_CLIENT_PORTS}"
	fi

	# Security note: the second rule below accepts NEW connections with
	# sport in client_ports and dport in server_ports, i.e. the whole
	# high-port range rather than the single data connection a working
	# conntrack helper would have marked RELATED. Narrow the two port
	# variables to limit that exposure.
	set_work_function "Setting up rules for Passive FTP over SSL/TLS ${role}"
	rule "${in}" action "$@" chain "${in}_${chain_base}" proto tcp \
		sport "${client_ports}" dport "${server_ports}" state ESTABLISHED,RELATED || return 1
	rule "${out}" reverse action "$@" chain "${out}_${chain_base}" proto tcp \
		sport "${client_ports}" dport "${server_ports}" state NEW,ESTABLISHED || return 1

	return 0
}