#FHVER: 1:213
# --- FTP over SSL/TLS--------------------------------------------------------
# it uses less strict rules about incoming packets because ip_conntrack_ftp
# can't correctly inspect incoming packets
# thanks to Terry Linhardt <linhardt swbell net> for the good explanation
# Append this service's name to the space-separated list of services
# that should also be run; the list may be empty before this line.
ALL_SHOULD_ALSO_RUN="$ALL_SHOULD_ALSO_RUN ftp_ssl"
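#######################################
# Emit the firewall rules for an FTP-over-SSL/TLS service.
# Because the control channel is encrypted, ip_conntrack_ftp cannot read the
# PORT/PASV exchange, so the data channel cannot be tracked as RELATED the
# way plain FTP is. The last rule pair therefore accepts NEW connections
# between the two high-port ranges outright (the "Passive FTP hack"). That
# is much wider than the plain-FTP helper: keep the FTP server's passive
# port range small and set DEFAULT_CLIENT_PORTS / LOCAL_CLIENT_PORTS to
# match so the opened range stays narrow.
# Globals:   DEFAULT_CLIENT_PORTS, LOCAL_CLIENT_PORTS (read)
#            work_cmd (read; "interface" selects LOCAL_CLIENT_PORTS for the
#            local side)
# Arguments: $1 - chain name suffix
#            $2 - "client" or "server"
#            $@ - remaining words, passed through as the action to 'rule'
# Outputs:   calls set_work_function and rule (provided by firehol core)
# Returns:   0 on success, 1 on the first failing 'rule' call
#######################################
rules_ftp_ssl() {
    local mychain="${1}"; shift
    local type="${1}"; shift

    # Direction of the control connection: a client initiates outbound, a
    # server receives inbound. Swapping in/out keeps the rule bodies
    # identical for both roles.
    local in=in
    local out=out
    if [ "${type}" = "client" ]; then
        in=out
        out=in
    fi

    # Source ports of the control channel: interface-level client rules use
    # the local host's own port range, everything else the default range.
    local client_ports="${DEFAULT_CLIENT_PORTS}"
    if [ "${type}" = "client" ] && [ "${work_cmd}" = "interface" ]; then
        client_ports="${LOCAL_CLIENT_PORTS}"
    fi

    # For an explanation of how FTP connections work, see
    # http://slacksite.com/other/ftp.html
    # ----------------------------------------------------------------------
    # Control channel (port ftp): NEW and ESTABLISHED one way, ESTABLISHED
    # only on the reverse rule.
    set_work_function "Setting up rules for initial FTP over SSL/TLS connection ${type}"
    rule "${in}" action "$@" chain "${in}_${mychain}" proto tcp sport "${client_ports}" dport ftp state NEW,ESTABLISHED || return 1
    rule "${out}" reverse action "$@" chain "${out}_${mychain}" proto tcp sport "${client_ports}" dport ftp state ESTABLISHED || return 1

    # Active FTP: port ftp-data connections are accepted as ESTABLISHED,RELATED
    # on the reverse rule and ESTABLISHED only on the forward rule.
    set_work_function "Setting up rules for Active FTP over SSL/TLS ${type}"
    rule "${out}" reverse action "$@" chain "${out}_${mychain}" proto tcp sport "${client_ports}" dport ftp-data state ESTABLISHED,RELATED || return 1
    rule "${in}" action "$@" chain "${in}_${mychain}" proto tcp sport "${client_ports}" dport ftp-data state ESTABLISHED || return 1

    # ----------------------------------------------------------------------
    # A hack for Passive FTP only.
    # Whichever side is the local interface uses LOCAL_CLIENT_PORTS for its
    # own high ports; the remote side keeps the default range.
    local s_client_ports="${DEFAULT_CLIENT_PORTS}"
    local c_client_ports="${DEFAULT_CLIENT_PORTS}"
    if [ "${work_cmd}" = "interface" ]; then
        case "${type}" in
            client) c_client_ports="${LOCAL_CLIENT_PORTS}" ;;
            server) s_client_ports="${LOCAL_CLIENT_PORTS}" ;;
        esac
    fi

    # Passive FTP: conntrack cannot mark the encrypted PASV data connection
    # as RELATED, so NEW packets between the client high-port range and the
    # server high-port range are accepted on the reverse rule. This is the
    # broad exposure described in the header comment.
    set_work_function "Setting up rules for Passive FTP over SSL/TLS ${type}"
    rule "${in}" action "$@" chain "${in}_${mychain}" proto tcp sport "${c_client_ports}" dport "${s_client_ports}" state ESTABLISHED,RELATED || return 1
    rule "${out}" reverse action "$@" chain "${out}_${mychain}" proto tcp sport "${c_client_ports}" dport "${s_client_ports}" state NEW,ESTABLISHED || return 1
    return 0
}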