
#FHVER: 1:213

# --- FTP over SSL/TLS--------------------------------------------------------
# It uses less strict rules for incoming packets because ip_conntrack_ftp
# cannot correctly inspect them when the control channel is encrypted.
# Thanks to Terry Linhardt <linhardt swbell net> for the good explanation.

# Append this service to the list of services that are run in addition to
# the explicitly requested ones (presumably consumed by the firehol core
# when "all" is used — confirm there). A leading space is kept on purpose:
# the list is space-separated and may already hold other entries.
ALL_SHOULD_ALSO_RUN+=" ftp_ssl"

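#######################################
# Emit the rules for one FTP-over-SSL/TLS service instance.
#
# The FTP conntrack helper cannot inspect the encrypted control channel, so
# the data-channel rules below are less strict than conntrack-assisted FTP
# rules would be (see the note on the passive section).
#
# Globals (read):
#   DEFAULT_CLIENT_PORTS - port range used for the client side of a connection
#   LOCAL_CLIENT_PORTS   - port range used instead when work_cmd is "interface"
#                          and the range describes the local end
#   work_cmd             - "interface" selects LOCAL_CLIENT_PORTS as above
# Calls: set_work_function, rule (firehol core helpers, defined elsewhere)
# Arguments:
#   $1 - chain name suffix; rules are added to "in_$1" and "out_$1"
#   $2 - "client" or "server"; "client" swaps the in/out chains
#   $@ - remaining arguments are passed through to rule() after "action"
# Returns:
#   0 on success, 1 as soon as any rule() call fails
#######################################
rules_ftp_ssl() {
  local mychain="${1}"; shift
  local type="${1}"; shift

  # Chains are named from the server's point of view; a client definition
  # swaps them so that "in" means traffic towards the server.
  local in=in
  local out=out
  if [ "${type}" = "client" ]; then
    in=out
    out=in
  fi

  # "[ a -a b ]" is deprecated and ambiguous; two tests joined by && are not.
  local client_ports="${DEFAULT_CLIENT_PORTS}"
  if [ "${type}" = "client" ] && [ "${work_cmd}" = "interface" ]; then
    client_ports="${LOCAL_CLIENT_PORTS}"
  fi

  # For an explanation of how FTP connections work, see
  # http://slacksite.com/other/ftp.html

  # --- control channel ---------------------------------------------------
  # allow new and established incoming, and established outgoing
  # accept port ftp new connections
  set_work_function "Setting up rules for initial FTP over SSL/TLS connection ${type}"
  rule "${in}" action "$@" chain "${in}_${mychain}" proto tcp sport "${client_ports}" dport ftp state NEW,ESTABLISHED || return 1
  rule "${out}" reverse action "$@" chain "${out}_${mychain}" proto tcp sport "${client_ports}" dport ftp state ESTABLISHED || return 1

  # --- active FTP --------------------------------------------------------
  # send port ftp-data related connections
  set_work_function "Setting up rules for Active FTP over SSL/TLS ${type}"
  rule "${out}" reverse action "$@" chain "${out}_${mychain}" proto tcp sport "${client_ports}" dport ftp-data state ESTABLISHED,RELATED || return 1
  rule "${in}" action "$@" chain "${in}_${mychain}" proto tcp sport "${client_ports}" dport ftp-data state ESTABLISHED || return 1

  # --- passive FTP (the "hack") ------------------------------------------
  # Separate ranges for the client (c_) and server (s_) side of the data
  # connection. When working on an interface, the side this host plays
  # (presumably the local end) uses LOCAL_CLIENT_PORTS instead.
  local s_client_ports="${DEFAULT_CLIENT_PORTS}"
  local c_client_ports="${DEFAULT_CLIENT_PORTS}"
  if [ "${type}" = "client" ] && [ "${work_cmd}" = "interface" ]; then
    c_client_ports="${LOCAL_CLIENT_PORTS}"
  elif [ "${type}" = "server" ] && [ "${work_cmd}" = "interface" ]; then
    s_client_ports="${LOCAL_CLIENT_PORTS}"
  fi

  # accept high-ports related connections
  # also accept NEW packets for ftp-data
  # NOTE(review): the "${out}" rule accepts state NEW between two whole
  # high-port ranges rather than a single negotiated data port, because
  # conntrack cannot learn the port from the encrypted control channel.
  # This is a deliberately loose rule: any other service listening in the
  # matched range is potentially reachable through it, so keep
  # DEFAULT_CLIENT_PORTS / LOCAL_CLIENT_PORTS no wider than the FTP server's
  # passive range requires (confirm the exact direction against firehol's
  # rule() "reverse" handling).
  set_work_function "Setting up rules for Passive FTP over SSL/TLS ${type}"
  rule "${in}" action "$@" chain "${in}_${mychain}" proto tcp sport "${c_client_ports}" dport "${s_client_ports}" state ESTABLISHED,RELATED || return 1
  rule "${out}" reverse action "$@" chain "${out}_${mychain}" proto tcp sport "${c_client_ports}" dport "${s_client_ports}" state NEW,ESTABLISHED || return 1

  return 0
}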
 
design & coding: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin