Hello,
I'm using Shorewall on a machine where I'm running an FTP-TLS server.
I know FTP is an aging protocol, and I know that adding TLS on top of it
makes it impossible to use the connection tracking modules.
I am in the process of evaluating alternatives, but in the meantime I
have to make it work and I'm almost there.
Using events, I was able to open the passive port range for a given IP
when it connects to port 21.
Basically, I have added an action named FtpPassive to the
/etc/shorewall/actions file and I have created the
/etc/shorewall/action.FtpPassive file with this content:
#
# Shorewall FTP passive port opening action
#
?format 2
######################################################################################
#ACTION                          SOURCE  DEST    PROTO   DPORT
# Open the passive range to a source for 600 s after it has been seen on port 21
IfEvent(FtpPassive,ACCEPT,600)   -       -       tcp     50000:55000
# Record (count) every source that connects to the control port
SetEvent(FtpPassive,COUNT)       -       -       tcp     21
Then, inside the rules file, I have this:
FtpPassive net $FW tcp 21,50000-55000
FTP(ACCEPT) net $FW
with this default policy:
net all DROP info
This works quite well with the exception that events are never reset,
and so they are piling up in the shorewall show event FtpPassive output,
like this:
Shorewall 5.2.3.3 events at server - Wed May 22 11:44:49 CEST 2019
FtpPassive:
src=46.20.166.52 : 574.817, 573.259, 569.967, 568.419, 507.368,
503.641, 434.131, 212.628, 144.233, 78.521
To be clean, I would need to call the ResetEvent action at the
appropriate time, which to me is when the connection to port 21 is
closed by the client.
However, I could not find a way to call an action when a connection is
closed. Is this possible?
If yes, which file should I edit?
If not, is there another way to cleanup the events?
Regards
Olivier
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
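Added example (an editor's illustration, not code from Olivier's post and not Shorewall's own code). It shows the raw iptables "recent" rules that correspond to the two lines of action.FtpPassive, including the --reap option that lets the kernel expire entries older than the 600 s window, and a small parser over constructed "shorewall show event" output that picks out the sources whose newest hit is already older than the window and prints the /proc/net/xt_recent writes that would drop them. Assumptions, all to be checked on the host: that Shorewall compiles SetEvent/IfEvent to an xt_recent list named after the event (FtpPassive), that the ages printed by "shorewall show event" are seconds since each hit with the newest first, and that net-fw is the chain holding the net->$FW rules; the sample output is constructed.

```shell
#!/bin/sh
# Added illustration, not code from the post or from Shorewall.
# Assumptions (verify on the host):
#   - Shorewall compiles SetEvent/IfEvent to iptables "recent" match rules and
#     names the kernel list after the event, so it shows up as
#     /proc/net/xt_recent/FtpPassive.
#   - "shorewall show event NAME" prints, per source, the age in seconds of
#     each hit, newest first.
#   - CHAIN is where Shorewall places net->$FW rules; adjust to your build.

EVENT=FtpPassive
WINDOW=600              # must match the IfEvent duration in action.FtpPassive
PASV_RANGE=50000:55000
CHAIN=net-fw            # assumption, see above

# Raw iptables equivalent of the two action lines, printed rather than applied.
# --reap makes the kernel purge entries older than --seconds each time the
# rule is evaluated, which is the cleanup the event list otherwise never gets.
gen_rules() {
    printf '%s\n' \
      "iptables -A $CHAIN -p tcp --dport $PASV_RANGE -m recent --name $EVENT --rcheck --seconds $WINDOW --reap -j ACCEPT" \
      "iptables -A $CHAIN -p tcp --dport 21 -m recent --name $EVENT --set"
}

# Read "shorewall show event" output on stdin and print the sources whose
# newest hit is already older than the window: the range is closed for them
# anyway, so these are the entries worth purging.  Usage: stale_events SECONDS
stale_events() {
    awk -v w="$1" '
        function emit() {
            if (ip != "" && newest != "" && newest + 0 > w + 0) print ip
            ip = ""; newest = ""
        }
        /^[A-Za-z][A-Za-z0-9_]*:$/ { emit(); next }      # event name header
        /^src=/ {                                         # "src=IP : a, b, c,"
            emit()
            ip = substr($1, 5)
            $1 = ""; $2 = ""
        }
        ip != "" {                                        # ages, possibly wrapped
            gsub(/,/, " ")
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+(\.[0-9]+)?$/ && (newest == "" || $i + 0 < newest + 0))
                    newest = $i
        }
        END { emit() }'
}

# Turn a list of sources (one per line, e.g. from stale_events) into the proc
# writes that remove them from the kernel list; writing "/" instead of an
# address flushes the whole list.  Commands are printed, not executed.
purge_cmds() {
    while read -r ip; do
        if [ -n "$ip" ]; then
            printf 'echo "-%s" > /proc/net/xt_recent/%s\n' "$ip" "$EVENT"
        fi
    done
}

# Constructed sample in the format of the output quoted in the post.
SAMPLE='Shorewall 5.2.3.3 events at server - Wed May 22 11:44:49 CEST 2019
FtpPassive:
src=192.0.2.10 : 574.817, 573.259, 569.967, 568.419,
507.368, 503.641
src=198.51.100.7 : 12.004, 601.330
src=203.0.113.5 : 700.250, 950.100'

if [ "${1:-}" = demo ]; then
    gen_rules
    printf '%s\n' "$SAMPLE" | stale_events "$WINDOW" | purge_cmds
fi
```

Run it as `sh script.sh demo` to print the two iptables rules and the purge commands for the constructed sample; nothing in it touches the firewall. Before relying on the proc writes, confirm the list name with `ls /proc/net/xt_recent/`: if the event is kept under a different name the writes silently do nothing useful.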