Tom Eastep wrote:
> Another approach would be to create an ipset with timeout, then add
> source IPs to the ipset when the initial control connection is
> established. You can then use the ipset to allow/deny the passive mode
> connections.

So, if I understand you correctly, I should first remove my FtpPassive
action, then add this inside the initdone script:
ipset -exist create FtpPassive hash:ip timeout 600
Then inside my rules file, I replace the existing FtpPassive line with
this one:
ACCEPT net:+FtpPassive $FW tcp 50000-55000
With this, any IP in the FtpPassive ipset will be allowed to connect to
the 50000-55000 port range.
However, I don't see where I should place the call to "ipset add" so
that an IP is added to the set when the control connection is established.
I looked at the extension scripts page, but I could not see anything here.
What have I missed?
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
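The ipset-with-timeout mechanism discussed above, expressed as plain ipset/iptables commands (an added example, not code from the thread or from Shorewall; it does not show Shorewall's own syntax for the "add on control connection" step). The set name, 600 s timeout and 50000-55000 range are taken from the thread; the dry-run wrapper and the use of the netfilter SET target are assumptions.

```shell
#!/bin/sh
# Added example: what the netfilter rules need to do for the scheme
# described in the thread. Constructed values from the thread; the
# wrapper and defaults are assumptions, not Shorewall configuration.
SET_NAME="${SET_NAME:-FtpPassive}"
TIMEOUT="${TIMEOUT:-600}"           # seconds an entry lives after last refresh
PASSIVE_RANGE="${PASSIVE_RANGE:-50000:55000}"

# Emit the rule set as text so it can be reviewed before being applied.
# 1. Create the set with a default timeout (must exist before any
#    iptables rule references it, hence creating it early, e.g. initdone).
# 2. On a NEW control connection to port 21, add the client's source IP;
#    --exist refreshes the timeout if the entry is already present.
# 3. Accept NEW connections to the passive range only from set members.
#    Anything else in that range falls through to the chain's policy.
ftp_passive_rules() {
    cat <<EOF
ipset -exist create $SET_NAME hash:ip timeout $TIMEOUT
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j SET --add-set $SET_NAME src --exist
iptables -A INPUT -p tcp --dport $PASSIVE_RANGE -m set --match-set $SET_NAME src -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them
# with sh -e so a failing ipset/iptables call stops the sequence.
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        ftp_passive_rules
    else
        ftp_passive_rules | sh -e
    fi
}

apply_rules
```

Entries expire 600 s after the last refresh, so a client whose control connection is idle longer than that loses access to the passive range until it reconnects to port 21.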