On 5/23/19 4:06 AM, obones wrote:
> Tom Eastep wrote:
>> Another approach would be to create an ipset with timeout, then add
>> source IPs to the ipset when the initial control connection is
>> established. You can then use the ipset to allow/deny the passive mode
>> connections.
>
> So, if I understand you correctly, I should first remove my FtpPassive
> action, then add this inside the initdone script:
>
>     ipset -exist create FtpPassive hash:ip timeout 600
>
> Then inside my rules file, I replace the existing FtpPassive line with
> this one:
>
>     ACCEPT net:+FtpPassive $FW tcp 50000-55000
>
> With this, any IP in the FtpPassive ipset will be allowed to connect to
> the 50000-55000 port range.
>
> However, I don't see where I should place the call to "ipset add" so
> that an IP is added to the set when the control connection is established.
> I looked at the extension scripts page, but I could not see anything there.
> What have I missed?
I would:
a) Make a copy of macro.FTP in your /etc/shorewall directory.
b) Modify that copy as follows:
# Shorewall -- /usr/share/shorewall/macro.FTP
#
# This macro handles FTP traffic.
#
###############################################################################
#ACTION                SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST  RATE  USER
ADD(FtpPassive,src)    -       -       tcp     21
?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER )
PARAM                  -       -       tcp     21      { helper=ftp }
?else
PARAM                  -       -       tcp     21
?endif
-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \   understand
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
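The following is an added example, not code from this thread, from Tom Eastep or from the Shorewall project: it renders the same approach (timed ipset, source IP recorded on the control connection, passive range opened only for members of the set) as plain ipset/iptables commands, so the mechanism behind the Shorewall rule and the modified macro can be seen directly. The function name `ftp_passive_rules`, the `run` wrapper, the INPUT-chain placement and the `--ctstate NEW` matches are assumptions of this example; Shorewall generates its own rules. One caveat worth keeping in mind when choosing this over the conntrack ftp helper: the set is keyed on source address only, so any host that has opened a control connection can reach the whole passive range until its entry expires, whereas the helper admits exactly the data port negotiated on the control channel.

```shell
#!/bin/sh
# Added example: ipset-with-timeout approach for passive FTP as plain
# ipset/iptables commands (an assumed hand translation of the Shorewall
# setup in the thread, not Shorewall's generated output).
# Commands are printed unless APPLY=1 is set, in which case they are run
# (requires root and the ipset/iptables binaries).

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ftp_passive_rules SET_NAME TIMEOUT_SECONDS LOW_PORT HIGH_PORT
ftp_passive_rules() {
    if [ "$#" -ne 4 ]; then
        echo "usage: ftp_passive_rules SET_NAME TIMEOUT LOW_PORT HIGH_PORT" >&2
        return 1
    fi
    set_name=$1 timeout=$2 lo=$3 hi=$4

    # Refuse bad input before touching the firewall: numeric values only,
    # ports within 1-65535 and LOW <= HIGH.
    case "$lo$hi$timeout" in
        *[!0-9]*) echo "timeout and ports must be numeric" >&2; return 1 ;;
    esac
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "bad passive port range $lo-$hi" >&2
        return 1
    fi

    # 1. Set of client addresses; each entry expires TIMEOUT seconds after
    #    it was last added (the initdone line from the thread).
    run ipset -exist create "$set_name" hash:ip timeout "$timeout"

    # 2. A new control connection to port 21 records the client address
    #    (what ADD(FtpPassive,src) does in the modified macro). SET is a
    #    non-terminating target, so a separate ACCEPT still admits port 21.
    run iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW \
        -j SET --add-set "$set_name" src
    run iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # 3. Passive data range is open only to addresses currently in the set
    #    (the "ACCEPT net:+FtpPassive $FW tcp 50000-55000" rule).
    run iptables -A INPUT -p tcp --dport "$lo:$hi" -m set --match-set "$set_name" src \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Dry run with the values used in the thread; set APPLY=1 to install them.
ftp_passive_rules FtpPassive 600 50000 55000
```

Running the script without `APPLY=1` prints the four commands, which is a convenient way to review the rule set before installing it on a host; the same function can be called from a Shorewall `initdone` or `started` extension script if the set should be created outside the macro.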