obones wrote:
> Tom Eastep wrote:
>> On 5/23/19 4:06 AM, obones wrote:
>>> However, I don't see where I should place the call to "ipset add" so
>>> that an IP is added to the set when the control connection is
>>> established.
>>> I looked at the extension scripts page, but I could not see anything
>>> here.
>>> What have I missed?
>> I would:
>> a) Make a copy of macro.FTP in your /etc/shorewall directory.
>> b) Modify that copy as follows:
> Thanks, this put me on the right track, but the syntax uses a colon as
> the separator, not a comma. So, in the end, I ended up adding the
> following two lines to the /etc/shorewall/macro.FTP file:
>
> #ACTION                    SOURCE  DEST  PROTO  DPORT
> DEL(FtpPassive:src)        -       -     tcp    21
> ADD(FtpPassive:src:600)    -       -     tcp    21
>
> This way, I'm sure the timeout is reset every time a new connection is
> made by the same IP.
> And I also had to make the initdone code a bit different as it has to
> be written in Perl:
>
> # create the set if it is not there yet; -exist makes the call idempotent
> system "ipset -exist create FtpPassive hash:ip timeout 600";
> my $return_value = $? >> 8;   # exit status of the ipset command
> return(!$return_value);       # true when ipset exited with status 0
>
> With this and the rule already described, it works just fine and
> closes the ports automatically after a bit of inactivity.
One more thing to change:
The creation of the ipset should also be done in the init script because
the startup process tries to call iptables-restore with a reference to
the existing ipsets.
As initdone is only called after this, Shorewall fails to start and
stays in the "stopped" state.
I thus added the same call to ipset create inside my init script and it
now works fine.
I stumbled onto this after a power failure that led to the restart of
the computer where Shorewall is running.
Regards
Olivier
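The following is an added example for the init-script side of what Olivier describes; it is not code from the thread or from Shorewall. It is a small, idempotent helper intended for /etc/shorewall/init, which runs before the generated ruleset is restored, so the set already exists when iptables-restore references it. It also handles the one case a plain `ipset -exist create` does not cover: `-exist` only masks the "set already exists" error when the parameters are identical, so a changed timeout is applied by creating a replacement set and swapping it in, because `destroy` is refused while the old ruleset still references the set. The set name FtpPassive, the type hash:ip and the 600-second timeout are taken from the thread; the function names, the FTP_SET_* variables and the FTP_SET_APPLY guard are this example's own, and the parsing relies on the `Header:` line printed by `ipset list -t`.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or from Shorewall):
# idempotent creation of the FTP passive-client ipset for /etc/shorewall/init.
# Assumptions: set name FtpPassive, type hash:ip, timeout 600 (as in the thread);
# the function/variable names below are this example's own.

FTP_SET=${FTP_SET:-FtpPassive}
FTP_SET_TYPE=${FTP_SET_TYPE:-hash:ip}
FTP_SET_TIMEOUT=${FTP_SET_TIMEOUT:-600}
IPSET=${IPSET:-ipset}

# Read `ipset list -t NAME` output on stdin and print the configured timeout,
# taken from a line such as
#   Header: family inet hashsize 1024 maxelem 65536 timeout 600
# Prints nothing when the header carries no timeout.
parse_set_timeout() {
    sed -n 's/^Header:.*[[:space:]]timeout[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p'
}

# True if the set exists (a terse listing succeeds).
ftp_set_exists() {
    "$IPSET" list -t "$FTP_SET" >/dev/null 2>&1
}

# Timeout currently configured on the live set; empty if there is none.
ftp_set_timeout() {
    "$IPSET" list -t "$FTP_SET" 2>/dev/null | parse_set_timeout
}

# Make sure the set exists with the wanted parameters:
#  - missing: create it (the boot-after-power-failure case from the thread)
#  - present with the same timeout: nothing to do (the normal restart path)
#  - present with another timeout: `-exist` does not help here and `destroy`
#    fails while the old ruleset references the set, so create a replacement,
#    `swap` it under the live name and drop the old, now unreferenced, set.
#    The swap empties the set, which only forgets recently active FTP clients.
ensure_ftp_set() {
    if ! ftp_set_exists; then
        "$IPSET" create "$FTP_SET" "$FTP_SET_TYPE" timeout "$FTP_SET_TIMEOUT"
        return $?
    fi
    have_timeout=$(ftp_set_timeout)
    if [ "$have_timeout" = "$FTP_SET_TIMEOUT" ]; then
        return 0
    fi
    tmp_set="${FTP_SET}_new"
    "$IPSET" -exist create "$tmp_set" "$FTP_SET_TYPE" timeout "$FTP_SET_TIMEOUT" || return 1
    "$IPSET" swap "$tmp_set" "$FTP_SET" || return 1
    "$IPSET" destroy "$tmp_set"
}

# In /etc/shorewall/init, call ensure_ftp_set directly. The guard keeps the
# live ipset untouched when this file is merely sourced for testing.
if [ "${FTP_SET_APPLY:-0}" = 1 ]; then
    ensure_ftp_set
fi
```

This covers only the shell side; the thread keeps the Perl `initdone` script as well, and that can stay as posted. If the timeout in the macro's ADD rule is changed, change FTP_SET_TIMEOUT here too, otherwise entries added by the rule and the set's default will disagree.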
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users