On 5/22/19 2:58 AM, obones wrote:
> Hello,
> 
> I'm using Shorewall on a machine where I'm running an FTP-TLS server.
> I know FTP is an aging protocol, and I know that adding TLS on top of it makes it impossible to use the connection tracking modules. I am in the process of evaluating alternatives, but in the meantime I have to make it work and I'm almost there.
> 
> Using events, I was able to open the passive port range for a given IP when it connects to port 21. Basically, I have added an action named FtpPassive to the /etc/shorewall/actions file and I have created the /etc/shorewall/action.FtpPassive file with this content:
> 
> #
> #  Shorewall Ftp passive port opening action
> #
> ?format 2
> ######################################################################################
> #ACTION                         SOURCE DEST    PROTO   DPORT
> IfEvent(FtpPassive,ACCEPT,600)  - -       tcp     50000:55000
> SetEvent(FtpPassive,COUNT)      - -       tcp     21
> 
> then inside the rules file, I have this:
> 
> FtpPassive      net             $FW tcp     21,50000-55000
> FTP(ACCEPT)     net             $FW
> 
> with this default policy:
> 
> #SOURCE  DEST  POLICY  LOGLEVEL
> net      all   DROP    info
> 
> This works quite well with the exception that events are never reset, and so they are piling up in the shorewall show event FtpPassive output, like this:
> 
>      Shorewall 5.2.3.3 events at server - mer. mai 22 11:44:49 CEST 2019
> 
>      FtpPassive:
>        src=46.20.166.52 :  574.817, 573.259, 569.967, 568.419, 507.368, 503.641, 434.131, 212.628, 144.233, 78.521
> 
> To be clean, I would need to call the ResetEvent action at the appropriate time, which to me is when the connection to port 21 is closed by the client. However, I could not find a way to call an action when a connection is closed. Is this possible?

No, unfortunately.

> If yes, which file should I edit?
> If not, is there another way to cleanup the events?

Another approach would be to create an ipset with timeout, then add source IPs to the ipset when the initial control connection is established. You can then use the ipset to allow/deny the passive mode connections.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
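The ipset-with-timeout approach Tom describes, written out as an added example that is not part of this thread and not Shorewall's own code. It shows the raw ipset/iptables rules that the scheme boils down to (Shorewall's rules file has its own ADD action and +setname SOURCE syntax for the same thing; see the shorewall-rules manpage). The passive range 50000:55000 and the 600-second lifetime come from obones's FtpPassive action; the set name ftp_clients, the use of the INPUT chain and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: the ipset/iptables
# equivalent of "add the client to a timed ipset when the control
# connection opens, and match the set for passive-mode connections".
# Assumed names/values: set ftp_clients, chain INPUT, timeout 600 s.
SET_NAME="${SET_NAME:-ftp_clients}"
PASV_RANGE="${PASV_RANGE:-50000:55000}"
TIMEOUT="${TIMEOUT:-600}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute the command, or only print it when DRY_RUN=1 so the rule
# set can be reviewed before it touches the live firewall.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_ipset_rules: the whole scheme, in the order the packets hit it.
ftp_ipset_rules() {
    # 1. A hash:ip set whose entries expire on their own after TIMEOUT
    #    seconds; the kernel does the cleanup that the event mechanism
    #    cannot, because there is no hook for "connection closed".
    run ipset -exist create "$SET_NAME" hash:ip family inet timeout "$TIMEOUT"

    # 2. A NEW control connection to port 21 records the client's source
    #    address. SET is a non-terminating target, so the packet goes on to
    #    the next rule; --exist refreshes the timer if the entry is already
    #    there (a client reconnecting within the window).
    run iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW \
        -j SET --add-set "$SET_NAME" src --exist

    # 3. Accept the control connection itself (what FTP(ACCEPT) does in the
    #    Shorewall rules file).
    run iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # 4. Passive data connections are accepted only while the client's
    #    address is still in the set; anyone else falls through to the
    #    chain's DROP policy. ESTABLISHED/RELATED traffic is assumed to be
    #    accepted earlier in the chain, as Shorewall does for you.
    run iptables -A INPUT -p tcp --dport "$PASV_RANGE" \
        -m conntrack --ctstate NEW -m set --match-set "$SET_NAME" src -j ACCEPT
}

# Usage:  DRY_RUN=1 sh ftp_ipset.sh apply   (print the rules)
#         sh ftp_ipset.sh apply             (apply them, as root)
case "${1:-}" in
    apply) ftp_ipset_rules ;;
esac
```

The point of the timeout is that it replaces the ResetEvent call obones was looking for: an address that has not opened a new control connection for 600 seconds simply disappears from the set, and `ipset list ftp_clients` shows only the clients currently allowed onto the passive range. A client whose control session outlives the window will have its next PASV connection dropped unless it reconnects, so size the timeout to the server's idle limit rather than to a typical transfer.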


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users