Tom Eastep wrote:
On 5/23/19 4:06 AM, obones wrote:
However, I don't see where I should place the call to "ipset add" so that an IP is added to the set when the control connection is established. I looked at the extension scripts page, but I could not see anything here.

What have I missed?


I would:

a) Make a copy of macro.FTP in your /etc/shorewall directory.
b) Modify that copy as follows:

Thanks, this put me on the right track, but the syntax uses a colon as the separator, not a comma. So, in the end, I ended up adding the following two lines to the /etc/shorewall/macro.FTP file:

    #ACTION                 SOURCE DEST PROTO DPORT
    DEL(FtpPassive:src)     - - tcp 21
    ADD(FtpPassive:src:600)  - - tcp 21

This way, I'm sure the timeout is reset every time a new connection is made by the same IP. I also had to make the initdone code a bit different, as it has to be written in Perl:

    # Create the set (hash:ip, 600 s default timeout); -exist makes the call idempotent.
    system "ipset -exist create FtpPassive hash:ip timeout 600";
    # $? is the raw wait status; the exit code of ipset is in its high byte.
    my $return_value = $? >> 8;
    # Return true (ipset exited 0) so Shorewall treats the script as successful.
    return(!$return_value);

With this and the rule already described, it works just fine and automatically closes the ports after a bit of inactivity.

Thanks a lot for your great help.

Regards




_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
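As an added example that is not part of the thread and not Shorewall's own code, the shell script below performs the check a practitioner would want after putting the macro.FTP and initdone changes above in place: it confirms that the set was created with the expected default timeout and that a given client's entry is present and counting down. The set name FtpPassive and the 600 s timeout are taken from the thread; the listing format is that printed by the `ipset list` command, and the sample listing embedded in the script is constructed, not a real capture. The parsers read the listing from stdin, so the same functions run offline against the sample and, via `check_live`, against the kernel set (which needs `ipset` and root).

```shell
#!/bin/sh
# Added example (not code from the thread or from Shorewall): verify from the
# shell that the FtpPassive set created by initdone has the expected default
# timeout and that a given client's entry is present and counting down.
# All checks parse `ipset list <set>` output read from stdin, so they run both
# against the live set (check_live) and against the constructed sample below.

SET_NAME=FtpPassive
EXPECTED_TIMEOUT=600

# Constructed sample of `ipset list FtpPassive` output; not a real capture.
SAMPLE_LISTING='Name: FtpPassive
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 256
References: 2
Number of entries: 2
Members:
192.0.2.10 timeout 587
198.51.100.7 timeout 12'

# Print the default timeout declared on the "Header:" line (stdin = listing).
set_default_timeout() {
    awk '/^Header:/ {
             for (i = 1; i <= NF; i++) if ($i == "timeout") { print $(i + 1); exit }
         }'
}

# Print the seconds left for member $1 (stdin = listing).
# Prints nothing and returns 1 when the address is not in the set.
member_timeout() {
    awk -v ip="$1" '
        in_members && $1 == ip { print $3; found = 1; exit }
        /^Members:/            { in_members = 1 }
        END                    { exit found ? 0 : 1 }'
}

# Return 0 when the listing on stdin declares EXPECTED_TIMEOUT as its default.
check_header() {
    [ "$(set_default_timeout)" = "$EXPECTED_TIMEOUT" ]
}

# Return 0 when member $1 is present with a remaining time in (0, EXPECTED_TIMEOUT].
check_member() {
    left=$(member_timeout "$1") || return 1
    [ "$left" -gt 0 ] && [ "$left" -le "$EXPECTED_TIMEOUT" ]
}

# Live check against the running kernel set (needs ipset and root).
# Usage: check_live 192.0.2.10
# Run it before and after opening a new FTP control connection from that
# address: the remaining time should jump back to (nearly) EXPECTED_TIMEOUT,
# which is what the DEL/ADD pair in macro.FTP is meant to guarantee.
check_live() {
    listing=$(ipset list "$SET_NAME") || { echo "set $SET_NAME not found" >&2; return 1; }
    printf '%s\n' "$listing" | check_header || { echo "unexpected default timeout" >&2; return 1; }
    left=$(printf '%s\n' "$listing" | member_timeout "$1") || { echo "$1 not in $SET_NAME" >&2; return 1; }
    echo "$1 in $SET_NAME, ${left}s left"
}

# Offline demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | check_header && echo "sample: default timeout is $EXPECTED_TIMEOUT s"
printf 'sample: 192.0.2.10 has %ss left\n' "$(printf '%s\n' "$SAMPLE_LISTING" | member_timeout 192.0.2.10)"
```

`member_timeout` returning 1 for an absent address is what makes the script usable in a loop over expected clients: a client that has gone idle for longer than the timeout simply disappears from the set, which is the behaviour the thread relies on to close the passive ports.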
