#-----------------------------------------------------------------------
# Copyright (C) 2000-2001, Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#-----------------------------------------------------------------------
# $Id: 310-ftpactv-clients,v 1.4 2001/10/17 23:08:03 jsmoriss Exp $
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept
#i# cluster
#n# ftpactv
#t# clients
#
#   |--------------------------------------------------------------------|
#d# Accept active FTP connections from these clients.
#d#
#d# FTP servers can generally be configured (internally or by using tcp 
#d# wrappers) to accept connections from specific hosts. You should take
#d# advantage of this added security when possible.
#d#
#d# Using "any/0" here is acceptable only if you control host access in
#d# the FTP server itself (deny all, then allow only specific hosts to
#d# connect).
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

# Pick which chain plays the "in" and "out" role for this module.
# With CLUSTER_NAME empty or unset the chains are used as named; with a
# cluster name set they are swapped.
if [ -z "$CLUSTER_NAME" ]
then
	inchain="$INCHAIN"
	outchain="$OUTCHAIN"
else
	inchain="$OUTCHAIN"
	outchain="$INCHAIN"
fi

# Add four ACCEPT rules for every client spec returned by Option_Value.
#
# ipchains filters statelessly, so each direction of each channel needs
# its own rule. "-y" matches connection-opening SYN packets; "! -y"
# therefore limits a rule to packets of already-opened connections.
#
# Expansions in the ipchains calls are deliberately left unquoted so that
# a variable can contribute zero or several arguments (presumably $LOG and
# $UNPRIVPORTS rely on this -- confirm against the main script). The
# consequence is that client specs are also word-split and glob-expanded,
# so the configured values must be plain host/mask specs.
for host in $(Option_Value accept $INTOPT ftpactv clients)
do
	echo "Accept $INTOPT $IPADDR FTP <- $host FTP Actv $LOG_MSG"

	# Control channel: the client may open a connection to the ftp port
	# (SYN allowed inbound) ...
	ipchains -A $inchain -j ACCEPT -p tcp \
		-s $host $UNPRIVPORTS -d $IPADDR ftp $LOG
	# ... and the server may only answer on it (no SYN outbound).
	ipchains -A $outchain -j ACCEPT -p tcp ! -y \
		-s $IPADDR ftp -d $host $UNPRIVPORTS $LOG

	# Data channel (active mode): the client may only answer (no SYN
	# inbound) ...
	ipchains -A $inchain -j ACCEPT -p tcp ! -y \
		-s $host $UNPRIVPORTS -d $IPADDR ftp-data $LOG
	# ... because the server opens the connection from its ftp-data port.
	# NOTE(review): this lets the ftp-data source port open connections
	# to any port in $UNPRIVPORTS on the listed clients, so keep the
	# client list as narrow as the FTP server's own access control.
	ipchains -A $outchain -j ACCEPT -p tcp \
		-s $IPADDR ftp-data -d $host $UNPRIVPORTS $LOG
done

# Do not leak the module's working variables into later modules.
unset host inchain outchain

