#-----------------------------------------------------------------------
# Copyright (C) 2000-2001, Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#-----------------------------------------------------------------------
# $Id: 850-ftppasv-clients,v 1.7 2001/10/17 23:08:56 jsmoriss Exp $
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept ports
#i# cluster
#n# ftppasv
#t# clients
#v# ports 1024:65535
#
#   |--------------------------------------------------------------------|
#d# Support passive mode FTP. Leave the 'accept' option empty unless you 
#d# really need it. Passive mode allows connecting to the port range you
#d# define, from any other high port. YOU SHOULD NOT ALLOW PASSIVE FTP 
#d# WITH THE DEFAULT PORT RANGE (1024:65535). If your FTP server (proftpd
#d# being my personal favorite) allows the definition of ports used in 
#d# passive mode, enter your selection in the 'ports' option.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

#--------------------------------------------------------------------
# FTP Passive (All High Ports)
#--------------------------------------------------------------------
# Passive mode FTP gives the client access to ALL of your high ports.
# The rules are placed last to give precedence to any DENYs on high
# ports.
#--------------------------------------------------------------------

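# Select the chain pair used by this module.  Without a cluster name the
# client's packets enter on $INCHAIN and leave on $OUTCHAIN; when
# CLUSTER_NAME is set the two are swapped.  Written as a plain if/else
# instead of the `test && { } || { }` form so the intent is explicit.
if [ -z "$CLUSTER_NAME" ]; then
	inchain="$INCHAIN"
	outchain="$OUTCHAIN"
else
	# NOTE(review): on a cluster member the chains are swapped; presumably
	# the traffic is seen from the opposite direction there -- confirm
	# against the framework that sets CLUSTER_NAME.
	inchain="$OUTCHAIN"
	outchain="$INCHAIN"
fi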

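# For every host listed under 'accept', allow the FTP control connection
# (server port ftp/21) and then one rule pair per entry in 'ports' (the
# passive data range).  Inbound rules admit connections from the client's
# unprivileged ports; outbound rules carry '! -y' so only non-SYN packets
# (replies) may leave -- the server never opens connections to the client.
#
# $INTOPT, $UNPRIVPORTS and $LOG are deliberately left unquoted: they are
# supplied by the framework and presumably hold option fragments that may
# be empty or span several words (an interface option, a port range, '-l').
# Single-token values ($host, $IPADDR, $port, chain names) are quoted.
for host in $(Option_Value accept $INTOPT ftppasv clients)
do
	echo "Accept $INTOPT $IPADDR FTP <- $host Pasv $LOG_MSG"

	# Control connection: client -> server:ftp, plus the non-SYN replies.
	ipchains -A "$inchain"  -j ACCEPT -p tcp      -s "$host" $UNPRIVPORTS -d "$IPADDR" ftp $LOG
	ipchains -A "$outchain" -j ACCEPT -p tcp ! -y -s "$IPADDR" ftp -d "$host" $UNPRIVPORTS $LOG

	# Data connections: one rule pair per passive port or range.  With the
	# default 'ports' value (1024:65535) this opens every high port of
	# $IPADDR to $host, which is why the module header warns against it;
	# the rules are appended (-A) so earlier DENYs still take precedence.
	for port in $(Option_Value ports $INTOPT ftppasv clients)
	do
		ipchains -A "$inchain"  -j ACCEPT -p tcp      -s "$host" $UNPRIVPORTS -d "$IPADDR" "$port" $LOG
		ipchains -A "$outchain" -j ACCEPT -p tcp ! -y -s "$IPADDR" "$port" -d "$host" $UNPRIVPORTS $LOG
	done
done
# Clean up the loop variables and chain selectors so they do not leak into
# the next module; 'port' was previously left behind.
unset host port inchain outchain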

