
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-02-07  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Added check for CLUSTER_NAME and assoc. rules.
# 2000-12-06  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Initial module written for v5.1.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 3
#a# accept
#i# cluster novirtual
#n# ftppasv
#t# servers
#
#   |--------------------------------------------------------------------|
#d# Allow passive FTP data transfers initiated by local machines. Unless
#d# absolutely necessary, do not use "any/0". Some security issues have
#d# been raised when allowing outgoing connections to port 21 (used by FTP
#d# to login). Passive FTP also allows TCP connections from any local
#d# high-port to any remote high-port.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

# Add one pair of ACCEPT rules for every word Option_Value returns for
# the "accept ... ftppasv servers" option.
#
# Each pair covers TCP between $IPADDR and $host, with $UNPRIVPORTS given
# as the port on both ends:
#   - the rule with $host as source carries "! -y", so it matches only
#     packets that are not connection-opening SYNs; the remote side can
#     answer a connection but cannot start one through this rule.
#   - the rule with $IPADDR as source has no SYN restriction.
#
# NOTE(review): neither rule is tied to an existing FTP control session,
# so every entry in the server list opens $UNPRIVPORTS -> $UNPRIVPORTS
# towards that host. Keep the list as narrow as possible.
#
# Expansions are left unquoted as in the rest of the module; presumably
# $LOG may be empty or hold an ipchains flag -- confirm in the main script.
for host in $(Option_Value accept $INTOPT ftppasv servers)
do
	echo "Accept $INTOPT $IPADDR FTP Pasv -> $host FTP $LOG_MSG"
	if [ -z "$CLUSTER_NAME" ]
	then
		# No cluster name: $host-sourced rule goes on $INCHAIN,
		# $IPADDR-sourced rule on $OUTCHAIN.
		ipchains -A $INCHAIN -j ACCEPT -p tcp ! -y \
			-s $host $UNPRIVPORTS -d $IPADDR $UNPRIVPORTS $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p tcp \
			-s $IPADDR $UNPRIVPORTS -d $host $UNPRIVPORTS $LOG
	else
		# CLUSTER_NAME set: the same two rules are attached to the
		# opposite chains (presumably the chain roles are reversed
		# for cluster addresses -- TODO confirm).
		ipchains -A $OUTCHAIN -j ACCEPT -p tcp ! -y \
			-s $host $UNPRIVPORTS -d $IPADDR $UNPRIVPORTS $LOG
		ipchains -A $INCHAIN -j ACCEPT -p tcp \
			-s $IPADDR $UNPRIVPORTS -d $host $UNPRIVPORTS $LOG
	fi
done
# Do not leak the loop variable into whatever sources this module.
unset host

