##    ftp.pm: Fwctl service module to handle the ftp protocol.##    This file is part of Fwctl.##    Author: Francis J. Lacoste <francis@iNsu.COM>##    Copyright (c) 1999,2000 iNsu Innovations Inc.##    This program is free software; you can redistribute it and/or modify#    it under the terms of the GNU General Public License as published by#    the Free Software Foundation; either version 2 of the License, or#    (at your option) any later version.#package Fwctl::Services::ftp;use strict;use Fwctl::RuleSet qw(:tcp_rulesets :ip_rulesets :masq :ports);use IPChains;use Carp;sub new {  my $proto = shift;  my $class = ref $proto || $proto;  bless { pasv_ports	=> UNPRIVILEGED_PORTS,	  pasv		=> 1,	  port		=> 1,	  data_port	=> "ftp-data",	  ctrl_port	=> "ftp",	}, $class;}sub prototypes {  my ($self,$target,$options) = @_;  # Build prototypes  my $pasv_ports = $options->{pasv_ports} || $self->{pasv_ports};  my $ctrl_port  = $options->{ctrl_port}  || $self->{ctrl_port};  my $data_port	 = $options->{data_port}  || $self->{data_port};  (   IPChains->new(		 Rule	    => $target,		 Prot	    => 'tcp',		 SourcePort => UNPRIVILEGED_PORTS,		 DestPort   => $ctrl_port,		 %{$options->{ipchains}},		),   IPChains->new(		 Rule	    => $target,		 Prot	    => 'tcp',		 SourcePort => UNPRIVILEGED_PORTS,		 DestPort   => $pasv_ports,		 %{$options->{ipchains}},		),   IPChains->new(		 Rule	    => $target,		 Prot	    => 'tcp',		 SourcePort => $data_port,		 DestPort   => UNPRIVILEGED_PORTS,		 %{$options->{ipchains}},		),  );}sub block_rules {  my $self = shift;  my ( $target, $src, $src_if, $dst, $dst_if, $options ) = @_;  my $do_pasv = $options->{pasv};  $do_pasv = $self->{pasv} unless defined $do_pasv;  my $do_port = $options->{port};  $do_port = $self->{pasv} unless defined $do_port;  my ($ftp,$pasv,$port) = $self->prototypes( $target, $options );  block_tcp_ruleset( $ftp, $src, $src_if, $dst, $dst_if );  if ( $do_pasv ) {    block_tcp_ruleset( $pasv, $src, $src_if, $dst, $dst_if );  }  if ($do_port ) {    block_tcp_ruleset( $port, $dst, $dst_if, $src, $src_if  );  }}sub accept_rules {  my $self = shift;  my ( $target, $src, $src_if, $dst, $dst_if, $options ) = @_;  my $do_pasv = $options->{pasv};  $do_pasv = $self->{pasv} unless defined $do_pasv;  my $do_port = $options->{port};  $do_port = $self->{pasv} unless defined $do_port;  my ($ftp,$pasv,$port) = $self->prototypes( $target, $options );  my $masq = defined $options->{portfw} ? PORTFW :    $options->{masq} ? MASQ : NOMASQ;  accept_tcp_ruleset( $ftp, $src, $src_if, $dst, $dst_if,		      $masq, $options->{portfw} );  if ( $do_pasv ) {      accept_tcp_ruleset( $pasv, $src, $src_if, $dst, $dst_if,			  $masq, $options->{portfw} );  }  if ( $do_port ) {      if ( $masq & PORTFW ) {	  # We must portfw the ACK and not SYN. Thats why we must roll	  # our own	  accept_ip_ruleset( $port, $dst, $dst_if, $src, $src_if,			     UNPORTFW, $options->{portfw} );	  $port->attribute( 'SYN',  '!' );	  my $src_port = $port->attribute( 'SourcePort' );	  my $dst_port = $port->attribute( 'DestPort' );	  $port->attribute( 'DestPort',	    $src_port );	  $port->attribute( 'SourcePort',   $dst_port );	  accept_ip_ruleset( $port, $src, $src_if, $dst, $dst_if,			     PORTFW, $options->{portfw} );      } elsif ( $masq & MASQ ) {	  # The data ports destination were rewritten.	  accept_ip_ruleset( $port, $dst, $dst_if, $src, $src_if, UNMASQ );	  $port->attribute( 'SYN',  '!' );	  my $src_port = $port->attribute( 'SourcePort' );	  my $dst_port = $port->attribute( 'DestPort' );	  $port->attribute( 'DestPort',	    $src_port );	  $port->attribute( 'SourcePort',   $dst_port );	  accept_ip_ruleset( $port, $src, $src_if, $dst, $dst_if, MASQ );	  # Load the necessary kernel module.	  system ( "/sbin/modprobe", "ip_masq_ftp" ) == 0	    or carp __PACKAGE__, ": couldn't load ip_masq_ftp: $?\n";      } else {	  accept_tcp_ruleset( $port, $dst, $dst_if, $src, $src_if );      }  }}sub account_rules {  my $self = shift;  my ( $target, $src, $src_if, $dst, $dst_if, $options ) = @_;  my $do_pasv = $options->{pasv};  $do_pasv = $self->{pasv} unless defined $do_pasv;  my $do_port = $options->{port};  $do_port = $self->{pasv} unless defined $do_port;  my ($ftp,$pasv,$port) = $self->prototypes( $target, $options );  my $masq = defined $options->{portfw} ? PORTFW :    $options->{masq} ? MASQ : NOMASQ;  acct_tcp_ruleset( $ftp, $src, $src_if, $dst, $dst_if, $masq );  if ( $do_pasv ) {      acct_tcp_ruleset( $pasv,	$src, $src_if, $dst, $dst_if, $masq );  }  if ( $do_port ) {      if ( $masq & PORTFW ) {	  # We must portfw the ACK and not SYN. Thats why we must roll	  # our own	  acct_ip_ruleset( $port, $dst, $dst_if, $src, $src_if,			     UNPORTFW, $options->{portfw} );	  $port->{SYN} = '!';	  my $src_port = $port->attribute( 'SourcePort' );	  my $dst_port = $port->attribute( 'DestPort' );	  $port->attribute( 'DestPort',	    $src_port );	  $port->attribute( 'SourcePort',   $dst_port );	  acct_ip_ruleset( $port, $src, $src_if, $dst, $dst_if,			     PORTFW, $options->{portfw} );      } elsif ( $masq & MASQ ) {	  # The data ports destination were rewritten. 	  acct_ip_ruleset( $port, $dst, $dst_if, $src, $src_if, UNMASQ );	  $port->attribute( 'SYN',  '!' );	  my $src_port = $port->attribute( 'SourcePort' );	  my $dst_port = $port->attribute( 'DestPort' );	  $port->attribute( 'DestPort',	    $src_port );	  $port->attribute( 'SourcePort',   $dst_port );	  acct_ip_ruleset( $port, $src, $src_if, $dst, $dst_if, MASQ );      } else {	  acct_tcp_ruleset( $port, $dst, $dst_if, $src, $src_if,			    $masq );      }  }}sub valid_options {  my  $self = shift;  ( "ctrl_port=s", "data_port=s", "pasv_ports=s", "pasv!", "port!" );}1;=pod=head1 NAMEFwctl::Services::ftp - Fwctl module to handle the FTP service.=head1 SYNOPSIS    accept   ftp -src INTERNAL_NET -dst INTERNET -noport -masq    accept   ftp -src PROXY_SERVER -dst INTERNET -noport --account    accept   ftp -src INTERNET -d FTP_SERVER -noport    accept   ftp -src INTERNAL_NET -dst INT_IP --ctrl_port hylafax=head1 DESCRIPTIONThe ftp module is used to handle the FTP protocol. By default ithandles both PORT and PASV based protocol. If maquerading is asked for,it also loads the proper kernel module.=head1 OPTIONSIn additions to the standard options it takes the following ones :=over=item --port or --noportSets whether rules for the PORT part of the FTP protocol will be added.=item --pasv or --nopasvSets whether rules for the PASV part of the FTP protocol will be added.=item --pasv_portsSets the port accepted for PASV connections. Defaults to UNPRIVILEGED_PORTS.=item --ctrl_portSets the port used for the control connection. This is the port on whichthe ftp server listens. Defaults to ftp.=item --data_portSets the port for the data connection. This is the port from which PORTconnections of the server originates.=back=head1 AUTHORFrancis J. Lacoste <francis.lacoste@iNsu.COM>=head1 COPYRIGHTCopyright (c) 1999,2000 iNsu Innovations Inc.All rights reserved.This program is free software; you can redistribute it and/or modifyit under the terms of the GNU General Public License as published bythe Free Software Foundation; either version 2 of the License, or(at your option) any later version.=head1 SEE ALSOfwctl(8) Fwctl(3) Fwctl::RuleSet(3)=cut