root / manifests / rules / ftp.pp @ 2ad7193b
Historique | Voir | Annoter | Télécharger (1,05 ko)
| 1 |
# @summary manage in ftp (with conntrack helper) |
|---|---|
| 2 |
# |
| 3 |
# @param enable_passive |
| 4 |
# Enable FTP passive mode support |
| 5 |
# |
| 6 |
# @param passive_ports |
| 7 |
# Set the FTP passive mode port range |
| 8 |
# |
| 9 |
class nftables::rules::ftp ( |
| 10 |
Boolean $enable_passive = true, |
| 11 |
Nftables::Port::Range $passive_ports = '10090-10100', |
| 12 |
) {
|
| 13 |
nftables::helper { 'ftp-standard':
|
| 14 |
content => ' type "ftp" protocol tcp;', |
| 15 |
} |
| 16 |
nftables::chain { 'PRE': }
|
| 17 |
nftables::rule {
|
| 18 |
'PRE-type': |
| 19 |
order => '01', |
| 20 |
content => 'type filter hook prerouting priority filter'; |
| 21 |
'PRE-policy': |
| 22 |
order => '02', |
| 23 |
content => 'policy accept'; |
| 24 |
'PRE-helper': |
| 25 |
order => '03', |
| 26 |
content => 'tcp dport 21 ct helper set "ftp-standard"'; |
| 27 |
} |
| 28 |
nftables::rule { 'default_in-ftp':
|
| 29 |
content => 'tcp dport 21 accept', |
| 30 |
} |
| 31 |
if $enable_passive {
|
| 32 |
nftables::rule { 'INPUT-ftp':
|
| 33 |
order => '10', |
| 34 |
content => "ct helper \"ftp\" tcp dport ${passive_ports} accept",
|
| 35 |
} |
| 36 |
} else {
|
| 37 |
nftables::rule { 'INPUT-ftp':
|
| 38 |
order => '10', |
| 39 |
content => 'ct helper "ftp" accept', |
| 40 |
} |
| 41 |
} |
| 42 |
} |