Puppet Class: nftables::rules::ftp

Defined in:
manifests/rules/ftp.pp

Summary

manage in ftp (with conntrack helper)

Overview

Parameters:

  • enable_passive (Boolean) (defaults to: true)

    Enable FTP passive mode support

  • passive_ports (Nftables::Port::Range) (defaults to: '10090-10100')

    Set the FTP passive mode port range



9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
# File 'manifests/rules/ftp.pp', line 9

class nftables::rules::ftp (
  Boolean $enable_passive = true,
  Nftables::Port::Range $passive_ports = '10090-10100',
) {
  nftables::helper { 'ftp-standard':
    content => ' type "ftp" protocol tcp;',
  }
  nftables::chain { 'PRE': }
  nftables::rule {
    'PRE-type':
      order   => '01',
      content => 'type filter hook prerouting priority filter';
    'PRE-policy':
      order   => '02',
      content => 'policy accept';
    'PRE-helper':
      order   => '03',
      content => 'tcp dport 21 ct helper set "ftp-standard"';
  }
  nftables::rule { 'default_in-ftp':
    content => 'tcp dport 21 accept',
  }
  if $enable_passive {
    nftables::rule { 'INPUT-ftp':
      order   => '10',
      content => "ct helper \"ftp\" tcp dport ${passive_ports} accept",
    }
  } else {
    nftables::rule { 'INPUT-ftp':
      order   => '10',
      content => 'ct helper "ftp" accept',
    }
  }
}