X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fftp_conntrack.pp;h=868110b378b6c5f990f8bb0ef42b1dc355b50157;hb=c900f03686f913f87c1163a03a24f90193175318;hp=ea502e2d9cee568675f1435b3388d10730d01339;hpb=963cd75a0593d779ff19090aab82ec22fbb6f971;p=mirror%2Fdsa-puppet.git
diff --git a/modules/ferm/manifests/ftp_conntrack.pp b/modules/ferm/manifests/ftp_conntrack.pp
index ea502e2d9..868110b37 100644
--- a/modules/ferm/manifests/ftp_conntrack.pp
+++ b/modules/ferm/manifests/ftp_conntrack.pp
@@ -1,3 +1,20 @@
 class ferm::ftp_conntrack {
- ferm::module { 'nf_conntrack_ftp': }
+
+ # Allow non-passive connections to an FTP server
+ @ferm::rule { 'dsa-ftp-conntrack-client':
+ domain => '(ip ip6)',
+ description => 'ftp client connection tracking',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
+
+ # Allow passive connections from an FTP client
+ @ferm::rule { 'dsa-ftp-conntrack-server':
+ domain => '(ip ip6)',
+ description => 'ftp server connection tracking',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
 }
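Review bot: Both `CT helper ftp` rules match every TCP flow to port 21 in their chain, and a host that includes this class gets the client (`OUTPUT`) and server (`PREROUTING`) rule together even if it only plays one role. The helper parses control-channel payload and creates expectations that a later RELATED match will accept, so its scope should be as narrow as the explicit raw-table assignment allows: consider a class parameter or two separate classes per role, and a `daddr` or `interface` restriction where the FTP endpoints are known. Both resources are also virtual (`@ferm::rule`) and nothing in this hunk realizes them; since the `ferm::module { 'nf_conntrack_ftp': }` line is removed, it is worth confirming that a collector elsewhere picks them up, otherwise FTP tracking would silently stop. A comment such as `# helper is assigned explicitly in raw; filter rules must still limit what RELATED accepts` would record the intent.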