class ferm::ftp_conntrack {
+ # This also works for jessie hosts, but requires a reboot
+ if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
+ # Allow non-passive connections to an FTP server
+ @ferm::rule { 'dsa-ftp-conntrack-client':
+ domain => '(ip ip6)',
+ description => 'ftp client connection tracking',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
- # Allow non-passive connections to an FTP server
- @ferm::rule { 'dsa-ftp-conntrack-client':
- domain => '(ip ip6)',
- description => 'ftp client connection tracking',
- table => 'raw',
- chain => 'OUTPUT',
- rule => 'proto tcp dport 21 CT helper ftp'
- }
-
- # Allow passive connections from an FTP client
- @ferm::rule { 'dsa-ftp-conntrack-server':
- domain => '(ip ip6)',
- description => 'ftp server connection tracking',
- table => 'raw',
- chain => 'PREROUTING',
- rule => 'proto tcp dport 21 CT helper ftp'
+ # Allow passive connections from an FTP client
+ @ferm::rule { 'dsa-ftp-conntrack-server':
+ domain => '(ip ip6)',
+ description => 'ftp server connection tracking',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto tcp dport 21 CT helper ftp'
+ }
+ } else {
+ ferm::module { 'nf_conntrack_ftp': }
}
}
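Review bot: Both `CT helper ftp` rules (client in raw/OUTPUT, server in raw/PREROUTING) match every `proto tcp dport 21` flow with no address or interface restriction, so on any host that realizes them the FTP helper parses and creates expectations for all port-21 traffic. Those expectations are what later match as RELATED, so it is safer to scope the assignment to the peers actually involved, e.g. `rule => 'daddr <ftp-server-addrs> proto tcp dport 21 CT helper ftp'` for the client rule (placeholder address list), and to confirm that the filter rule accepting RELATED traffic is narrowed to match; that rule is not visible in this hunk. The `else` branch only loads `nf_conntrack_ftp` and presumably relies on the kernel's automatic helper assignment, which is broader still, so a comment such as `# pre-stretch: helper is auto-assigned to all tcp/21 flows once the module is loaded` would record the difference. If `$::lsbmajdistrelease` is unset on a host (it depends on the LSB facts being available), `versioncmp` may fail or silently take the `else` branch, so the condition deserves a guard or a comment stating that assumption.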