Forum Discussion

juan_salinas_47
Aug 10, 2010

Controlling access to FTP by source IP and data channel

Hi,

The background:

- I have an iRule to control the access to the internet from the server side.
- I'm using the server 192.168.163.229 to test the iRule, so the iRule only logs events from this IP.
- I have a vserver 0.0.0.0:*/0 and a vserver 0.0.0.0:21/0 with an FTP profile.
- The iRule is in both vservers.
- I have a datagroup of type IP to control access, where the values are strings like "SnatIPToSet|AllowedPortsDelimitedByComma" (80,21 are the allowed ports for the test server).
- For now the iRule just logs; the snat and drop commands are commented out (??? I don't know how to say it).

The problem...

- When the server opens an FTP connection, the iRule allows the traffic to the destination.
- When the server sends an ls or dir command, a new connection is created and the iRule drops the connection (because the random port is not defined in the datagroup).
- To avoid the last case I try to use the table command to check if an active connection is open when the ls command is sent (and allow the connection)... and keep the key alive by touching the record (table lookup) when a new connection to an undefined port is created.

The questions...

- I found a wiki in DevCentral that said sometimes CLIENT_CLOSED is not fired... how is this possible??? (I think my logic will not work if this happens.)
- Is there a different way to control FTP connections?? (maybe I'm going the wrong way)

The iRule...

 

when CLIENT_ACCEPTED {
    # datagroup value format: "SnatIPToSet|AllowedPortsDelimitedByComma"
    set valor [class match -value [IP::client_addr] equals $::NavControlAndSnat]
    if { not ($valor equals "") } {
        set snataddr [getfield $valor "|" 1]
        set ports [split [getfield $valor "|" 2] ","]
        if { [IP::client_addr] equals "192.168.163.229" } {
            log local0. "i am [IP::client_addr] my snat is $snataddr"
        }
        if { [llength $ports] == 0 } {
            if { [IP::client_addr] equals "192.168.163.229" } {
                log local0. "NO PORT RESTRICTION...traffic to TCP [TCP::local_port] or UDP Accepted"
            }
            snat $snataddr
        } elseif { [lsearch -exact $ports [TCP::local_port]] > -1 } {
            if { [IP::client_addr] equals "192.168.163.229" } {
                log local0. "PORT RESTRICTION ENABLED... traffic to TCP [TCP::local_port] or UDP Accepted"
            }
            snat $snataddr
            if { [TCP::local_port] == 21 } {
                # new ftp control connection: count it under the client:server key so the data channels can be matched
                set pairconns [table incr -subtable ftpfw "[IP::client_addr]:[IP::local_addr]"]
                table timeout -subtable ftpfw "[IP::client_addr]:[IP::local_addr]" 900
                table lifetime -subtable ftpfw "[IP::client_addr]:[IP::local_addr]" indefinite
                if { [IP::client_addr] equals "192.168.163.229" } {
                    log local0. "OPEN conns $pairconns in pair [IP::client_addr][IP::local_addr] port 21"
                }
            }
        } else {
            # candidate to be dropped: the port is not in the allowed list
            # table lookup returns "" if the key does not exist; without -notouch a hit also refreshes the timeout
            set pairconns [table lookup -subtable ftpfw "[IP::client_addr]:[IP::local_addr]"]
            if { $pairconns ne "" && $pairconns > 0 } {
                if { [IP::client_addr] equals "192.168.163.229" } {
                    log local0. "we found a connection for [IP::client_addr]:[IP::local_addr] pair FTP maybe this is the data channel Accepted"
                }
                snat $snataddr
            } else {
                if { [IP::client_addr] equals "192.168.163.229" } {
                    log local0. "PORT RESTRICTION ENABLED... traffic to TCP [TCP::local_port] or UDP Dropped"
                }
                drop
            }
        }
    } else {
        if { [IP::client_addr] equals "192.168.163.229" } {
            log local0. "DROP traffic from [IP::client_addr]"
        }
        drop
    }
}

when CLIENT_CLOSED {
    if { [TCP::local_port] == 21 } {
        # ftp control connection closed: decrement the key
        set pairconns [table incr -subtable ftpfw "[IP::client_addr]:[IP::local_addr]" -1]
        if { [IP::client_addr] equals "192.168.163.229" } {
            log local0. "CLOSED conns $pairconns in pair [IP::client_addr][IP::local_addr] port 21"
        }
    }
}

 

 

Thanks, and excuse my English.
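A Python model of the allow/drop decision in the iRule above, added here as an example (it is not F5 code and not the poster's iRule). The datagroup contents, the server address 203.0.113.10, the SNAT addresses and the 900 s timeout are constructed assumptions. It shows the control channel unlocking later data channels for the same client/server pair, and a control session that never gets a close event but still ages out of the table, so a missed CLIENT_CLOSED does not leave the pair open forever.

```python
from dataclasses import dataclass, field

@dataclass
class SessionTable:
    """Model of the iRule session table: an entry lives `timeout` seconds past its last touch."""
    timeout: float
    entries: dict = field(default_factory=dict)

    def touch(self, key, now):
        self.entries[key] = now + self.timeout

    def lookup(self, key, now):
        """Like `table lookup` without -notouch: a hit also refreshes the timeout."""
        expires = self.entries.get(key)
        if expires is None or expires < now:
            self.entries.pop(key, None)    # expired or never seen
            return False
        self.entries[key] = now + self.timeout
        return True

def decide(datagroup, table, client, server, port, now):
    """Return ('snat', addr) or ('drop', None) for a new connection client -> server:port."""
    value = datagroup.get(client)
    if value is None:
        return "drop", None              # source not in the datagroup at all
    # datagroup value format from the post: "SnatIPToSet|AllowedPortsDelimitedByComma"
    snat, _, portlist = value.partition("|")
    ports = [int(p) for p in portlist.split(",") if p]
    key = f"{client}:{server}"
    if not ports or port in ports:
        if port == 21:
            table.touch(key, now)        # control channel: remember the client/server pair
        return "snat", snat
    if table.lookup(key, now):           # unlisted port, but a control session is still live
        return "snat", snat
    return "drop", None

# constructed sample datagroup; 192.168.163.229 is the test server from the post
DATAGROUP = {"192.168.163.229": "10.0.0.5|80,21", "192.168.163.230": "10.0.0.6|"}
def scenario():
    table = SessionTable(timeout=900)
    c, s = "192.168.163.229", "203.0.113.10"
    return [
        decide(DATAGROUP, table, c, s, 21, 0),        # control channel opens
        decide(DATAGROUP, table, c, s, 40123, 30),    # data channel for 'ls': allowed
        decide(DATAGROUP, table, c, s, 40124, 900),   # still within 900 s of the last touch
        decide(DATAGROUP, table, c, s, 40125, 2000),  # idle > 900 s: expired with no close event
        decide(DATAGROUP, table, "192.168.163.230", s, 5000, 0),  # empty port list: unrestricted
        decide(DATAGROUP, table, "10.9.9.9", s, 21, 0),           # source not in the datagroup
    ]
```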

 
