From 7d0f0539fbd015a7391bafd55b4866d58ce2d40a Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 11 Sep 2018 18:43:43 +0200
Subject: [PATCH] Fix error for allowing active ftp connections from local network to the internet.

---
 ip6t-firewall-gateway | 6 ++++++
 ipt-firewall-gateway | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 44640c8..76b203d 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -1964,10 +1964,16 @@ if $allow_ftp_request_out ; then
 for _dev in ${ext_if_arr[@]} ; do
 $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
 $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ # - Allow active FTP connections from local network
+ # -
+ #$ip6t -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
 $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
 $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 fi
+ # - Allow active FTP connections from local network
+ # -
+ $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
 done
 
 echo_done
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index d55acf2..ccbd2e5 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
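Review bot: The added `$ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT` trusts a source port that the remote peer chooses, so any IPv6 host on the Internet can open a NEW connection from port 20 through the gateway to any internal address and any destination port — with no NAT in front of the LAN this is a direct hole, not just an FTP allowance. The outbound control connection to port 21 is already accepted as NEW a few lines above, so if the FTP conntrack helper is attached to it the server's active-mode data connection is classified RELATED and can be admitted without trusting the source port: `$ip6t -A FORWARD -i $_dev -p tcp --sport 20 --dport $unprivports -m conntrack --ctstate RELATED -j ACCEPT` (on kernels from 4.7 on the helper must be assigned explicitly, e.g. `-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`, unless `nf_conntrack_helper` is enabled). If a general `--ctstate ESTABLISHED,RELATED` ACCEPT already precedes this in FORWARD the new rule may be redundant altogether; that is not visible in this hunk. The rule is also appended outside the `$kernel_forward_between_interfaces` guard that wraps the other FORWARD rules, and the commented-out INPUT rule above is dead code that should be dropped; the enclosing `if $allow_ftp_request_out` block starts and ends outside the hunk.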
@@ -2650,10 +2650,16 @@ if $allow_ftp_request_out ; then
 for _dev in ${ext_if_arr[@]} ; do
 $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ # - Allow active FTP connections from local network
+ # -
+ #$ipt -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
 $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 fi
+ # - Allow active FTP connections from local network
+ # -
+ $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
 done
 
 echo_done
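Review bot: Matching `--sport 20` with `--ctstate NEW` on the external interface accepts unsolicited inbound TCP from anyone who binds to port 20, towards any forwarded host and any destination port; whether IPv4 NAT limits what is actually reachable depends on routing and DNAT rules not shown here, and the rule itself imposes no destination restriction. Active-mode FTP data connections are what the `nf_conntrack_ftp` helper exists for: once the helper is bound to the port-21 control flow accepted above, the inbound data connection is RELATED, so the intended traffic is covered by `$ipt -A FORWARD -i $_dev -p tcp --sport 20 --dport $unprivports -m conntrack --ctstate RELATED -j ACCEPT` without opening NEW connections (modern kernels need `-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` or `nf_conntrack_helper=1` for the helper to attach). Note that this rule is added even when `$kernel_activate_forwarding` is false, unlike the FORWARD rules in the guarded block just above it, and the commented-out INPUT variant is leftover dead code. The surrounding `if $allow_ftp_request_out` block begins and ends outside this hunk.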