Access on local FTP firewall problem

hey,

I try to access my local FTP server from the internet and it doesn't work, except if the WAN input parameter is "accept".

For the firewall, I have configured:

config rule
	option name 'TEST FTP'
	option target 'ACCEPT'
	list proto 'tcp'
	option src 'wan'
	option dest_port '21'

With the firewall rule, connecting is OK, but the directory is not listed:

Do you have an idea?

thanks

It's a PASV mode transfer; set the client to PORT mode, or open/allow the PASV ports in the FW.

hey :slight_smile:

Yes, I use vsftpd.

[SOLVED] Port forward FTP NAT - #2 by vgaetera

What is it?

Why is it possible for me to connect if the firewall input is accept, with no package?

Because the connection is established on port 21, then switched to a different port afterwards.
The latter is, in your case, blocked by the FW.

pasv_enable — When enabled, passive mode connects are allowed.

The default value is YES.

pasv_max_port — Specifies the highest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.

The default value is 0, which does not limit the highest passive port range. The value must not exceed 65535.

pasv_min_port — Specifies the lowest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.

The default value is 0, which does not limit the lowest passive port range. The value must not be lower than 1024.

https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-ftp-vsftpd-conf.html


My actual .conf file:

background=YES
listen=YES
anonymous_enable=YES
anon_root=/mnt/sda1/
local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
#dirmessage_enable=YES
#ftpd_banner=Welcome to blah FTP service.
session_support=NO
#syslog_enable=YES
#userlist_enable=YES
#userlist_deny=NO
#userlist_file=/etc/vsftpd/vsftpd.users
#xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt"
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=NO
#force_local_logins_ssl=NO
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
#rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
#rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem

OK, here is the solution.

To vsftpd.conf add:

pasv_enable=YES
pasv_max_port=20005
pasv_min_port=20000

Ports as you want.

And firewall:

config rule
	option name 'TEST FTP'
	option target 'ACCEPT'
	list proto 'tcp'
	option src 'wan'
	option dest_port '21'

config rule
	option name 'TEST FTP'
	option target 'ACCEPT'
	list proto 'tcp'
	option src 'wan'
	option dest_port '20000 20001 20002 20003 20004 20005'

Last question,

I have reserved 5 ports, but are 5 ports really needed? 1 port = 1 client?
Maybe just 1 port works perfectly for multiple users connected simultaneously?

Trial and error?
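As an added check, not code from the thread or from vsftpd/OpenWrt: a small Python script that reads the pasv_min_port/pasv_max_port range from vsftpd.conf and the dest_port entries of the OpenWrt firewall rules, and reports passive ports vsftpd may announce but the WAN rule does not accept (the "connect OK, listing fails" symptom). The sample configs are constructed for the demonstration; the 227 reply decoder shows how the client learns the data port that the firewall then has to allow.

```python
import re

# Constructed sample configs (not the thread's verbatim files): vsftpd hands out
# 20000-20005, but the firewall rule only accepts 21 and 20000-20003.
VSFTPD_CONF = "listen=YES\npasv_enable=YES\npasv_min_port=20000\npasv_max_port=20005\n"
FIREWALL_CONF = """\
config rule
	option name 'TEST FTP'
	option target 'ACCEPT'
	list proto 'tcp'
	option src 'wan'
	option dest_port '21 20000-20003'
"""

def pasv_range(conf):
    """(min, max) from vsftpd.conf, or None if PASV is off or the range is unbounded."""
    opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", conf, re.M))
    if opts.get("pasv_enable", "YES").upper() != "YES":
        return None
    lo, hi = int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))
    return (lo, hi) if lo and hi else None  # 0 means "any high port"

def accepted_wan_tcp_ports(conf):
    """Set of dest_ports accepted from wan over tcp (UCI rule syntax: lists and a-b ranges)."""
    ports = set()
    for block in re.split(r"^config rule", conf, flags=re.M)[1:]:
        if "target 'ACCEPT'" not in block or "src 'wan'" not in block or "tcp" not in block:
            continue
        m = re.search(r"option dest_port '([^']*)'", block)
        for tok in (m.group(1).split() if m else []):
            a, _, b = tok.partition("-")
            ports.update(range(int(a), int(b or a) + 1))
    return ports

def pasv_port_from_227(reply):
    """Data port announced in a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"\((?:\d+,){4}(\d+),(\d+)\)", reply)
    return int(m.group(1)) * 256 + int(m.group(2))

def blocked_pasv_ports(vsftpd_conf, firewall_conf):
    """Passive ports vsftpd may announce that the WAN rule would drop (listing hangs)."""
    rng = pasv_range(vsftpd_conf)
    if rng is None:
        return None
    allowed = accepted_wan_tcp_ports(firewall_conf)
    return [p for p in range(rng[0], rng[1] + 1) if p not in allowed]
```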

I think two should suffice, one in each direction, but I might be wrong.
Bear in mind, if you kill the client without logging out, those ports will
be allocated to your old session until an inactivity timeout is reached.

.... or disable it, and skip the PASV mode.

For best security, should PASV be enabled or disabled?

If you want, test with 2 ports only.

Well, PASV will require more ports to be opened in the FW, but FTP passwords are sent
over the internet in clear text anyway, so two extra open ports probably won't make any difference.

OK, thank you, that was very fast help :slight_smile:

You really should swap to something more secure though.


You don't actually need to explicitly open extra ports.
Firewall conntrack can do it automatically as linked above.


Do you have another software? Very light?
I don't know OpenWrt well but I'm trying to learn.

Does conntrack open all the ports needed for many services? WireGuard, SSH, FTP and others?
If I don't need FTP much of the time, for example, how do I deactivate it?

Thanks

Many protocols can work with built-in conntrack features.
But some like FTP require special care, check out package descriptions:

OK, thank you, added to my bookmarks for later,

For the moment, just trying to add a user on FTP with no root access and read only ^^