Can't get FTP helper to work

I have a WireGuard interface I don't trust enough to accept all traffic. But I do want to allow it access to my FTP server. I use vsftpd, and it works very well for my LAN. However, I can't get normal PORT or PASV mode to work from a device connected over WireGuard. The initial connection is fine, but active PORT commands are either rejected, or (if I set port_promiscuous=YES) go off to never-never land. PASV connections are rejected.

I added the connection tracker kmod and the following rule:

config rule
        option name 'Allow-WGEXT-FTP'
        list proto 'tcp'
        option src 'WGEXT'
        option target 'ACCEPT'
        option helper 'ftp'
        option family 'ipv4'
        option dest_port '21'

...but it seems to have no effect at all.

I am able to work around the problem by limiting vsftpd to a small port range and just accept connections on that entire range:

config rule
        option name 'Allow-WGEXT-FTP-Ports'
        option family 'ipv4'
        list proto 'tcp'
        option src 'WGEXT'
        option dest_port '10090-10100'
        option target 'ACCEPT'

...but this is suboptimal. I want to get the connection tracking working and thus limit the port openings to only what FTP is using.

EDIT: echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper will cause the above connection tracker to function. Is there no way to get this to happen automatically when a helper is specified in LuCI?
EDIT2: The above is considered insecure and a firewall rule is supposed to enable the tracking. But I have the firewall rule, so I'm not sure why FTP connection tracking isn't functioning.
vsftpd config follows:

background=YES
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
session_support=NO
#dirmessage_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#syslog_enable=YES
userlist_enable=YES
userlist_file=/etc/vsftpd/userlist
user_config_dir=/etc/vsftpd/users
userlist_deny=NO
user_sub_token=$USER
local_root=/etc/vsftpd/$USER
chroot_local_user=YES
chown_uploads=YES
chown_username=root
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10100
#port_promiscuous=YES
allow_writeable_chroot=YES

Since you do not use TLS you can employ kmod-nf-nathelper.

I had already installed the kmod and it's loaded:

nf_conntrack           94208 10 nf_nat_ftp,nf_conntrack_ftp,nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table,nf_conntrack_netlink
nf_conntrack_ftp       16384  3 nf_nat_ftp
nf_conntrack_netlink   40960  0 

Which is why I'm not sure why it's not working. In general you're not supposed to need to globally turn on connection tracking with echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper; all you're supposed to need is the kmod and the nft rule, both of which I have.

I'm stumped.

You need to assign the helper manually to the wan interface.

If you have any insights on that, I'd appreciate it.

Go to the LuCI firewall page, edit the wan zone below, and there in the conntrack settings disable automatic assignment and check the box next to the ftp helper.
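The thread ends up with three prerequisites for a working FTP helper: the nf_conntrack_ftp and nf_nat_ftp modules loaded, the helper assigned explicitly on the zone the FTP client traffic enters from (WGEXT in the original post, done in LuCI by turning off automatic assignment and ticking ftp), and the global nf_conntrack_helper sysctl left at 0 rather than the insecure echo 1 workaround. The script below is an added example, not code from the thread or from OpenWrt; it checks those three points against captured text so it can run anywhere, and the sample lsmod and uci lines are constructed. It assumes the fw4 zone options behind the LuCI checkboxes are named auto_helper and helper, which is how they appear in /etc/config/firewall.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: checks the three things
# the thread settles on for a working FTP conntrack helper, against captured
# text so it runs anywhere. On the router, feed it the real output of
#   lsmod ; uci show firewall ; sysctl -n net.netfilter.nf_conntrack_helper
# Assumption: fw4 zone options are named auto_helper and helper (the UCI
# equivalents of the LuCI "Conntrack settings" checkboxes).

# Constructed sample modelled on the poster's lsmod output.
SAMPLE_LSMOD='nf_conntrack           94208 10 nf_nat_ftp,nf_conntrack_ftp,nft_ct,nf_nat
nf_conntrack_ftp       16384  3 nf_nat_ftp
nf_nat_ftp             16384  0'

# Constructed sample of `uci show firewall` lines for the zone the FTP client
# traffic enters from, after automatic assignment is turned off and ftp ticked.
SAMPLE_UCI="firewall.@zone[2].name='WGEXT'
firewall.@zone[2].auto_helper='0'
firewall.@zone[2].helper='ftp'"

# Same zone with the defaults the poster started from: no explicit helper.
SAMPLE_UCI_BROKEN="firewall.@zone[2].name='WGEXT'
firewall.@zone[2].auto_helper='1'"

# modules_loaded LSMOD_TEXT: true when both the tracker and its NAT part are loaded.
modules_loaded() {
  printf '%s\n' "$1" | grep -q '^nf_conntrack_ftp ' &&
  printf '%s\n' "$1" | grep -q '^nf_nat_ftp '
}

# zone_has_ftp_helper UCI_TEXT ZONE: true when ZONE has auto_helper=0 and ftp
# in its helper list. grep -F/-x keep the [N] in the section prefix literal.
zone_has_ftp_helper() {
  uci_text=$1
  zone=$2
  prefix=$(printf '%s\n' "$uci_text" |
    sed -n "s/^\(firewall\.@zone\[[0-9]*\]\)\.name='$zone'$/\1/p")
  [ -n "$prefix" ] || return 1
  printf '%s\n' "$uci_text" | grep -qxF "$prefix.auto_helper='0'" || return 1
  printf '%s\n' "$uci_text" | grep -F "$prefix.helper=" | grep -q 'ftp'
}

# check_ftp_helper LSMOD_TEXT UCI_TEXT ZONE SYSCTL_VALUE: runs all three checks,
# names the first one that fails, and returns a distinct non-zero code for it.
check_ftp_helper() {
  if ! modules_loaded "$1"; then
    echo "nf_conntrack_ftp / nf_nat_ftp not loaded (install kmod-nf-nathelper)"
    return 1
  fi
  if ! zone_has_ftp_helper "$2" "$3"; then
    echo "zone $3: auto_helper must be 0 and helper must include ftp"
    return 2
  fi
  if [ "$4" != "0" ]; then
    echo "nf_conntrack_helper sysctl is $4; the global switch should stay 0"
    return 3
  fi
  return 0
}

check_ftp_helper "$SAMPLE_LSMOD" "$SAMPLE_UCI" WGEXT 0 && echo "FTP helper prerequisites look right"
```

On a router, replace the three SAMPLE_ variables with the real outputs (for example `LSMOD=$(lsmod); UCI=$(uci show firewall); SYSCTL=$(sysctl -n net.netfilter.nf_conntrack_helper)`) and call check_ftp_helper with the name of the zone your FTP clients arrive from. A helper option on an individual rule, as in the first post, is not what the check looks for, because it is the zone-level assignment that the thread found actually enables tracking.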

Oh, perfect. Thanks! I learned something new about LuCI. I've never had to do that before, and I didn't even know that tab existed.

Why it didn't pick it up automatically from the rule I made, I don't know, but manually assigning it works.


"automatic" means only the NAT helper, not the local helper.
