I have a WireGuard interface I don't trust enough to accept all traffic. But I do want to allow it access to my FTP server. I use vsftpd, and it works very well for my LAN. However, I can't get normal PORT or PASV mode to work from a device connected over WireGuard. The initial connection is fine, but active PORT commands are either rejected, or (if I set port_promiscuous=YES) go off to never-never land. PASV connections are rejected.
I added the connection tracker kmod and the following rule:
config rule
	option name 'Allow-WGEXT-FTP'
	list proto 'tcp'
	option src 'WGEXT'
	option target 'ACCEPT'
	option helper 'ftp'
	option family 'ipv4'
	option dest_port '21'
...but it seems to have no effect at all.
I am able to work around the problem by limiting vsftpd to a small port range and just accept connections on that entire range:
config rule
	option name 'Allow-WGEXT-FTP-Ports'
	option family 'ipv4'
	list proto 'tcp'
	option src 'WGEXT'
	option dest_port '10090-10100'
	option target 'ACCEPT'
...but this is suboptimal. I want to get the connection tracking working and thus limit the port openings to only what FTP is using.
EDIT: echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper will cause the above connection tracker to function. Is there no way to get this to happen automatically when a helper is specified in LuCI?
EDIT2: The above is considered insecure and a firewall rule is supposed to enable the tracking. But I have the firewall rule, so I'm not sure why FTP connection tracking isn't functioning.
vsftpd config follows:
background=YES
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
session_support=NO
#dirmessage_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#syslog_enable=YES
userlist_enable=YES
userlist_file=/etc/vsftpd/userlist
user_config_dir=/etc/vsftpd/users
userlist_deny=NO
user_sub_token=$USER
local_root=/etc/vsftpd/$USER
chroot_local_user=YES
chown_uploads=YES
chown_username=root
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10100
#port_promiscuous=YES
allow_writeable_chroot=YES
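An added example, not part of the original post, of the rule form that assigns the FTP helper on OpenWrt fw3/fw4. If I read the firewall documentation correctly, `option helper` on a rule is only a match on connections that already carry a helper (which is why the rule above has no visible effect); the assignment itself is done with `option target 'HELPER'` plus `option set_helper`, which the firewall places in the raw table so conntrack sees it before the control connection is tracked. The zone name WGEXT, port 21 and the vsftpd PASV range are taken from the post; the rule names and the assumption that kmod-nf-nathelper (nf_conntrack_ftp/nf_nat_ftp) is installed are mine.

```uci
# Added example, not from the original post. Assumes OpenWrt fw3 or fw4,
# a zone named WGEXT, and kmod-nf-nathelper installed (assumption).

# 1. Assign the FTP conntrack helper to control connections from WGEXT.
#    target HELPER + set_helper is the assignment; a bare 'helper' option
#    only matches traffic that already has a helper attached.
config rule
	option name 'WGEXT-FTP-helper'
	option src 'WGEXT'
	option proto 'tcp'
	option dest_port '21'
	option target 'HELPER'
	option set_helper 'ftp'
	option family 'ipv4'

# 2. The control connection itself still needs an ordinary ACCEPT.
config rule
	option name 'Allow-WGEXT-FTP'
	option src 'WGEXT'
	option proto 'tcp'
	option dest_port '21'
	option target 'ACCEPT'
	option family 'ipv4'

# No rule for pasv_min_port..pasv_max_port (10090-10100) is needed: once the
# helper has parsed the PASV reply (or the client's PORT command), the data
# connection is RELATED to the tracked control connection, and the default
# RELATED,ESTABLISHED accept at the top of the zone's input chain lets it in.
```

To check that the assignment took effect after `/etc/init.d/firewall restart`, open an FTP session over WireGuard and look for a `helper=ftp` entry in `/proc/net/nf_conntrack` for the port 21 connection; on fw4, `nft list ruleset` should also show a `ct helper set "ftp"` statement. The `nf_conntrack_helper` sysctl from the EDIT is the old global auto-assignment that the kernel deprecated for exactly the reason in EDIT2, and it was removed in Linux 6.0, so the explicit rule is the form that keeps working across kernel upgrades.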