Configuring firewall for cross-zone FTP connections

I would like to configure my firewall so that it whitelists cross-zone FTP connections for some specific machines. I had kmod-nf-nathelper (contains nf_conntrack_ftp and nf_nat_ftp) and kmod-ipt-conntrack-extra (contains xt_helper) installed and added something like this to my /etc/config/firewall:

config rule
	option dest_port '21'
	option src 'lan'
	option dest 'lan2'
	list dest_ip '<some_ip_in_lan2>'
	option target 'ACCEPT'
	list proto 'tcp'
	option name 'Allow-Cross-Zone-FTP'
	option helper 'ftp'
	option family 'ipv4'

However, when I ran /etc/init.d/firewall restart, I got the following warning:

Warning: fw3_ipt_rule_append(): Can't find match 'helper'

and the rule wasn't showing up in firewall status page, nor could I connect to the FTP server I wish to whitelist (shows "connection refused").

Did I miss something, or did I run into some bug in firewall3?

Install also iptables-mod-conntrack-extra. It's for iptables -m helper.


Thanks. The rule is now actually applied. However the FTP connection still didn't work as expected (still shows "connection refused"). Might need to figure that out as well.

Make sure you can reach the FTP server, e.g. using ping or traceroute.

In addition, post the output from OpenWrt:

iptables-save -c -t raw
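The two replies above amount to a checklist: the helper modules from kmod-nf-nathelper and kmod-ipt-conntrack-extra must be loaded, the iptables-mod-conntrack-extra userspace match must be installed so fw3 can append the rule, and the raw table should then contain the CT helper rule that fw3 emits. The script below is an added example, not something posted in the thread or shipped by OpenWrt; it packages those checks as shell functions that take the text of lsmod and iptables-save -c -t raw as arguments, so they can be tried offline on the constructed sample outputs embedded here and then run on a router against the real commands. The function names, the sample module list and the sample raw-table lines (including the rule comment) are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic script (not from the thread). Checks the prerequisites that
# the replies identify for a fw3 rule carrying "option helper 'ftp'":
#   1. nf_conntrack_ftp and nf_nat_ftp (kmod-nf-nathelper) are loaded,
#   2. xt_helper (kmod-ipt-conntrack-extra) is loaded,
#   3. fw3 emitted a "-j CT --helper ftp" rule in the raw table, which only
#      happens once iptables-mod-conntrack-extra provides the helper match.
# Samples below are constructed for illustration; on a router pass "$(lsmod)"
# and "$(iptables-save -c -t raw)" instead.

# check_modules LSMOD_TEXT: exit 0 when every required module is present,
# otherwise list the missing ones on stderr and exit 1.
check_modules() {
    missing=""
    for m in nf_conntrack_ftp nf_nat_ftp xt_helper; do
        printf '%s\n' "$1" | awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' \
            || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "missing kernel modules:$missing" >&2
        return 1
    fi
    return 0
}

# check_raw_rules RAW_TABLE_TEXT: exit 0 when a CT helper rule for ftp exists.
check_raw_rules() {
    printf '%s\n' "$1" | grep -q -- '-j CT --helper ftp'
}

# count_helper_hits RAW_TABLE_TEXT: print the packet counter ("[pkts:bytes]"
# prefix from iptables-save -c) of the first ftp helper rule, or 0 if absent.
# A counter that stays at 0 while the client connects means traffic never
# reaches the rule (wrong zone, wrong port, or the rule was not installed).
count_helper_hits() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/^\[\([0-9]*\):[0-9]*\] .*-j CT --helper ftp.*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Constructed sample outputs (assumed format, modelled on lsmod / iptables-save).
SAMPLE_LSMOD_OK='nf_nat_ftp 16384 0
nf_conntrack_ftp 24576 1 nf_nat_ftp
xt_helper 16384 1
nf_conntrack 98304 4 xt_helper,nf_nat_ftp,nf_conntrack_ftp,nf_nat'

SAMPLE_LSMOD_MISSING='nf_nat_ftp 16384 0
nf_conntrack_ftp 24576 1 nf_nat_ftp
nf_conntrack 98304 3 nf_nat_ftp,nf_conntrack_ftp,nf_nat'

SAMPLE_RAW_OK='*raw
:PREROUTING ACCEPT [1532:201944]
:zone_lan_helper - [0:0]
[1532:201944] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[12:720] -A zone_lan_helper -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP passive connection tracking" -j CT --helper ftp
COMMIT'

SAMPLE_RAW_MISSING='*raw
:PREROUTING ACCEPT [1532:201944]
COMMIT'

# Stand-alone demonstration on the constructed samples.
if check_modules "$SAMPLE_LSMOD_OK" && check_raw_rules "$SAMPLE_RAW_OK"; then
    echo "prerequisites present; ftp helper rule matched $(count_helper_hits "$SAMPLE_RAW_OK") packets"
fi
check_modules "$SAMPLE_LSMOD_MISSING" 2>/dev/null \
    || echo "sample without xt_helper fails the module check, as expected"
```

On a router the useful call is `check_modules "$(lsmod)" && check_raw_rules "$(iptables-save -c -t raw)"`; if the first check fails, the fw3 warning about the missing 'helper' match is expected, and if the second fails after the packages are installed, the firewall service has not been restarted.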

Likely the option helper 'ftp' part can be omitted. These days FTP clients should support PASV mode which, if I understand it right, does not require a special conntrack helper at all.

For some reason the FTP client tries to connect to a randomly opened port and fails because there's no firewall rule that allows it. Because of this I automatically think that I would need some sort of connection tracker.

The server does use PASV mode as verified by Wireshark.

You likely need it to allow #2:

But the conntrack helper rules for transit traffic should work for non-masqueraded zones by default as long as you have installed the related packages and restarted the firewall service.
