FTP Firewall Fix

My IPv6 FTP server was easy to access from within my LAN, but once I got to work I realized I couldn't complete a transfer, even in passive mode. In passive mode the client opens the control connection to port 21, but it must also open a data connection to whatever unprivileged port the server names in its PASV (or, for IPv6, EPSV) reply. I had opened port 21, of course, but my firewall was blocking all the other ports.

So, I needed to open up some unprivileged ports, but which ones? I suppose I could have opened all of them, but that seemed excessive. I believed 1000 ports would be enough. So, in /etc/vsftpd.conf on the FTP server, I set a passive port range of 10000 to 11000:

pasv_min_port=10000
pasv_max_port=11000

Then I created a rule in the firewall on my libreCMC router to allow traffic to these ports, but only when it is heading to the FTP server.


I was confused at first about how to create a rule with a port range rather than just a single port. But it is as simple as putting a range (e.g., 10000-11000) into the port field.
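The two steps above (pick the passive range in vsftpd.conf, then punch exactly that range through the firewall) are easy to get out of sync. The script below is an added example, not code from the original post or from libreCMC: it reads pasv_min_port/pasv_max_port out of a vsftpd.conf, sanity-checks the range, and emits the uci commands for the matching rule. It assumes libreCMC uses the OpenWrt-style uci firewall config it inherits, that the zones are named wan and lan, and that the FTP server's address is passed on the command line (2001:db8::21 below is a placeholder).

```shell
#!/bin/sh
# Added example (not from the original post or libreCMC): derive the vsftpd
# passive port range from vsftpd.conf and print the uci commands for a
# matching libreCMC/OpenWrt firewall rule. Zone names "wan"/"lan" and the
# FTP server address are assumptions; adjust them for your network.
set -eu

# Print "min-max" from a vsftpd.conf, ignoring commented-out lines.
# Returns 1 if either option is missing or the range is not usable.
pasv_range() {
    conf="$1"
    min=$(sed -n 's/^[[:space:]]*pasv_min_port[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    max=$(sed -n 's/^[[:space:]]*pasv_max_port[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$min" ] && [ -n "$max" ] || return 1
    # vsftpd treats 0 as "any port"; a firewall rule needs real bounds,
    # and the range should stay out of the privileged ports.
    [ "$min" -gt 1023 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] || return 1
    echo "${min}-${max}"
}

# Emit uci commands for a rule accepting IPv6 TCP from wan to the FTP
# server's address on the passive range only (not to the whole LAN).
pasv_rule_cmds() {
    range="$1" server="$2"
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-FTP-PASV'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_ip='$server'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='$range'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Usage: ./ftp-pasv-rule.sh /etc/vsftpd.conf 2001:db8::21
if [ "$#" -eq 2 ]; then
    range=$(pasv_range "$1") || { echo "no usable pasv range in $1" >&2; exit 1; }
    pasv_rule_cmds "$range" "$2"
fi
```

Run it on the FTP host (or against a copy of its vsftpd.conf) and paste the output into the router's shell. A fixed range is the right approach here rather than the kernel's FTP connection-tracking helper: the helper opens data ports by reading PASV replies off the control channel, which it cannot do once the control channel is inside TLS (ftpes).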

So, now my FTP server is accessible from the Internet in PASV (passive) mode, though still only over IPv6:

ftp://lavender.qlfiles.net or

ftpes://lavender.qlfiles.net (FTP over explicit TLS, e.g. through FileZilla).

For a good read on Active vs. Passive FTP, see Active FTP vs. Passive FTP, a Definitive Explanation.


darkstat

The darkstat package in libreCMC is a low-resource way of tracking overall bandwidth usage over the last month. darkstat collects stats on the traffic seen on an interface and displays them as 1-minute, 1-hour, 1-day and 1-month graphs:


It doesn't seem to use much in the way of processing resources: about 1% CPU load on my 300 MHz GL-AR300M router. The LuCI interface does have a nice bandwidth graph built in, but it only shows a 3-minute window. So this seems like a useful tool, especially as it needs little CPU and has a package size of only about 40KB.

In theory, you could use it for traffic analysis and logging, because of its per-host tracking and export functionality.

If you click on a host record, you get port and protocol information.


This is tricky, though, as darkstat doesn't index the host information by time, so you are only ever looking at running totals since darkstat started. You can, however, send POSIX signals to the daemon to make it clear its in-memory host table and/or write that table out to a file (darkstat's --export file, which a later darkstat run can read back with --import). The export requires some tweaking of the darkstat command line arguments. In libreCMC, the command line arguments are generated from a config file at /etc/config/darkstat, but that config file does not seem to support the export options, so you would find yourself editing the init.d script. And then you would need scripts to send the signals and delete old exports and so forth. You would probably also want to tweak the config to filter the capture to just the local network, or to switch over to the wan interface. In summary, you could log lots of useful host data, but you'll have to do some configuration and scripting to get there.
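The "scripts to send the signals and delete old logs" part looks like this. It is an added example, not code from the original post or from the darkstat project, and it assumes darkstat was started (from a modified init.d script) with --export /tmp/darkstat.db and --pidfile /var/run/darkstat.pid, both real darkstat options. SIGUSR1 asks darkstat to write its database to the export file; SIGUSR2, which resets the host table, is deliberately not used here so the running totals on the web page stay intact. Confirm the signal behaviour against the man page of the darkstat version you run. The snapshot directory and the keep count are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or darkstat): snapshot
# darkstat's host table on a schedule and keep a bounded history, since
# darkstat itself only holds running totals. Assumes darkstat runs with
# --export /tmp/darkstat.db and --pidfile /var/run/darkstat.pid, and that
# SIGUSR1 makes it write the export file (check your version's man page).
set -eu

# Ask the running daemon to write its in-memory database to the export
# file. Returns 1 if the pidfile is missing or the process is gone.
darkstat_export_now() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    kill -USR1 "$pid" 2>/dev/null || return 1
    # The write happens in darkstat's main loop; give it a moment.
    sleep 2
}

# Copy the export file into SNAPDIR under a timestamped name so the
# snapshots sort chronologically by filename. Prints the new path.
take_snapshot() {
    export_file="$1" snapdir="$2" stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$snapdir"
    cp "$export_file" "$snapdir/darkstat-$stamp.db"
    echo "$snapdir/darkstat-$stamp.db"
}

# Delete all but the newest KEEP snapshots. Prints how many remain.
prune_snapshots() {
    snapdir="$1" keep="$2"
    total=$(ls "$snapdir"/darkstat-*.db 2>/dev/null | wc -l | tr -d ' ')
    excess=$((total - keep))
    if [ "$excess" -gt 0 ]; then
        # Filenames carry the timestamp, so lexical order is age order.
        ls "$snapdir"/darkstat-*.db | sort | head -n "$excess" | while read -r f; do
            rm -f "$f"
        done
    fi
    ls "$snapdir"/darkstat-*.db 2>/dev/null | wc -l | tr -d ' '
}

# Usage, e.g. nightly from cron:
#   darkstat-snapshot.sh /var/run/darkstat.pid /tmp/darkstat.db /root/darkstat-snaps 30
if [ "$#" -eq 4 ]; then
    darkstat_export_now "$1" || { echo "darkstat not running" >&2; exit 1; }
    take_snapshot "$2" "$3"
    prune_snapshots "$3" "$4"
fi
```

Each snapshot is a darkstat database, so a given day's totals can be looked at later by starting a second darkstat with --import pointed at that file; the difference between two consecutive snapshots is the traffic for that interval. On a 16MB-flash router, keep the snapshot directory on external storage or in /tmp with a small keep count.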

iftop

libreCMC has an iftop package. It is a program that lets you watch your connections and their bandwidth usage in real time. It does not run in the web interface; instead you ssh into the router and run it on the console.


It lists the source and destination of each connection, along with the bandwidth rate in each direction. It can also display bar graphs to give you a visual sense of relative bandwidth usage, and it has a few options for sorting and displaying the connections which can be useful.


It is not useful for long-term logging, only for getting a live snapshot view. But it is lightweight, with a package file of about 20KB, so I plan on adding it to all my future builds.

Running it on a libreCMC router, you'll usually need to pick carefully which interface to watch with the -i option, so that you see the connections you are looking for. E.g., if you want to see the local IPs, you'll want your LAN interface (perhaps called eth1). The -n option, which turns off reverse DNS lookups, also keeps the display from stalling on a router with no working resolver.

v1.4.3a Builds

Here are all my v1.4.3a builds on one page:

Build Features

See post v1.4.3a Source and NAND build.

TPE-R1100

magnet:?xt=urn:btih:f1c7ae0d5a43a0413f33371aa44c6a57618754f1&dn=librecmc-v1.4.3a-ar71xx-generic-tpe-r1100-squashfs-sysupgrade.bin&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969

GL-AR150

magnet:?xt=urn:btih:3e69c154d679927cd9837598ba64e45be5457fbd&dn=librecmc-v1.4.3a-ar71xx-generic-gl-ar150-squashfs-sysupgrade.bin&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969

GL-AR300M (16MB NOR Flash)

magnet:?xt=urn:btih:5a7eb02eecfb2f1413b26d0148d890e88099bcd0&dn=librecmc-v1.4.3a-ar71xx-generic-gl-ar300m-squashfs-sysupgrade.bin&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969

GL-AR300M (128MB NAND Flash)

magnet:?xt=urn:btih:3c7d5b04180f5711559c1dbac4c3c9002a17b65f&dn=librecmc-v1.4.3a-ar71xx-nand-gl-ar300m-ubi-factory.img&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969

Note: The NAND flash image is a factory image which must be installed from U-Boot, and installing it clears all settings. So you must back up your settings beforehand and reload them afterwards to upgrade your image (on libreCMC, as on OpenWrt, sysupgrade -b writes the backup archive and sysupgrade -r restores it).

Additional Packages

magnet:?xt=urn:btih:8ca346776ae37a613fe9e5c8d13601351b5db3b7&dn=librecmc-v1.4.3a-mips%5F24kc-packages&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969

  • openvpn
  • luci-app-openvpn
  • opentracker
  • opentracker6

Source Code

magnet:?xt=urn:btih:3c7d5b04180f5711559c1dbac4c3c9002a17b65f&dn=librecmc-v1.4.3a-ar71xx-nand-gl-ar300m-ubi-factory.img&tr=udp%3A%2F%2Fmaedhros.qlfiles.net%3A6969