My IPv6 FTP server was easy to access from within my LAN, but after I got to work, I realized I couldn't complete a transfer, even in passive mode. In passive mode, the client initiates the control connection to port 21, but it must also be able to initiate a data connection to some other, randomly chosen unprivileged port on the server. I had opened port 21 of course, but my firewall was blocking all the other ports.
So, I needed to open up some unprivileged ports, but which ones? I suppose I could have opened up all of them, but that seemed excessive. I believed 1000 ports would be enough. So, in /etc/vsftpd.conf on the FTP server, I set a passive port range between 10000 and 11000:

pasv_min_port=10000
pasv_max_port=11000
Then I created a rule in the libreCMC firewall on my router to allow traffic to these ports when it is heading to the FTP server.
I was confused at first about how to create a rule with a port range rather than just a single port. But it is as simple as putting a range (e.g., 10000-11000) into the port field.
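The failure mode described above (port 21 works, PASV transfers hang) comes from the vsftpd passive range and the firewall rule disagreeing. The script below is an added example, not something from the original post: it reads pasv_min_port and pasv_max_port from a vsftpd.conf, checks that the range is sane (unprivileged, within 65535, min not above max), and confirms the whole range sits inside the "lo-hi" range entered in the firewall rule. The sample config and the firewall ranges it tests are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check that the passive port
# range vsftpd announces to clients is fully covered by the port range the
# firewall rule opens. If it is not, control connections on 21 succeed but
# PASV data connections are dropped.

# Print "min max" taken from pasv_min_port / pasv_max_port in a vsftpd.conf.
# Fails if either setting is missing. The last occurrence wins, as in vsftpd.
pasv_range_from_conf() {
    conf="$1"
    min=$(sed -n 's/^[[:space:]]*pasv_min_port=\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    max=$(sed -n 's/^[[:space:]]*pasv_max_port=\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$min" ] && [ -n "$max" ] || return 1
    echo "$min $max"
}

# Return 0 when the range is sane: unprivileged (>= 1024), within 65535,
# and min <= max.
pasv_range_sane() {
    min="$1"
    max="$2"
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ]
}

# Return 0 when every port vsftpd may hand out lies inside the firewall
# range given as "lo-hi" (the same syntax the router's port field accepts).
range_covered() {
    conf="$1"
    fw="$2"
    range=$(pasv_range_from_conf "$conf") || return 1
    min=${range% *}
    max=${range#* }
    fw_lo=${fw%-*}
    fw_hi=${fw#*-}
    pasv_range_sane "$min" "$max" || return 1
    [ "$min" -ge "$fw_lo" ] && [ "$max" -le "$fw_hi" ]
}

# Constructed sample config standing in for /etc/vsftpd.conf on the server.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
listen_ipv6=YES
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=11000
EOF

# Usage: compare the config against candidate firewall rule ranges.
for fw_rule in 10000-11000 10000-10500; do
    if range_covered "$sample_conf" "$fw_rule"; then
        echo "firewall range $fw_rule covers the vsftpd passive range"
    else
        echo "firewall range $fw_rule does NOT cover the vsftpd passive range"
    fi
done
rm -f "$sample_conf"
```

Run it on the server with the real /etc/vsftpd.conf and the range you typed into the router's port field; the second candidate range above is deliberately too narrow to show what a mismatch looks like.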
So, now my FTP server is accessible from the Internet in PASV (passive) mode, though still only through IPv6:
ftpes://lavender.qlfiles.net (encrypted, through FileZilla).
For a good read on Active vs. Passive FTP, see Active FTP vs. Passive FTP, a Definitive Explanation.