How to make the firewall work correctly in VyOS?

Hello everyone, I am a beginner with VyOS.

I am designing a firewall for a network, running on VyOS 1.1.8 (I cannot change it to a newer version at the moment due to bureaucratic issues), and I'm running into some problems.

The idea of the firewall is:

  • Block everything.
  • Allow only specific ports for general or specific users by list.

Example:

  • Allow HTTP/HTTPS to all users.
  • Allow SSH/FTP to specific users.
  • Block the rest.

My main problem is with services that use listening-type ports (49152-65535), for example FTP.

My example code:

set firewall name <<FW-FIREWALL>> default-action 'reject'

set firewall name <<FW-FIREWALL>> rule 10 action 'accept'
set firewall name <<FW-FIREWALL>> rule 10 state established 'enable'
set firewall name <<FW-FIREWALL>> rule 10 state related 'enable'

set firewall name <<FW-FIREWALL>> rule 11 action 'reject'
set firewall name <<FW-FIREWALL>> rule 11 state invalid 'enable'

set firewall name <<FW-FIREWALL>> rule 2100 action 'accept'
set firewall name <<FW-FIREWALL>> rule 2100 destination port '20,21'
set firewall name <<FW-FIREWALL>> rule 2100 source group address-group 'FW-FTP'
set firewall name <<FW-FIREWALL>> rule 2100 protocol 'tcp'
set firewall name <<FW-FIREWALL>> rule 2100 state new 'enable'

set firewall group address-group FW-FTP address '192.168.5.2'

With this configuration, I can't get FTP to show the listed files, since it uses a listening port. If I add the port range:

set firewall name <<FW-FIREWALL>> rule 2100 destination port '20,21,115,49152-65535'

it works correctly. But I don't want to open all those ports for this reason.

I've tried setting new connections to accepted in the general rule:

set firewall name <<FW-FIREWALL>> rule 10 action 'accept'
set firewall name <<FW-FIREWALL>> rule 10 state established 'enable'
set firewall name <<FW-FIREWALL>> rule 10 state related 'enable'
set firewall name <<FW-FIREWALL>> rule 10 state new 'enable'

It works, but I find that it allows everything, making the permit rules meaningless.

It also allows adding the states to the rule, but this does nothing:

set firewall name <<FW-FIREWALL>> rule 2100 action 'accept'
set firewall name <<FW-FIREWALL>> rule 2100 destination port '20,21'
set firewall name <<FW-FIREWALL>> rule 2100 source group address-group 'FW-FTP'
set firewall name <<FW-FIREWALL>> rule 2100 protocol 'tcp'
set firewall name <<FW-FIREWALL>> rule 2100 state new 'enable'
set firewall name <<FW-FIREWALL>> rule 2100 state established 'enable'
set firewall name <<FW-FIREWALL>> rule 2100 state related 'enable'

What would be the correct way to make this work, without needing to allow all the ports?

Or what other approach can you suggest to improve security?

I have noticed that other services, such as AnyDesk, manage to make a connection through 80/443 TCP and through some listening ports, and it works without problems even though I don't have any rules related to their ports.

But why would FTP servers listen on the range 49152-65535? Or am I confused?

FTP has been officially assigned ports 20 and 21. If specifically using an “active” connection setting, this means that while a client computer makes the connection request and sends the commands first on port 21, known as the “control port,” a connection to the server on port 20, the “data port,” is also automatically opened to transfer the file data.

If using a “passive” FTP connection setting, the client computer also connects to the server on FTP port 21. However, the server responds with a random port number, in a free range of ports, to use for the data port for file transfers.

For example, your FTP client will open a control channel on port 21 and a data channel on a random high port in the 49152-65535 port range.

I believe the FTP conntrack module is disabled by default. By enabling it, you should only have to allow port 21 through the firewall, and the conntrack module will take care of the other connections behind the scenes.

set system conntrack modules ftp
commit
save
exit
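Added example, not part of the thread above and not VyOS or kernel code: a small Python model of what the FTP conntrack helper (nf_conntrack_ftp, the module that `set system conntrack modules ftp` loads) does on the port-21 control channel, covering both the active/passive explanation and the conntrack answer. The helper reads the client's PORT command or the server's `227` reply to PASV, decodes the announced address and port, and registers an expectation for exactly that one data connection. Conntrack then classifies the matching SYN as RELATED (admitted by rule 10 in the original post) while every other high port still arrives as NEW and falls through to `default-action reject`. The transcript, hosts and port numbers below are constructed for the example; the strict "announced address must equal the sender's address" check mirrors the kernel helper's default (non-loose) behaviour.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    """One data connection conntrack will accept as RELATED: src -> dst:dport."""
    src: str
    dst: str
    dport: int


# Server reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and
# client command "PORT h1,h2,h3,h4,p1,p2"; port = p1*256 + p2 in both cases.
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(fields):
    """Turn the six comma-separated FTP fields into (ip, port)."""
    octets = [int(f) for f in fields[:4]]
    p1, p2 = int(fields[4]), int(fields[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError(f"malformed FTP host/port fields: {fields}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(map(str, octets)), port


def expectation_from_control(sender, peer, line):
    """Given one control-channel line sent by `sender` to `peer`, return the
    data connection it announces, or None if it announces nothing.

    Active mode (PORT): the server will connect back to the client.
    Passive mode (227): the client will connect to the server's high port.
    Either way it is the *peer* of whoever announced the address that will
    open the data connection, so the expectation is peer -> host:port.

    An announced address that differs from the sender's own address is
    ignored, as the kernel helper does in its default mode, so a malicious
    peer cannot use PORT/PASV to punch a hole towards a third host.
    """
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return None
    host, port = decode_hostport(m.groups())
    if host != sender:
        return None
    return Expectation(src=peer, dst=host, dport=port)


def track_session(client, server, control_lines):
    """Walk a control-channel transcript and collect the expectations the
    helper would register. control_lines: list of ("C" | "S", text)."""
    expectations = set()
    for who, text in control_lines:
        sender, peer = (client, server) if who == "C" else (server, client)
        exp = expectation_from_control(sender, peer, text)
        if exp is not None:
            expectations.add(exp)
    return expectations


def conntrack_state(syn, expectations):
    """Classify a new TCP SYN (src, dst, dport) as conntrack would: RELATED if it
    matches a registered expectation, otherwise NEW. With the rule set from the
    original post, RELATED is accepted by rule 10 and NEW on a high port is
    rejected by the default action."""
    src, dst, dport = syn
    return "RELATED" if Expectation(src, dst, dport) in expectations else "NEW"


# Constructed control-channel transcript for this example (not captured traffic).
CLIENT, SERVER = "192.168.5.2", "203.0.113.10"
TRANSCRIPT = [
    ("C", "USER alice"),
    ("S", "331 Please specify the password."),
    ("C", "PASS hunter2"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),  # 195*256+80 = 50000
    ("C", "LIST"),
    ("C", "PORT 192,168,5,2,200,1"),                           # 200*256+1 = 51201
    ("S", "200 PORT command successful."),
    ("C", "PORT 192,168,5,9,200,2"),   # announces a third host: must be ignored
]


def demo():
    """Return the conntrack state for a few candidate data-channel SYNs."""
    expectations = track_session(CLIENT, SERVER, TRANSCRIPT)
    return {
        "passive_data": conntrack_state((CLIENT, SERVER, 50000), expectations),
        "other_high_port": conntrack_state((CLIENT, SERVER, 50001), expectations),
        "other_client": conntrack_state(("192.168.5.9", SERVER, 50000), expectations),
        "active_data": conntrack_state((SERVER, CLIENT, 51201), expectations),
        "third_host_hole": conntrack_state((SERVER, "192.168.5.9", 51202), expectations),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:16s} {state}")
```

Two practical consequences follow from this model. First, rule 10 accepts RELATED from any source, but an expectation only exists after a control session was allowed through rule 2100, so the `FW-FTP` address group still decides who gets a data channel at all; the `49152-65535` range can be dropped from rule 2100. Second, the helper has to read the control channel in clear text: with FTPS (AUTH TLS) it sees only ciphertext and registers nothing, in which case the usual fallback is to pin the server's passive port range to a narrow window and open just that window to the same address group.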