FTP Rules in Firewall are apparently wrong

Hello All,

I was advised by a very knowledgeable fellow forum member (anav) on a different thread that was related to Wireguard that my FTP setup is incorrect and I need to resolve this. I decided to keep the wireguard issue and ftp issue separate and start a separate thread about his comments about my FTP setup.

I’m sure anav is so fed up with my questions and lack of understanding that he probably doesn’t have the energy to deal with me anymore. :laughing: so I am reaching out to all you clever people to try and help me as a beginner to mikrotik understand his recommendations.

WHAT I AM TRYING TO ACHIEVE (it is currently working fine with my set up)
I use the USB storage port on my RB5009 for a 1TB nvme drive so that I can FTP files from a WAN server on to this device for backup purposes. It is the most convenient solution for me so that I do not have to set up a dedicated FTP server somewhere on my LAN. The router already has one so why not use it (that’s my logic anyway).


The fellow forum member commented that the following rules do not make any sense:


add action=accept chain=input dst-port=21 in-interface-list=WAN log=yes log-prefix="FTP - " protocol=tcp src-address-list=allow_hostprovider_traffic

add action=accept chain=input dst-port=21 in-interface-list=WAN log-prefix="FTP - " protocol=tcp src-address-list=allow_uptime_robot_traffic

He additionally commented the following:


If you are attempting FTP for example, the input chain is NOT used for this… One uses the dstnat chain. One rule is used in the forward chain to allow port forwarding in general. To make that port forwarding rule clear, remove this default.

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Replace with
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="remote users to LAN" in-interface=Wireguard1 dst-address=10.0.0.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

As you can see, he stated that the input chain is not used for this purpose and yet the USB storage device is connected directly to the router. It’s not a device on the LAN where the traffic needs to be forwarded on the forward chain.

He further commented the following about the setup.


What you have done is open up an unencrypted path to the configuration door of your router to every hacking bot in the world that searches on port 21. The only thing protecting the config is your user name and password (plain text), which is easily defeated by AI and quickly.
Suggest the first thing you do is unplug the router and netinstall a fresh copy.

I am a little confused at his comments because I feel his suggestion of wiping the entire router just to fix 2 firewall rules seemed very extreme to me. Additionally, the two rules are also limited by the src address list containing the source IPs only and in my mind that means that the only IPs that can connect to the router through these firewall rules are the ones I specified in the src address list. So how can “every hacking bot in the world that searches on port 21” have access to the router if they are not on the specified address list?

Have I so grossly misunderstood how src address lists work?

In my mind it stands to reason that if I want to upload files to this connected storage device on the router itself from the WAN, there needs to be a firewall rule on the input chain so that the traffic can be directed straight to the router, where the USB device is connected.

So are anav’s comments suggesting a better solution to the one I already have? Keep in mind that the firewall rules for the FTP service are limiting the src addresses to ONLY the devices that are allowed to FTP files to the server.

Anav’s point about using dstnat and the forward chain is that, even though your USB storage is connected directly to the router, the typical approach for accessing internal services from the WAN is through port forwarding rather than opening the router’s input chain. By using dstnat and setting up port forwarding, you’re adding an extra layer of security that stops direct exposure of your router’s ports, especially port 21, which is heavily targeted by bots and other scanning tools.

Ah thank you for explaining, but isn’t the src address list also protecting the router, seeing as though the only IPs that can access port 21 are those in the src address list?

It is indeed, though IP spoofing is possible.

Couple of things:
FTP can be run active and passive (if memory serves me well).
Active means that the other site has to have port 20 open, passive would require an additional range of ports open on the router.

The reason for advising to netinstall is that your router might be compromised. Did you use a different user for FTP other than a default user (like admin)? Did you remove the admin account from this router to make it a bit more secure? And what rights does this user have?

And at last, do you have an option to use FTP over VPN (like Wireguard)? That would be an improvement on securing this router?
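The active/passive point above, and the "2-connection design botch" raised later in the thread, both come down to the fact that every FTP transfer negotiates a second TCP connection on the control channel. The following is an added example, not code from this thread: it parses the three messages that carry that negotiation (the client's PORT command, the server's 227 PASV reply and the 229 EPSV reply) and reports which side must accept an inbound connection, which is what decides whether the router needs extra input-chain openings. The server address 198.51.100.1, the client address 203.0.113.10 and all sample lines are constructed for the example.

```python
"""Added example, not code from the thread: parse the FTP control-channel
messages that set up FTP's second (data) TCP connection and work out which
side must accept an inbound connection for it. Assumes the RouterOS box is
the FTP server and the remote (cPanel) host is the client, with constructed
addresses 198.51.100.1 (server) and 203.0.113.10 (client). Every sample
line below is constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import Optional

SERVER_IP = "198.51.100.1"   # constructed: the router's WAN address
CLIENT_IP = "203.0.113.10"   # constructed: the remote FTP client

# Constructed control-channel lines for the three data-connection styles.
SAMPLE_PORT_CMD = "PORT 203,0,113,10,195,80"                            # active: client listens
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,1,210,44)."   # passive: server listens
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||54321|)"    # passive, RFC 2428 form
SAMPLE_BAD_PASV = "227 Entering Passive Mode (10,0,0,1,210,44)."         # server advertises a private address


@dataclass(frozen=True)
class DataEndpoint:
    mode: str             # "active" or "passive"
    listener: str         # "client" or "server": the side that must accept inbound
    host: Optional[str]   # advertised address; None for EPSV, which carries only a port
    port: int


_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_tuple(text: str):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), rejecting out-of-range octets."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError(f"octet out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> DataEndpoint:
    """Active mode: the client sends PORT and the server connects out (from port 20) to it."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    host, port = _decode_tuple(line)
    return DataEndpoint("active", "client", host, port)


def parse_pasv_reply(line: str) -> DataEndpoint:
    """Passive mode: the server replies 227 with the ephemeral port it now listens on."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    host, port = _decode_tuple(line)
    return DataEndpoint("passive", "server", host, port)


def parse_epsv_reply(line: str) -> DataEndpoint:
    """Extended passive: 229 carries only a port; the address is the control peer's."""
    m = re.search(r"\(\|\|\|(\d{1,5})\|\)", line)
    if not line.startswith("229") or m is None:
        raise ValueError("not a 229 reply")
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return DataEndpoint("passive", "server", None, port)


def inbound_requirement(ep: DataEndpoint, control_peer_ip: str) -> dict:
    """Which host must accept an inbound TCP connection, and on which port.

    The address advertised in a 227 reply is never trusted when it differs from
    the control connection's peer (the usual NAT mismatch, also the opening for
    FTP bounce tricks); the peer address is used and the mismatch is reported.
    """
    mismatch = ep.host is not None and ep.host != control_peer_ip
    return {
        "listener": ep.listener,
        "ip": control_peer_ip,
        "port": ep.port,
        "advertised_ip_ignored": mismatch,
        # Only a server-side listener lands in the router's input chain.
        "router_input_rule_needed": ep.listener == "server",
    }
```

In passive mode the data connection comes back to the router, so on top of tcp/21 it must be accepted in the input chain as well; RouterOS's FTP connection-tracking helper (`/ip firewall service-port`) marks that connection as related so the default "accept established,related" rule covers it, which only works because the control channel is plaintext and the helper can read the PASV reply.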

All excellent questions that I wish had been asked of me when the comments were made so I could clarify my situation.
To give you answers to them here they are :slight_smile:


The reason for advising to netinstall is that your router might be compromised.

I highly doubt it’s been compromised because it has only been online for a few days.


Did you use a different user for FTP other then a default user (like admin)? Did you remove the admin account from this router to make it a bit more secure? And what rights does this user have?

Yes I created a separate user for FTP and applied a new group to it that only has FTP access and read/write access.
Additionally the main admin account was disabled immediately before it even went online and I created a completely different user for the admin user.


And at last, do you have an option to use FTP over VPN (like Wireguard)? That would be an improvement on securing this router?

Unfortunately no. Believe me I would if I could but it’s not possible as my host’s server from where I send the backups does not have that facility built in.

:man_facepalming: You just “…grant[ed] write access to the router’s configuration…” to that FTP user.

I realize that just above this on the same page it says you need ftp+write to allow FTP uploads, but I’m hoping that applies only when the upload target is the internal flash. If it applies to your USB storage situation, too, you’ve tied the security of your router to that host list; if the remote host is ever compromised, your router is next.

Atop all this, you persist in trying to “secure” FTP by policy while ignoring its huge MITM exposure.

Please stop running with scissors. Use an inherently secure protocol.

You say the remote host can’t WG out to the router, but could it run an OpenSSH server, allowing the router to connect, initiate the backup, then pull it down over SFTP? That would be far more secure and doesn’t rely on router-side security policies to be so.

but I’m hoping that applies only when the upload target is the internal flash. If it applies to your USB storage situation, too, you’ve tied the security of your router to that host list; if the remote host is ever compromised, your router is next.

This is true but again, how is one supposed to do this using FTP without having read/write access? Why does the router even have an FTP service if we simply should never use it? Why does the MT team make this available to us just so we can be told, leave it alone!

I’m not TRYING to be irresponsible. I am a beginner and that is the reason I am posting in the beginner section and that is also the reason I am using a mikrotik so I can learn all these things from all you wonderful and knowledgeable people.

But sometimes I just get the impression that everyone here expects the people that are posting in the beginners section to just know everything and understand everything and have all the knowledge that all of you have. We don’t have your experience and knowledge!! That is why we lean on you for guidance and I have NEVER said I won’t take guidance but it can be done in a respectful way.


Atop all this, you persist in trying to “secure” FTP by policy while ignoring its huge MITM exposure.

Please stop running with scissors. Use an inherently secure protocol.

You say the remote host can’t WG out to the router, but could it run an OpenSSH server, allowing the router to connect, initiate the backup, then pull it down over SFTP? That would be far more secure and doesn’t rely on router-side security policies to be so.

I’m not persisting in doing anything either. I am only trying to achieve what I need to achieve using the tools at my disposal.

I don’t appreciate being treated like a child here. I am only trying to learn. I haven’t argued with anyone here. I am only telling you why things are the way they are. If they are wrong, you are welcome to correct me and tell me how to reconfigure things but please do it without a condescending tone.

I also haven’t IGNORED MITM exposure. I didn’t even know what that is until you mentioned it. Remember…I am a beginner!

Where is the patience for newcomers to Mikrotik?

Look, my host uses cPanel. If you are familiar with cPanel, then you will know that cPanel only has 2 options for transferring backup files through their interface: FTP and SCP. It doesn’t have openSSH or wireguard.

The tools at my disposal are what cPanel offers me through my host and then the destination is the Mikrotik. There is no VPN option from the cPanel side so my hands are tied.

I have tried using the SCP but I keep hitting a wall where the mikrotik is blocking the ports. So I tried setting it up with SCP but struggled.

I would LOVE to get the SCP working as it is encrypted at least but I struggled and defaulted back to FTP.

Please, try to be patient!

At a guess, it’s because of a combination of RouterOS being a quarter century old and that it isn’t always used across the open Internet.

Just because a feature is present doesn’t mean it is wise to use it in all situations.


Why does the MT team make this available to us just so we can be told, leave it alone!

Why does Black & Decker make circular saws only for others to come along and tell us to stop using them to trim trees, atop ladders?


I’m not TRYING to be irresponsible.

Fine, but when several people in a row tell you you’re going down a foolish path, take a hint. Don’t dig your heels in and repeatedly justify your prior decision. You say you’re here for guidance? Be guided.


I am only trying to achieve what I need to achieve using the tools at my disposal.

So get better tools.

Yes, I’m aware of the old adage about a poor craftsman blaming his tools, but that is premised on the idea of the object in question being classed as a “tool” in the first place, and then second on it being fit to purpose.

A rock may be wielded as a tool, but it’s a poor hammer. It is not wrong to chastise the cabinetmaker for repeatedly ignoring good advice not to use a rock to hammer in nails, resulting in a lot of dents and blood on the panels. A better craftsman may have been able to pull that stunt off with the rock, but that doesn’t make following their lead a good idea.

I have owned two hammer-shaped objects in my life that did not qualify as “hammers” by my lights. One was made entirely of plastic, sold as “weight-saving” for use by hikers in pounding in tent stakes, and the other bent at the neck on the first day I used it pulling out nails. If you tell me I’m a poor craftsman for citing these poor results on attempting to use these hammer-shaped objects as a hammer, we’re going to have words.


I don’t appreciate being treated like a child here.

You can’t have it both ways; flying the flag of posting in the Beginner’s section, then getting upset on being told you’ve made an ignorant choice. The childish reaction is ignoring good advice from people who know better and who have been there and done that. The adult reaction is giving up preconceptions when given this solid advice.


please do it without a condescending tone.

I’m willing to learn, too, so please, tell me, when I find someone setting up an extremely insecure configuration, how should I have phrased my warning instead, given that my goal was to be heard and heeded?


I also haven’t IGNORED MITM exposure. I didn’t even know what that is until you mentioned it. Remember…I am a beginner!

Fine; now you’ve been told. What are you going to do about that? Dig in your heels, or change your plan?


Where is the patience for newcomers to Mikrotik?

You’re reacting as if this is the first time you’ve been told “don’t do that,” but counting the prior thread, it’s, what, the fourth? There’s a limit to patience.


cPanel only has 2 options…and SCP…It doesnt have openSSH

SCP is based on OpenSSH. It’s outdated compared to SFTP, but it’s far better than FTP.


… or wireguard.

That might not be true. If the cPanel host is running a sufficiently recent Linux kernel, you may be able to drop to a root shell and set up a Wireguard tunnel beneath cPanel. My old scars remind me that cPanel does often fight CLI-level changes, but this is beyond its ability to meddle.

Alternately, you might be able to set up a reverse tunnel instead.


I have tried using the SCP but I keep hitting a wall where the mikrotik is blocking the ports

First, be certain of the strength of your passwords, and only then say:


/ip firewall filter
add place-before=0 protocol=tcp dst-port=22 \
    action=accept chain=input in-interface-list=WAN

Better, set up SSH keys and use those exclusively.


I would LOVE to get the SCP working as it is encrypted

It’s not merely that it’s encrypted, but that:


  1. It’s encrypted using state-of-the-art crypto. (Those that fail to understand this distinction are also likely to believe PPTP still counts as a safe VPN technology.)
  2. It’s got strong anti-spoofing measures built in. If you lose the keys on one side, you can avoid compromise if you pay attention to the warning that the other side has changed. (If both sides’ keys are stolen, you’re hooped, and if you’re the sort to yes-yes-yes through all dialogs, you’re double-hooped.)
  3. It supports use of generated keys plus optional passphrases, with storage of same in an “agent,” a far stronger arrangement than any reasonable password.
  4. Its designers avoided FTP’s 2-connection design botch.
  5. Its designers avoided FTP’s ASCII-by-default design botch.

It isn’t even a close race. SCP is miles and miles ahead of FTP.


Please, try to be patient!

I’m trying, but it would help if you would show any sign that you’re willing to take good advice and not offer repeated justifications for why it has to be done the way that multiple forum members have told you not to.

Which is more likely: you’re working on the right solution and merely need to find the right way to express it, or every one of us opposing this plan of yours is wrong?
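The two firewall points argued over in this thread (that services hosted on the router itself, FTP to the USB disk or SSH, are matched in the input chain and not by a forward/dstnat rule, and that an input accept from WAN is exactly as wide as its src-address or src-address-list) can be checked mechanically against an export. The following is an added example, not code from the thread or from MikroTik: a small audit over `/ip firewall filter` lines in RouterOS export syntax. The input is the three rules quoted on this page (wrapped lines joined) plus one constructed forward/dstnat rule; the port-to-protocol table and the severity labels are this example's own assumptions, and multi-port values such as dst-port=21,22 are not split.

```python
"""Added example, not code from the thread: audit RouterOS '/ip firewall filter'
export lines and flag input-chain accepts reachable from the WAN interface list.
The port table and severities are assumptions made for this example.
"""
import shlex

# Assumed for this example: services whose credentials cross the wire in clear text.
PLAINTEXT_PORTS = {"21": "FTP", "23": "Telnet", "80": "HTTP"}

# The three rules quoted in this thread (wrapped lines joined) plus one
# constructed forward/dstnat rule of the kind proposed in the replacement set.
SAMPLE_RULES = [
    'add action=accept chain=input dst-port=21 in-interface-list=WAN log=yes '
    'log-prefix="FTP - " protocol=tcp src-address-list=allow_hostprovider_traffic',
    'add action=accept chain=input dst-port=21 in-interface-list=WAN '
    'log-prefix="FTP - " protocol=tcp src-address-list=allow_uptime_robot_traffic',
    'add place-before=0 protocol=tcp dst-port=22 action=accept chain=input in-interface-list=WAN',
    'add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat',
]


def parse_rule(line: str) -> dict:
    """Turn 'add key=value key="quoted value" ...' into a dict; bare flags get ''."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not an 'add' line: {line!r}")
    rule = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        rule[key] = value if sep else ""
    return rule


def audit(lines) -> list:
    """Return (rule_index, severity, message) findings for the given export lines."""
    findings = []
    for idx, line in enumerate(lines):
        r = parse_rule(line)
        chain, action = r.get("chain"), r.get("action")
        if chain == "input" and action == "accept" and r.get("in-interface-list") == "WAN":
            port = r.get("dst-port", "any")
            # A src-address-list or src-address is the only thing narrowing the accept.
            source = r.get("src-address-list") or r.get("src-address")
            if source:
                findings.append((idx, "info",
                    f"tcp/{port}: limited to source {source}; the router is only as "
                    f"safe as every host on that list"))
            else:
                findings.append((idx, "high",
                    f"tcp/{port}: accepted from any WAN source; reachable by every scanner"))
            if port in PLAINTEXT_PORTS:
                findings.append((idx, "high",
                    f"tcp/{port} is {PLAINTEXT_PORTS[port]}: credentials and data cross the "
                    f"WAN in clear text; a source list does not change that"))
        elif chain == "forward" and r.get("connection-nat-state") == "dstnat":
            # Forward-chain rules see transit traffic only; the router's own services are input chain.
            findings.append((idx, "info",
                "forward/dstnat accept covers connections forwarded to LAN hosts, not "
                "services the router hosts itself (those are matched in the input chain)"))
    return findings


def highest_severity(findings) -> str:
    """'high' beats 'info'; 'clean' when there are no findings."""
    order = {"high": 2, "info": 1}
    return max((f[1] for f in findings), key=order.get, default="clean")


if __name__ == "__main__":
    for idx, sev, msg in audit(SAMPLE_RULES):
        print(f"rule {idx} [{sev}] {msg}")
```

Run as is it prints one line per finding: both FTP rules are narrowed by their address lists but still carry plaintext credentials, the SSH rule as quoted above has no source restriction at all, and the forward/dstnat rule is noted as irrelevant to router-hosted services. Adding `src-address-list=` to the port-22 rule turns its "high" into "info" without touching anything else.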

The former … because everybody is jealous seeing the great plan of @OP and nobody else ever thought of going that way.

BTW, great post … full of patience :wink:

I have not dug my heels in. I don’t even understand why people are saying that.

But whatever. I think you guys are being very hard on newcomers like me.

Sorry I bothered to reach out and ask the community.

@OP
your reaction shows you are still not getting the hints.
You keep presenting a state of mind “Everyone is against me, what are they all doing wrong”.
Not sure how it’s called on your side of the world (where ever you are) but in my area that would be classified as “the Calimero-complex”.
(use Google translate)
https://nl.wikipedia.org/wiki/Calimerocomplex

You’d be better off instead to accept the feedback (perceived hard or not, feedback has been presented to you by multiple persons) and learn from it.
Use it as an opportunity to learn !
But you keep on hammering the same nail while multiple people told you it might be better for various reasons not to proceed that way.

A learning process involves hitting the wall, evaluate what has happened (alone or with help from others) and learn from it so you don’t hit that wall again.
But you seem to keep going full steam for that same wall over and over again …

And then we are the ones being hard and insensitive ? Ok.

@tangent:
hats off for that response.
Too bad there is no reputation system on this board because that one would have given you lots of green.

Where did I say you were all wrong with your guidance? I simply said I didn’t understand.

The reason I was frustrated in the thread about WIREGUARD is because the replies were detracting from the context of the post. The post was about WIREGUARD not being able to see shares on the network. Not the entire security config set up of my entire router. I simply asked in that thread to please stay on topic.

I also simply asked what the point of an FTP service was if we can’t use it.

Where did I dig my heels in to tell you all that you are wrong and I am right?

All I referred to was the fact that the manner in which people here are providing information is very judgemental and impatient in a forum of newcomers.

But let’s agree to disagree.

Outright, never, but you’ve now taken this crusade up three different places*, a sign that you’re seeking approval to go on doing what you originally planned to do in the face of good advice. Then when people get annoyed, you get defensive.


what the point of an FTP service was if we can’t use it.

It’s completely insecure, thus unfit for your stated purpose.

(* = Two threads here, and now on Discord.)

I disagree with how you have perceived the situation but let’s leave it there. I managed to get assistance on discord.

All sorted now.

Thanks for all the input you all gave. Sorry I have not been a worthy newcomer.

Ciao.