Getting passive FTP connections to work through a firewall properly (VPS and Dedi common problem)

Introduction:

So you installed a firewall, but it seems to have broken passive FTP connections. Your clients are complaining of timeouts and sluggish performance of the FTP server. All of these are signs that you have not configured your firewall and FTP server properly for passive FTP connections.

This how-to will try to explain everything in a manner that even if you are not using the mentioned software, you still will have an understanding of what you must do. This how-to will cover the following setup:
Firewall: APF
FTP Server: Pure-FTPD

What is a Passive FTP Connection?

When a client connects to an FTP server and wants to transfer a file or a directory listing, a second connection (the data connection) has to be opened in addition to the control connection on port 21. In a passive FTP connection the client opens that data connection to the server, instead of the server connecting back to the client. This is necessary when the client is hidden behind a firewall or NAT router of some sort and is unable to forward the correct ports to his machine for an inbound connection.


What happens when the server is behind a firewall as well?

Since the client must connect to the server, there must be an accessible port for the client to use other than port 21. The FTP server will generally choose a random port within a certain range and tell the client to connect to it, but when the firewall is set up to block that port, the data connection cannot be made and the client times out.

So what can we do about this?

The firewall can be configured to leave a certain port range open for the FTP server. Then the FTP server must be configured to use only that range of ports; this range is often referred to as the 'passive port range'.

Setting up the firewall: (APF Firewall)

1. Open your APF configuration file with your favorite editor. This configuration file is usually located at: /etc/apf/conf.apf

E.g.
vi /etc/apf/conf.apf
2. Select a port range to use for the passive FTP connection, and find the line that looks like this:
IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443,
465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096, 3306"

If this list of ports already includes a port range above 20000, then you can skip ahead to configuring your FTP server, but remember the range listed. (20000 to 30000 would be written as 20000_30000.)

3. Add the port range to the end of the line, inside the quotation marks ("). Remember that each port/port range is separated by a comma (,), and that a port range from 35000 to 36000 is written as 35000_36000.

E.g.
IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443,
465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096, 3306,
35000_36000"

4. Save and restart your firewall.

To restart your firewall:
/etc/init.d/apf restart



Setting up the FTP Server (Pure-FTPD):

There are two different config files your server may use. If you are using CPanel, then most likely it is located here:
/etc/sysconfig/pure-ftpd

If you are unable to find that file, or if your FTP Server is setup to read a conf file, then most likely it is located here:
/etc/pure-ftpd.conf


Using: /etc/sysconfig/pure-ftpd

Look for a line containing: -p or --passiveportrange

If you do find it and it has been commented out with a '#' character then remove the '#' character in front of it.

Now just check that the port range listed is correct. Remember, port ranges listed here have a ':' character between the numbers, while APF uses a '_' character.

E.g. (if the port range is 35000 to 36000 and appears as 35000_36000 in the APF config file, then it should look like this)
--passiveportrange 35000:36000
or
-p 35000:36000
If you do not find it, then go to the end of the file, and add:
--passiveportrange
followed by the port range you had in the APF firewall config file, except replace the '_' character with a ':'.

So if the port range is 35000 to 36000 and appears as 35000_36000 in the APF config file, then you want to add 35000:36000.

E.g. (port range from 35000 to 36000)
--passiveportrange 35000:36000
When done, save the file and restart your FTP server.

E.g.
/etc/init.d/pure-ftpd restart

Using: /etc/pure-ftpd.conf

Look for a line containing: PassivePortRange

Ex.
# Port range for passive connections replies. - for firewalling.

#PassivePortRange 30000 40000


If there is a leading '#' character, remove it.

If the port range is incorrect, change it. The port range here has an actual space between the numbers, not a '_' character.

E.g. (the previous example becomes this)
# Port range for passive connections replies. - for firewalling.

PassivePortRange 35000 36000


Now save the file and restart your FTP server.

E.g.
/etc/init.d/pure-ftpd restart
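The most common mistake after following the steps above is that the range in the APF file and the range in the Pure-FTPD file do not agree, so the server still hands out data ports the firewall blocks. The script below is an added example (it is not part of this article, APF or Pure-FTPD) that reads the passive range out of both files, understanding all three notations described here (35000_36000 in APF, 35000:36000 in /etc/sysconfig/pure-ftpd, and "35000 36000" in /etc/pure-ftpd.conf), and reports whether the Pure-FTPD range lies inside the range the firewall leaves open. The config contents it parses are constructed samples written to a temporary directory; on a real server you would point the functions at /etc/apf/conf.apf and at whichever Pure-FTPD file your server uses.

```shell
#!/bin/sh
# Added example: cross-check the APF passive port range against Pure-FTPD's.
# The sample files written below are constructed for this example only.

# Print the first "low_high" range found in IG_TCP_CPORTS of an APF conf file
# as "low high". Prints nothing and returns 1 when no range is present.
apf_passive_range() {
    sed -n 's/^IG_TCP_CPORTS="\(.*\)"/\1/p' "$1" |
        tr ',' '\n' | tr -d ' ' |
        sed -n 's/^\([0-9][0-9]*\)_\([0-9][0-9]*\)$/\1 \2/p' |
        head -n 1 | grep .
}

# Print the passive range from either Pure-FTPD file format as "low high":
#   /etc/pure-ftpd.conf      -> PassivePortRange 35000 36000
#   /etc/sysconfig/pure-ftpd -> --passiveportrange 35000:36000  (or -p 35000:36000)
# Lines commented out with a leading '#' are ignored. Returns 1 if none found.
pureftpd_passive_range() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n \
            -e 's/^[[:space:]]*PassivePortRange[[:space:]][[:space:]]*\([0-9][0-9]*\)[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' \
            -e 's/.*--passiveportrange[[:space:]][[:space:]]*\([0-9][0-9]*\):\([0-9][0-9]*\).*/\1 \2/p' \
            -e 's/.*-p[[:space:]][[:space:]]*\([0-9][0-9]*\):\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1 | grep .
}

# Return 0 when the Pure-FTPD range sits inside the APF range (every data port
# the server can hand out is reachable through the firewall), 1 otherwise.
check_passive_ranges() {
    apf=$(apf_passive_range "$1") || return 1
    ftp=$(pureftpd_passive_range "$2") || return 1
    set -- $apf $ftp   # $1 $2 = APF low/high, $3 $4 = Pure-FTPD low/high
    [ "$3" -ge "$1" ] && [ "$4" -le "$2" ] && [ "$3" -le "$4" ]
}

# --- constructed sample configuration files -------------------------------
EX_DIR=$(mktemp -d)
APF_SAMPLE="$EX_DIR/conf.apf"
PURE_CONF_SAMPLE="$EX_DIR/pure-ftpd.conf"
PURE_CONF_BAD="$EX_DIR/pure-ftpd-mismatch.conf"
PURE_SYSCONFIG_SAMPLE="$EX_DIR/sysconfig-pure-ftpd"

# APF line with 35000_36000 appended (in the real file this is one long line).
cat > "$APF_SAMPLE" <<'EOF'
IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096, 3306, 35000_36000"
EOF

# conf-file format, with the old commented-out default still present.
cat > "$PURE_CONF_SAMPLE" <<'EOF'
# Port range for passive connections replies. - for firewalling.
#PassivePortRange 30000 40000
PassivePortRange 35000 36000
EOF

# conf-file format where the default was uncommented but never changed.
cat > "$PURE_CONF_BAD" <<'EOF'
PassivePortRange 30000 40000
EOF

# sysconfig format (daemon options).
cat > "$PURE_SYSCONFIG_SAMPLE" <<'EOF'
--passiveportrange 35000:36000
EOF

for pure in "$PURE_CONF_SAMPLE" "$PURE_SYSCONFIG_SAMPLE" "$PURE_CONF_BAD"; do
    if check_passive_ranges "$APF_SAMPLE" "$pure"; then
        echo "OK:       $pure passive range is inside the APF range"
    else
        echo "MISMATCH: $pure hands out ports the firewall would block" >&2
    fi
done
```

The third sample shows the case this article is really about: the default 30000 40000 range left in pure-ftpd.conf while the firewall only opens 35000_36000, which passes a casual look at either file but fails the check.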
