How to configure the passive ports range for ProFTPd on a Plesk server behind a firewall

kb: how-to Plesk for Linux ABT: Group B FR:PPM-1905

Applicable to:

  • Plesk for Linux

Question

How to configure the passive ports range for ProFTPd on a server behind a firewall?

Answer

Note: When configuring the passive port range, the selected range must lie in the non-privileged range (i.e., ports greater than or equal to 1024). It is strongly recommended that the chosen range be large enough to handle many simultaneous passive connections. The default passive port range is 49152-65535 (the IANA registered ephemeral port range).

  1. Connect to a server via SSH.

  2. Run the command below to check if the passive port range is configured in the FTP server:

    # sed -n '/\<Global/,/\/Global/p' /etc/proftpd.conf /etc/proftpd.d/* | grep PassivePorts

    If the command returns the same output as below, the passive port range is set up in ProFTPd configuration. Continue to step 3.

    PassivePorts 49152 65535

    If no output is returned, configure the passive port range:

    2.1. Create the /etc/proftpd.d/55-passive-ports.conf file using the following command:

    # touch /etc/proftpd.d/55-passive-ports.conf

    2.2. Open the /etc/proftpd.d/55-passive-ports.conf file in a text editor. In this example, we use the vi editor:

    # vi /etc/proftpd.d/55-passive-ports.conf

    2.3. Paste the content below in the file:

    <Global>
    PassivePorts 49152 65535
    </Global>

    2.4. Save the changes and close the file.

  3. Enable the kernel modules in the system:

    Note: Actions that involve kernel module configuration should be performed on a physical machine or a virtual machine with full hardware emulation. If a VZ container is used, the same actions should be performed on the hardware node where this VZ container is running.

    3.1. Enable the nf_conntrack_ftp module:

    # /sbin/modprobe nf_conntrack_ftp

    3.2. If the server is behind NAT (a private IP address is configured in the system), enable the kernel nf_nat_ftp module as well:

    # /sbin/modprobe nf_nat_ftp

    3.3. Verify the changes:

    # lsmod | grep nf_nat_ftp
    nf_nat_ftp 16384 0
    nf_conntrack_ftp 20480 1 nf_nat_ftp
    nf_nat 32768 1 nf_nat_ftp
    nf_conntrack 131072 3 nf_conntrack_ftp,nf_nat_ftp,nf_nat

    3.4. To keep the changes after a system reboot, apply these steps:

    • Add the modules to the /etc/modules-load.d/modules.conf file with these commands:

      # echo nf_nat_ftp >> /etc/modules-load.d/modules.conf
      # echo nf_conntrack_ftp >> /etc/modules-load.d/modules.conf

    • On CentOS/RHEL-based distributions, add the modules to the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file as follows:

      # cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
      IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"

  4. Restart the FTP-related service using one of the commands below (depending on the server OS) to apply the changes:

    # service xinetd restart

    # systemctl restart proftpd.socket

  5. Open the passive ports range in a firewall:

    Note: If there is an intermediate firewall between a Plesk server and the Internet, make sure that the passive port range is allowed in its configuration as well. Contact your Internet Service Provider for assistance.

    To open the ports in a local firewall, follow these steps:


    Opening the passive port range using Plesk Firewall


    Note: If Plesk Firewall is not installed, use this installation guide.

    1. Log in to Plesk and go to Tools & Settings > Firewall and click Enable Firewall Rules Management.


    2. Once Firewall Rules Management is enabled, look for the FTP server passive ports rule. If the rule exists, you are ready to go.

      Note: In Plesk Onyx 17.8 which was not upgraded from previous versions, the FTP server passive ports rule is already installed. Just make sure this rule is enabled.


      If the rule does not exist, create it:

      2.1. Click Modify Plesk Firewall Rules.


      2.2. Click Add Custom Rule.


      2.3. Configure the rule:

      • Rule name: FTP server passive ports

      • Match direction: Incoming

      • Action: Allow

      • In the Add port or port range field, specify the configured passive port range 49152-65535 and select the TCP option.

      2.4. Click OK to create the rule.

      2.5. Next, click Apply Changes.


    Opening the passive port range via a command-line interface


    • on CentOS/RHEL-based distributions:

      # iptables -I INPUT 1 -p tcp --dport=49152:65535 -j ACCEPT
      # service iptables save

    • on Debian/Ubuntu-based distributions:

      # iptables -I INPUT 1 -p tcp --dport=49152:65535 -j ACCEPT
      # iptables-save > /etc/iptables/rules.v4
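The following script is an added example (it is not part of this article and not Plesk's own tooling). It reproduces the check from step 2 in a reusable form: it extracts the PassivePorts directive only from inside a <Global> block, validates that the range is non-privileged, within 16 bits and ordered, and renders the iptables rule from step 5 for that range without applying it. The config files it reads are constructed in temporary files so it runs offline; on a real server you would point get_passive_ports at /etc/proftpd.conf and /etc/proftpd.d/*.

```shell
#!/bin/sh
# Added example (not Plesk's own tooling): parse the PassivePorts directive the
# way the article's sed|grep check does, sanity-check the range, and render the
# matching iptables rule. Paths and config contents below are constructed.

# Print "low high" for the first PassivePorts directive found inside a
# <Global> block in the given config files; print nothing if none is set.
get_passive_ports() {
    sed -n '/<Global>/,/<\/Global>/p' "$@" 2>/dev/null |
        awk 'tolower($1) == "passiveports" { print $2, $3; exit }'
}

# Check that a low/high pair is a usable passive range: both numeric, low not
# privileged (>= 1024), high within 16 bits, low below high. Prints a reason
# and returns 0 (usable) or 1 (not usable).
check_passive_range() {
    low=$1
    high=$2
    for p in "$low" "$high"; do
        case "$p" in
            '' | *[!0-9]*) echo "not a numeric range: '$low' '$high'"; return 1 ;;
        esac
    done
    if [ "$low" -lt 1024 ]; then
        echo "low port $low is privileged (must be >= 1024)"; return 1
    fi
    if [ "$high" -gt 65535 ]; then
        echo "high port $high exceeds 65535"; return 1
    fi
    if [ "$low" -ge "$high" ]; then
        echo "low port $low must be below high port $high"; return 1
    fi
    echo "ok: $((high - low + 1)) ports"
}

# Render (do not apply) the INPUT rule from the article for a given range.
iptables_rule_for() {
    echo "iptables -I INPUT 1 -p tcp --dport=$1:$2 -j ACCEPT"
}

# Write a constructed config file and print its path. "global" puts the
# directive inside <Global>; "toplevel" leaves it outside, which the
# <Global>-scoped check must ignore; anything else omits it entirely.
write_sample_config() {
    f=$(mktemp)
    case "$1" in
        global)
            printf '%s\n' '<Global>' '    PassivePorts 49152 65535' '</Global>' > "$f" ;;
        toplevel)
            printf '%s\n' 'PassivePorts 49152 65535' '<Global>' '</Global>' > "$f" ;;
        *)
            printf '%s\n' '<Global>' '    DefaultRoot ~' '</Global>' > "$f" ;;
    esac
    echo "$f"
}

# Demo: report on a constructed config the way an operator would on a real server.
cfg=$(write_sample_config global)
range=$(get_passive_ports "$cfg")
if [ -z "$range" ]; then
    echo "no PassivePorts inside <Global>; add the directive as in step 2"
else
    set -- $range
    check_passive_range "$1" "$2"
    iptables_rule_for "$1" "$2"
fi
rm -f "$cfg"
```

The <Global>-scoped extraction matters because a PassivePorts line placed outside <Global> (or inside a <VirtualHost> the Plesk FTP service does not use) is silently ignored by the article's check, which is one reason step 2 asks for the directive to be placed in a <Global> block.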


Comments

  • On Alma 9, restart FTP with:
    # systemctl restart proftpd.socket

  • Suddenly my working connection was down. Now I cannot connect to any FTPS server from my server. This is the error message. Could you please help me to fix this issue?

    Error: Unable to access the storage: Transport error: unable to list directory: Curl error: (18) Transferred a partial file: The last FTP request: LIST: The last FTP response: 425 Unable to build data connection: Operation not permitted
    Make sure you have entered the correct storage settings. You can check them independently with the command:
    curl -v --ftp-pasv --ssl -k -u servers@myftp.remoteserver.com 'ftp://x.x.x.x/./'

    I have whitelisted the remote server IP in all firewalls (Plesk Firewall, Imunify, and BitNinja).
