How to configure a passive ports range for ProFTPd on a server behind a firewall


2016-11-16 12:39:47 UTC


2017-08-16 16:27:22 UTC


Was this article helpful?

Have more questions?

Submit a request

How to configure a passive ports range for ProFTPd on a server behind a firewall

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux
  • Plesk 11.x for Linux
  • Plesk 12.0 for Linux


How to configure passive ports range for ProFTPd on a server behind a firewall?

Or ProFTPD ignores PassivePorts directive.


The PassivePorts directive is used in the /etc/proftpd.conf file to specify a passive ports range. Connect to the server using SSH and place it to the Global container as follows:

PassivePorts 57000 58000

Specify ports in /etc/proftpd.d/* files as well, if needed. See the ProFTPd documentation for more information regarding the PassivePorts directive.

Next, the ip_conntrack_ftp module should be loaded into the system:

# /sbin/modprobe ip_conntrack_ftp
# lsmod | grep conntrack_ftp
nf_conntrack_ftp 13696 0
nf_conntrack 61684 1 nf_conntrack_ftp

If Plesk Firewall extension is installed , specify the port range according to the resolution in Unable to log in to FTP server: 530 Login incorrect

In another way, make sure that the following line exists in the iptables settings:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If the server is behind NAT, the ip_nat_ftp module should also be loaded:

# /sbin/modprobe ip_nat_ftp

To keep the changes after the system boot, the modules should be added to the IPTABLES_MODULES line (space-separated) in the file /etc/sysconfig/iptables-config :

# cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack ip_nat_ftp"

Note: because the FTP helper modules must read and modify commands being sent over the command channel, they will not work when the command channel is encrypted through use of TLS/SSL.

If it is required to use TLS/SSL for FTP, the only way is to open required ports, save iptables rules:

# iptables -A INPUT -p tcp --match multiport --dports 57000:58000 -j ACCEPT
# iptables-save

Restart xinetd service to apply changes:

# service xinetd restart

Have more questions? Submit a request
Please sign in to leave a comment.