Secure FTP connection is not working in Plesk if external firewall is used

Symptoms

• External firewall is used.
• Secure FTP connection is not working in Plesk if external firewall is used:

  CONFIG_TEXT: 425 Unable to build data connection: Connection timed out

• nf_conntrack_ftp module is loaded and its possible to connect to the server via FTP in passive mode if non secure connection is used:

  # lsmod | grep ftp
  nf_conntrack_ftp 18638 0
  nf_conntrack 133053 6 nf_nat,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6

Cause

When secure FTP connection is used nf_conntrack_ftp is not working.

External firewall can not open ports because information that FTP server passes to the client is encrypt. 

Resolution

1. Open needed passive port range in external firewall

2. Open the file /etc/proftpd.conf in any text editor and place the content below to the Global section as follows:

   <Global> 
   ...
   ...
   PassivePorts 49152 65535
   </Global>

   Note: Starting from Plesk Onyx, passive ports can be defined in /etc/proftpd.d/55-passive-ports.conf file.

3. Restart xinetd service to apply changes:

   # service xinetd restart