How to configure a passive ports range for ProFTPd on a server behind a firewall


2016-11-16 12:39:47 UTC


2017-08-16 16:27:22 UTC



Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 12.0 for Linux
  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux


The PassivePorts directive in the /etc/proftpd.conf file specifies the passive ports range. Place it in the Global container as follows:

PassivePorts 57000 58000

See the ProFTPd documentation for more information regarding the PassivePorts directive.

Next, the ip_conntrack_ftp module should be loaded into the system:

# /sbin/modprobe ip_conntrack_ftp
# lsmod | grep conntrack_ftp
nf_conntrack_ftp       13696  0
nf_conntrack           61684  1 nf_conntrack_ftp

Make sure that the following line exists in the iptables settings:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If the server is behind NAT, the ip_nat_ftp module should also be loaded:

# /sbin/modprobe ip_nat_ftp

To keep the changes after a reboot, add the modules to the IPTABLES_MODULES line (space-separated) in /etc/sysconfig/iptables-config.

[root@ ~]# cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack ip_nat_ftp"

Please note:

Because the FTP helper modules must read and modify commands being sent over the command channel, they will not work when the command channel is encrypted through use of TLS/SSL.

If TLS/SSL is required for FTP, the only option is to open the required ports:

# iptables -A INPUT -p tcp --match multiport --dports 57000:58000 -j ACCEPT
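
The check below is an added example, not part of the original article: it reads the PassivePorts range from a ProFTPd config and reports whether saved "iptables -S" output opens that range explicitly, relies on the FTP helper, or leaves passive transfers blocked once TLS is on. The function names, the constructed sample files, and the use of the mod_tls directive "TLSEngine on" to detect TLS are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article; the sample files at the end are constructed.

# Print "LOW HIGH" from the first PassivePorts directive; fail if there is none.
passive_range() {
    awk 'tolower($1) == "passiveports" && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             print $2, $3; found = 1; exit }
         END { if (!found) exit 1 }' "$1"
}

# Succeed if the config turns on mod_tls ("TLSEngine on").
tls_enabled() {
    awk 'tolower($1) == "tlsengine" && tolower($2) == "on" { tls = 1 }
         END { exit (tls ? 0 : 1) }' "$1"
}

# Succeed if a tcp INPUT ACCEPT rule in "iptables -S" output ($1) spans $2..$3.
range_open() {
    awk -v lo="$2" -v hi="$3" '
        $1 == "-A" && $2 == "INPUT" && /-p tcp / && /-j ACCEPT/ {
            for (i = 3; i < NF; i++)
                if ($i == "--dports" || $i == "--dport") {
                    n = split($(i + 1), part, ",")
                    for (k = 1; k <= n; k++) {
                        m = split(part[k], r, ":")
                        a = r[1] + 0; b = (m == 2 ? r[2] : r[1]) + 0
                        if (a <= lo + 0 && b >= hi + 0) ok = 1
                    }
                }
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Report which mechanism, if any, lets passive data connections through.
check_passive() {   # $1 = proftpd.conf, $2 = saved "iptables -S" output
    range=$(passive_range "$1") || { echo "no-passiveports"; return 0; }
    lo=${range% *}; hi=${range#* }
    if range_open "$2" "$lo" "$hi"; then echo "explicit-rule $lo:$hi"
    elif tls_enabled "$1"; then echo "blocked-under-tls $lo:$hi"
    elif grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' "$2"; then
        echo "helper-only $lo:$hi"   # relies on nf_conntrack_ftp being loaded
    else echo "blocked $lo:$hi"
    fi
}

tmp=$(mktemp -d)
printf '<Global>\nPassivePorts 57000 58000\nTLSEngine on\n</Global>\n' > "$tmp/proftpd.conf"
printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' > "$tmp/rules"
check_passive "$tmp/proftpd.conf" "$tmp/rules"
```

On a live server, pass /etc/proftpd.conf and a file produced with "iptables -S INPUT" instead of the constructed samples.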