
Overview

This document explains how to use either the active or passive mode to connect to a File Transfer Protocol (FTP) server.

Important:

As of cPanel & WHM version 60, the system enables passive ports for Pure-FTPd servers and ProFTPd servers by default. If you use the CSF firewall plugin, the system also adds passive port ranges to your server's firewall by default.

Active mode vs. passive mode

FTP uses two ports, a data port and a command port, to transfer information between a client and a server. Typically, the command port uses port 21 and the data port uses port 20. Depending on the mode in use, however, the data port does not always use port 20.

Active

In active mode, the FTP server responds to the client's connection attempt by opening a second connection of its own, from a different port, back to the FTP client. Network Address Translation (NAT) configurations block this incoming connection request.


Passive

In passive mode, the FTP client initiates both connection attempts. NAT configurations do not block this connection request.


Note:

If FTP users exist on the private network side of a NAT configuration, you must enable FTP's passive mode and open the passive port range in your FTP server's configuration file. You may also need to open the passive port range on your firewall.
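To show the NAT symptom concretely, here is an added Python check (not part of the original page or of cPanel) that parses the server's 227 PASV reply, which carries the advertised address and data port, and flags a private advertised address or a data port outside the passive range the firewall opens. The sample replies and addresses are constructed.

```python
import ipaddress
import re

# RFC 1918 private ranges; a server behind NAT that lacks ForcePassiveIP
# (Pure-FTPd) or MasqueradeAddress (ProFTPd) advertises one of these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return the (ip, port) that the server advertises in a 227 PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # high byte, low byte
    if port == 0:
        raise ValueError("PASV reply advertised port 0")
    return ip, port


def check_pasv(reply, control_ip, port_range=(49152, 65534)):
    """List the reasons a client would fail to open the data connection.

    control_ip is the address the client used for the command connection;
    port_range is the passive range the firewall allows (the page's default).
    """
    ip, port = parse_pasv_reply(reply)
    advertised = ipaddress.ip_address(ip)
    problems = []
    if any(advertised in net for net in RFC1918) and ip != control_ip:
        problems.append("advertised private address %s; set ForcePassiveIP "
                        "or MasqueradeAddress to the public address" % ip)
    elif ip != control_ip:
        problems.append("advertised %s but the command connection went to %s"
                        % (ip, control_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the passive range %d-%d "
                        "opened in the firewall" % (port, lo, hi))
    return problems
```

A correctly configured server returns an empty list; each string describes one reason the data connection would hang or be refused.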

Configure FTP servers

To configure your FTP server, follow the section below that corresponds to your FTP server software.

As of cPanel & WHM version 60, the system enables passive ports for Pure-FTPd servers and ProFTPd servers by default. The sections below describe how to edit the default configurations for a Pure-FTPd server and a ProFTPd server.

Pure-FTPd servers

To edit the FTP configuration for a Pure-FTPd server, perform the following steps:

  1. Log in to the server as the root user via SSH.
  2. Open the /var/cpanel/conf/pureftpd/local file, if it already exists, with a text editor. If it does not already exist, create the /var/cpanel/conf/pureftpd/local file.
  3. Add the desired changes to the file. For example, if your FTP server exists behind a NAT configuration, set the ForcePassiveIP option to the FTP server's public IP address. This will resemble the following example:

    ForcePassiveIP 192.168.0.1


  4. If you wish to change your server's default passive port range, run the following commands:

    echo "PassivePortRange: 49152 65534" >> /var/cpanel/conf/pureftpd/local
    /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

    Important:

    If you change the FTP server's passive port range, make certain that you change the range in your server's firewall application as well. To do this, follow the directions in the Configure the firewall section below.

  5. Configure your server to allow the passive ports to pass through the firewall. To do this, follow the directions in the Configure the firewall section below.

  6. Restart the Pure-FTPd service. To do this, run the following command:

    /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

ProFTPd servers

To edit the FTP configuration for a ProFTPd server, perform the following steps:

  1. Log in to the server as the root user via SSH.

  2. Open the /var/cpanel/conf/proftpd/local file, if it already exists, with a text editor. If it does not already exist, create the /var/cpanel/conf/proftpd/local file.

  3. Make the desired changes. For example, if your FTP server exists behind a NAT configuration, set the ForcePassiveIP option to the FTP server's public IP address. This will resemble the following example:

    ForcePassiveIP 192.168.0.1

  4. If you wish to change your server's default passive port range, run the following commands:

    echo "PassivePorts: 49152 65534" >> /var/cpanel/conf/proftpd/local
    /usr/local/cpanel/scripts/setupftpserver proftpd --force

    Important:

    If you change the FTP server's passive port range, make certain that you change the range in your server's firewall application as well. To do this, follow the directions in the Configure the firewall section below.

  5. Configure your server to allow the passive ports to pass through the firewall. To do this, follow the directions in the Configure the firewall section below.

  6. Restart the ProFTPd service. To do this, run the following command:

    /usr/local/cpanel/scripts/setupftpserver proftpd --force

Configure the firewall

As of cPanel & WHM version 60, the system enables passive ports for Pure-FTPd servers and ProFTPd servers by default. However, you may need to add your FTP server's passive port range to the firewall manually.

CSF

If you use the CSF plugin to manage your server's firewall, open the /etc/csf/csf.conf file and confirm that the passive port range exists at the end of the TCP_IN line. The system adds your FTP server's passive port range to the firewall automatically.
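The following Python script is an added example (not cPanel's or CSF's own code) that automates the check above: it reads the TCP_IN line from a csf.conf and the PassivePortRange (or ProFTPd PassivePorts) directive from the FTP server configuration, and reports whether the firewall opens every port of the passive range. The file contents below are constructed samples.

```python
import re

# Constructed sample file contents, not taken from a real server.
CSF_CONF = '''# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,49152:65534"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
'''

PURE_FTPD_CONF = '''# Port range for passive connections replies.
#PassivePortRange 30000 50000
PassivePortRange 49152 65534
'''


def parse_csf_tcp_in(text):
    """Return the TCP_IN entries of a csf.conf as (low, high) port tuples."""
    m = re.search(r'^TCP_IN\s*=\s*"([^"]*)"', text, re.M)
    if not m:
        raise ValueError("no TCP_IN line in csf.conf")
    entries = []
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        # CSF writes a range as low:high; a single port has no colon.
        lo, _, hi = item.partition(":")
        entries.append((int(lo), int(hi or lo)))
    return entries


def parse_passive_range(text, directive="PassivePortRange"):
    """Read 'PassivePortRange lo hi' (Pure-FTPd) or 'PassivePorts lo hi'
    (ProFTPd), skipping lines that are still commented out with '#'."""
    m = re.search(r"^\s*%s\s+(\d+)\s+(\d+)" % re.escape(directive), text, re.M)
    if not m:
        raise ValueError("%s is not set or is commented out" % directive)
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError("bad passive range %d %d" % (lo, hi))
    return lo, hi


def firewall_covers_passive_range(csf_text, ftpd_text, directive="PassivePortRange"):
    """True only if every port of the FTP passive range is allowed by TCP_IN."""
    lo, hi = parse_passive_range(ftpd_text, directive)
    entries = parse_csf_tcp_in(csf_text)
    return all(any(a <= p <= b for a, b in entries) for p in range(lo, hi + 1))
```

On a live server, read /etc/csf/csf.conf and /etc/pure-ftpd.conf (or /etc/proftpd.conf with directive="PassivePorts") into the two text arguments.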


For more information about how to install and use CSF, visit the CSF website.

IPTABLES

If you use the IPTABLES application for your FTP server's firewall, perform the following steps to add the passive port range to your server's firewall:

  1. Open the /etc/sysconfig/iptables file with a text editor.

  2. Add an IPTABLES entry for the FTP server. This entry will resemble the following example:

    -A INPUT -p tcp --dport 49152:65534 -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT


  3. After you add this line to the /etc/sysconfig/iptables file, run the following commands:

    iptables -I INPUT -p tcp --dport 49152:65534 -j ACCEPT
    service iptables save

firewalld

If you use the firewalld application for your CentOS 7, CloudLinux™ 7, or Red Hat® Enterprise Linux (RHEL) 7 server, run the following commands to add the passive port range to your server's firewall:

    firewall-cmd --permanent --zone=public --add-service=ftp
    firewall-cmd --permanent --add-port=49152-65534/tcp
    firewall-cmd --reload

Enable the passive port range for Pure-FTPd

To enable the passive port range on a server that uses Pure-FTPd, perform the following steps via the command line as the root user:

  1. With a text editor, open the /etc/pure-ftpd.conf configuration file.
  2. Remove the comment (#) from the beginning of the line that contains the PassivePortRange option.

  3. Set the PassivePortRange option to a port range that is greater than or equal to 1024.

    In the following example, 49152 65534 represents the PassivePortRange option:

    PassivePortRange 49152 65534

    Important:

    We strongly recommend that you configure a large port range so that the server can process many simultaneous passive connections. For example, the Internet Assigned Numbers Authority (IANA) recommends the 49152:65534 port range.

  4. Save the changes to the configuration file.

  5. If your FTP server exists behind a NAT configuration, open the /var/cpanel/conf/pureftpd/main file with a text editor and set the ForcePassiveIP option to the FTP server's public IP address.

    Warning:

    We strongly recommend that you only perform this action if your server exists behind a NAT configuration. This option prevents connections to other IP addresses on the server, and connections via domains that resolve to other IP addresses. If you set an IP address for the ForcePassiveIP option, you can only connect to the FTP server via that IP address.

  6. Run the following commands to allow connections through the passive port range of your server's firewall:

    iptables -I INPUT 2 -p tcp --dport 49152:65534 -j ACCEPT
    service iptables save

    Important:

    If your FTP server exists on a CentOS 7, CloudLinux™ 7, or Red Hat® Enterprise Linux (RHEL) 7 server, run the following commands to allow connections through the passive port range that you set:

    firewall-cmd --permanent --zone=public --add-service=ftp
    firewall-cmd --permanent --add-port=49152-65534/tcp
    firewall-cmd --reload

  7. Run the /usr/local/cpanel/scripts/restartsrv_ftpserver command to restart the FTP server.

  8. To make these changes permanent, you must append the passive ports to the configuration file. To do this, run the following commands as the root user:

    echo "PassivePortRange: 49152 65534" >> /var/cpanel/conf/pureftpd/main
    /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force

For more information about how to edit your Pure-FTPd configuration, read our FTP FAQ documentation.

Enable the passive port range for ProFTPd

To enable the passive port range on a server that uses ProFTPd, perform the following steps via the command line as the root user:

  1. With a text editor, open the /etc/proftpd.conf configuration file.
  2. Add the following line to the first section of the configuration file, where 49152 65534 represents the PassivePorts option:

    PassivePorts 49152 65534

  3. If your FTP server exists behind a NAT configuration, add the following additional lines to the configuration file:

    MasqueradeAddress example.com
    MasqueradeAddress 10.3.5.333

    Notes:

    • The MasqueradeAddress lines specify the FTP server's public IP address.
    • example.com represents your FTP server's hostname.
    • 10.3.5.333 represents your FTP server's public IP address.
  4. Save the changes to the configuration file.
  5. Run the following commands to allow connections through the passive port range of your server's firewall:

    iptables -I INPUT 2 -p tcp --dport 49152:65534 -j ACCEPT
    service iptables save

    Important:

    If your FTP server exists on a CentOS 7, CloudLinux 7, or RHEL 7 server, run the following commands to allow connections through the passive port range that you set:

    firewall-cmd --permanent --zone=public --add-service=ftp
    firewall-cmd --permanent --add-port=49152-65534/tcp
    firewall-cmd --reload

  6. Run the /usr/local/cpanel/scripts/restartsrv_ftpserver command to restart the FTP server.

  7. System updates may overwrite these configuration changes. To make these changes permanent, you must append the passive ports to the configuration file. To do this, run the following commands as the root user:

    echo "PassivePorts: 49152 65534" >> /var/cpanel/conf/proftpd/main
    /usr/local/cpanel/scripts/setupftpserver proftpd --force

For more information about how to edit your ProFTPd configuration, read our FTP FAQ documentation.

SolusVM and Xen

If you use SolusVM and Xen on a CloudLinux™ server, you may experience problems with passive FTP. These problems may resemble a firewall or other connection issue, even when no firewall exists.

To resolve these issues, perform the following steps:

  1. Replace the IPTABLES_MODULES=ip_conntrack_netbios_ns line in the /etc/sysconfig/iptables-config file on the VPS node with the following line:

    IPTABLES_MODULES=ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT

  2. Run the service iptables restart command to restart the iptables service.

Additional documentation