Allowing Passive Mode FTP on an OpenVZ VPS with CSF firewall.
Posted on November 13th, 2015
If your VPS runs the CSF firewall on OpenVZ, you'll need to open a passive FTP port range in the firewall. Without it, you may see an error like:
Response: 227 Entering Passive Mode (173,214,161,157,31,147)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
For example, on a cPanel server, /etc/csf/csf.conf may show:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,28,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
Edit this file and change the above to:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,28,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,50000:51000"
Save the file and restart CSF with:
csf -r
You are not done yet, however. Also edit /etc/pure-ftpd.conf and look for:
# Port range for passive connections replies. - for firewalling.
#PassivePortRange 30000 51000
Uncomment the line and change it to:
PassivePortRange 50000 51000
Save this and restart the FTP server with:
/scripts/restartsrv_pureftpd
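Why both edits are needed, as an added example (not part of the original post): the 227 reply carries the data port as two bytes, and that port must fall inside TCP_IN. The function names are assumptions made for this sketch, and the second reply is a constructed sample.

```python
import re

def pasv_endpoint(reply):
    """Decode (h1,h2,h3,h4,p1,p2) from an FTP 227 reply into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("no passive-mode address tuple found")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("address/port byte out of range")
    # The data port is a 16-bit value sent as two bytes: p1 * 256 + p2.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def parse_tcp_in(line):
    """Turn a csf.conf TCP_IN line into a list of (low, high) port ranges."""
    value = line.split("=", 1)[1].strip().strip('"')
    ranges = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        low, _, high = item.partition(":")  # csf writes ranges as low:high
        ranges.append((int(low), int(high or low)))
    return ranges

def port_allowed(port, ranges):
    return any(low <= port <= high for low, high in ranges)

# Values taken from the post.
REPLY = "227 Entering Passive Mode (173,214,161,157,31,147)"
BASE = "20,21,22,25,28,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
TCP_IN_BEFORE = f'TCP_IN = "{BASE}"'
TCP_IN_AFTER = f'TCP_IN = "{BASE},50000:51000"'
# Constructed sample: a reply the server could send once PassivePortRange is 50000 51000.
REPLY_FIXED = "227 Entering Passive Mode (173,214,161,157,195,80)"

if __name__ == "__main__":
    for reply in (REPLY, REPLY_FIXED):
        ip, port = pasv_endpoint(reply)
        for label, line in (("before", TCP_IN_BEFORE), ("after", TCP_IN_AFTER)):
            ok = port_allowed(port, parse_tcp_in(line))
            print(f"{ip}:{port} TCP_IN {label}: {'allowed' if ok else 'blocked'}")
```

The port in the original error is blocked under both TCP_IN lines, which is why PassivePortRange has to be moved into the opened range as well.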