Allowing Passive Mode FTP on an OpenVZ VPS with CSF firewall.

If your VPS runs the CSF firewall on OpenVZ, you’ll need to open a port range for passive FTP in the firewall. Without it, you may see an error like:


Response: 227 Entering Passive Mode (173,214,161,157,31,147)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
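
The last two numbers in the 227 reply encode the data port the client is told to connect to (p1*256 + p2). The script below is an added example, not part of the original post; its function names are illustrative. It decodes that port and checks it against a CSF-style TCP_IN list.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# pasv_port REPLY: print the data port from "227 ... (h1,h2,h3,h4,p1,p2)".
# The port is p1*256 + p2; returns 1 if the reply cannot be parsed.
pasv_port() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9, ]*\)).*/\1/p' | tr -d ' ')
    p1=$(printf '%s\n' "$nums" | cut -s -d, -f5)
    p2=$(printf '%s\n' "$nums" | cut -s -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    [ "$p1" -le 255 ] && [ "$p2" -le 255 ] || return 1
    echo $(( p1 * 256 + p2 ))
}

# port_allowed PORT LIST: succeed if PORT matches an entry of a CSF-style
# comma-separated list, where a range is written lo:hi (e.g. 50000:51000).
# The body runs in a subshell so the IFS change does not leak to the caller.
port_allowed() (
    IFS=,
    for entry in $2; do
        case $entry in
            *:*) [ "$1" -ge "${entry%%:*}" ] && [ "$1" -le "${entry##*:}" ] && exit 0 ;;
            *)   [ "$1" -eq "$entry" ] && exit 0 ;;
        esac
    done
    exit 1
)

# Demo with the reply and the original TCP_IN value quoted on this page.
reply='227 Entering Passive Mode (173,214,161,157,31,147)'
tcp_in='20,21,22,25,28,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096'
port=$(pasv_port "$reply")
if port_allowed "$port" "$tcp_in"; then
    echo "port $port is open in TCP_IN"
else
    echo "port $port is not in TCP_IN: the data connection will time out"
fi
```

The port in the sample reply decodes to 8083, which is also outside 50000:51000, so widening TCP_IN only helps once the FTP server is limited to that same range.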


For example, on a cPanel server, /etc/csf/csf.conf may show:


# Allow incoming TCP ports
TCP_IN = "20,21,22,25,28,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"


Edit this file and change the above to:


# Allow incoming TCP ports
TCP_IN = "20,21,22,25,28,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,50000:51000"


Save the file and restart csf with 

csf -r


You are not done yet, however. Also edit /etc/pure-ftpd.conf and look for:


# Port range for passive connections replies. - for firewalling.
#PassivePortRange          30000 51000


Change to


PassivePortRange          50000 51000



Save this and restart FTP with