Jun 09 2010

From theserverpages.com

So you installed a firewall, but it seems to have crippled passive FTP connections. Your clients are complaining of timeouts and lagging performance of the FTP server. These are all signs that you did not configure your firewall and FTP server properly for passive FTP connections.

This how-to tries to explain everything in a way that gives you an understanding of what you must do even if you are not using the software mentioned. It covers the following setup:

Firewall: APF
FTP Server: Pure-FTPD

What is a Passive FTP Connection?
When a client connects to an FTP server and wants to transfer a file or a directory listing, a second connection (the data connection) must be opened. In a passive FTP connection the client opens that data connection to the server, instead of the server connecting back to the client. This is necessary when the client sits behind a firewall or a router of some sort and is unable to forward the correct ports to its machine.

What happens when the server is behind a firewall as well?
Since the client must connect to the server, there must be an accessible port for the client to use other than port 21. The FTP server generally picks a port within a certain range and tells the client to connect to it, but when the firewall is set up to block that port, the connection cannot be made and the client times out.

So what can we do about this?
The firewall can be configured to leave a certain port range open for the FTP server. The FTP server must then be configured to use exactly those ports; this range is often referred to as the ‘passive port range’.

Setting up the firewall: (APF Firewall)
1. Open your APF configuration file with your favorite editor. This configuration file is usually located at: /etc/apf/conf.apf

vi /etc/apf/conf.apf

2. Select a port range to use for the passive FTP connection, and find the line that looks like this:

IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096, 3306"

If this list of ports already includes a port range above 20000, then you can skip ahead to configuring your FTP server, but remember the range listed. (20000 to 30000 would be written as 20000_30000.)

3. Add the port range to the end of the line, inside the quotation marks ("). Remember that each port or port range is separated by a comma (,), and a port range from 35000 to 36000 is written as 35000_36000.

IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096, 3306, 35000_36000"

4. Save and restart your firewall.

To restart your firewall:
/etc/init.d/apf restart

Setting up the FTP Server (Pure-FTPD):
There are two different config files your server may use. If you are using cPanel, then most likely it is located here:

If you are unable to find that file, or if your FTP server is set up to read a conf file, then most likely it is located here:


Using: /etc/sysconfig/pure-ftpd

Look for a line containing: -p or --passiveportrange

If you do find it and it has been commented out with a ‘#’ character then remove the ‘#’ character in front of it.

Now just check that the port range listed is correct. Remember, port ranges listed here have a ‘:’ character between the numbers, while APF uses a ‘_’ character.

I.e. (if the port range is 35000 to 36000 and appears as 35000_36000 in the APF config file, then it should look like one of these):
--passiveportrange 35000:36000
-p 35000:36000

If you do not find it, go to the end of the file and add the option followed by the port range you had in the APF firewall config file, replacing the ‘_’ character with a ‘:’.

So if the port range is 35000 to 36000 and appears as 35000_36000 in the APF config file, then you want to add 35000:36000.

I.e. (port range from 35000 to 36000):
--passiveportrange 35000:36000
When done, save the file and restart your FTP server.

/etc/init.d/pure-ftpd restart

Using: /etc/pure-ftpd.conf

Look for a line containing: PassivePortRange

# Port range for passive connections replies. - for firewalling.

#PassivePortRange 30000 40000
If there is a leading ‘#’ character, remove it.

If the port range is incorrect, change it. The port range here has an actual space between the numbers, not a ‘_’ character.

I.e. (the previous example becomes this):
# Port range for passive connections replies. - for firewalling.

PassivePortRange 35000 36000

Now save the file and restart your FTP server.

/etc/init.d/pure-ftpd restart
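As an added check (example code written for this post, not part of the original how-to nor of APF or Pure-FTPd): a small Python script that reads the APF IG_TCP_CPORTS line and the Pure-FTPd passive range in either config style (PassivePortRange LOW HIGH, or -p/--passiveportrange LOW:HIGH), and confirms that the FTP server's passive range lies entirely inside a range the firewall opens. The config lines embedded in it are constructed samples, not taken from a real host.

```python
import re

# Constructed sample config lines in the three formats this how-to describes.
APF_CONF = '''
IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443, 3306, 35000_36000"
'''
PUREFTPD_CONF = '''
# Port range for passive connections replies. - for firewalling.
PassivePortRange 35000 36000
'''
SYSCONFIG_PUREFTPD = '''
--passiveportrange 35000:36000
'''


def apf_inbound_tcp(text):
    """Return the (low, high) TCP ranges APF opens inbound via IG_TCP_CPORTS.
    A single port becomes (p, p); APF writes a range as LOW_HIGH."""
    m = re.search(r'^IG_TCP_CPORTS="([^"]*)"', text, re.M)
    if not m:
        return []
    ranges = []
    for item in m.group(1).split(','):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition('_')
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def pureftpd_passive_range(text):
    """Return (low, high) from either Pure-FTPd config style, or None when the
    setting is absent or still commented out with a leading '#'."""
    pat = (r'^\s*(?:PassivePortRange\s+(\d+)\s+(\d+)'
           r'|(?:-p|--passiveportrange)[\s=]+(\d+):(\d+))')
    m = re.search(pat, text, re.M)
    if not m:
        return None
    lo, hi = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
    return int(lo), int(hi)


def passive_range_is_open(apf_text, ftp_text):
    """True only when the whole FTP passive range sits inside one APF range;
    a partial overlap still leaves some data connections to time out."""
    pr = pureftpd_passive_range(ftp_text)
    if pr is None:
        return False
    lo, hi = pr
    return any(a <= lo and hi <= b for a, b in apf_inbound_tcp(apf_text))
```

Run it against your own files by reading /etc/apf/conf.apf and the Pure-FTPd config into the two text arguments; a False result means the firewall and FTP server disagree on the range.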

Regarding FileZilla settings…
Here are the FileZilla settings in screenshots which allowed me to connect successfully after modifying the FTP server with the above settings…
All of the other FileZilla settings are set to their respective defaults…

The FileZilla client information:

FileZilla Client

Version: 3.3.3-rc1

Build information:
Compiled for: i486-pc-linux-gnu
Compiled on: i486-pc-linux-gnu
Build date: 2010-06-08
Compiled with: gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3
Compiler flags: -g -O2 -Wall -g -fexceptions

Linked against:
wxWidgets: 2.8.10
GnuTLS: 2.8.5

Operating system:
Name: Linux 2.6.32-22-generic i686
Version: 2.6


p.s. To the Filezilla admin that runs the forums…. yea, we all know we should RTFM as that is the pat answer you state over and over again in EVERY SINGLE FUCKING POST… we get it… but as usual, it doesn’t answer the question that is posted over and over again regarding this issue. When the software was updated with the newer and better MLST command, the least you could do is provide more complete details regarding setting the software up to work correctly. I for one like and use it constantly, or did until it stopped working because of the update. Of course, the software could never be the issue here, you point out to everyone;

-MLSD is only used on servers that are advertising MLSD support. So if MLSD fails as seen in the log, it’s clearly a broken router and/or firewall
-many personal firewalls and consumer routers are flawed or in some cases, are even actively sabotaging FTP
-you might want to try to uninstall your firewall to see what happens
-try to connect directly to the internet without a router
-changing the listening port.
-could be files in public_html where the server hangs at, maybe files with “special” characters

and my personal favorite…
-Definitely not the fault of FileZilla. There is some broken router and/or firewall sabotaging the connection. Please read the Network Configuration guide.

This goes on and on, in post after post; finally someone from another site posted a configuration without all the miscellaneous assumptions and, unfortunately, no reference to your tl;dr networking guide.

I really hate to rant about this, but when such a simple issue is clouded with minutia and bullshit so thick it occludes the issue entirely, it pisses me off…

 Posted by at 6:47 am