The PassivePorts directive is used in the file /etc/proftpd.conf to specify a passive ports range.

- Connect to the Plesk server via SSH.

- Create the /etc/proftpd.d/55-passive-ports.conf file using the following command:

  # touch /etc/proftpd.d/55-passive-ports.conf

- Edit the file /etc/proftpd.d/55-passive-ports.conf in any text editor and place the following content in it:

  <Global>
  PassivePorts 49152 65535
  </Global>

  Note: Remove the PassivePorts directive from the /etc/proftpd.conf file if it is defined there. Specify ports in /etc/proftpd.d/* files as well, if needed. See the ProFTPD documentation for more information regarding the PassivePorts directive.

- Next, the nf_conntrack_ftp module should be loaded into the system:

  # /sbin/modprobe nf_conntrack_ftp
  # lsmod | grep conntrack_ftp
  nf_conntrack_ftp 13696 0
  nf_conntrack 61684 1 nf_conntrack_ftp

- If Plesk Firewall is installed and enabled, specify the port range according to the KB article "Unable to connect to FTP in passive mode". If another firewall is used to manage iptables rules, use it to allow the passive ports range. Otherwise, make sure that the following line exists in the iptables settings:

  # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

- If the server is behind NAT, the nf_nat_ftp module should be loaded:

  # /sbin/modprobe nf_nat_ftp

  If FirewallD on CentOS 7 is installed, the NAT modules should be added to /etc/modules-load.d/iptables.conf:

  # echo nf_nat_ftp >> /etc/modules-load.d/iptables.conf
  # echo nf_conntrack_ftp >> /etc/modules-load.d/iptables.conf

  Note: Kernel module configuration must be performed on bare-metal hardware or in a virtual machine with full hardware emulation. If a container is used, the same actions should be performed on the hardware node.

- To keep the changes after a system reboot, the modules should be added to the IPTABLES_MODULES line in the file /etc/sysconfig/iptables-config as follows:

  # cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
  IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack ip_nat_ftp"

  Note: Because the FTP helper modules must read and modify commands sent over the command channel, they will not work when the command channel is encrypted with TLS/SSL.

- If it is required to use TLS/SSL for FTP, the only way is to open the required ports. Use the Plesk Firewall extension for this, or add the rules using iptables:

  # iptables -I INPUT 2 -p tcp --match multiport --dports 49152:65535 -j ACCEPT
  # service iptables save

  Note: Ports should be opened on all firewalls in the network.

- Restart the xinetd service to apply the changes:

  # service xinetd restart
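The steps above touch three independent places (the ProFTPD config, the loaded kernel modules and the iptables ruleset), and passive FTP only works when all three agree on the port range. The script below is an added example, not part of the Plesk article, that checks that agreement offline: it parses a PassivePorts directive, validates the range, flags the directive being defined twice (the situation the note about /etc/proftpd.conf warns about), confirms the helper modules appear in an lsmod listing, and confirms the ruleset either opens the range explicitly (the TLS/SSL case) or accepts RELATED,ESTABLISHED traffic (the conntrack-helper case). All inputs are constructed sample files written to a temporary directory; the file names and the lsmod and iptables-save formats are assumptions made for the example and nothing here reads or changes the real system.

```shell
#!/bin/sh
# Added example (not from the Plesk article): offline sanity checks for the
# passive-FTP setup described above. All inputs are constructed sample files
# that stand in for the real config, `lsmod` and `iptables-save` output.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/55-passive-ports.conf" <<'EOF'
<Global>
    PassivePorts 49152 65535
</Global>
EOF

# Constructed main config that still carries a stale PassivePorts line,
# the situation the article's note tells you to clean up.
cat > "$WORK/proftpd.conf" <<'EOF'
ServerName "ProFTPD"
PassivePorts 50000 50100
EOF

cat > "$WORK/lsmod.txt" <<'EOF'
nf_conntrack_ftp 13696 0
nf_conntrack 61684 1 nf_conntrack_ftp
EOF

cat > "$WORK/iptables-save.txt" <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:65535 -j ACCEPT
EOF

# Print "low high" for the first PassivePorts directive in a file (nothing if absent).
passive_range() {
    awk '$1 == "PassivePorts" { print $2, $3; exit }' "$1"
}

# Count PassivePorts directives across all given files; more than one means the
# directive is defined in two places and ProFTPD may not use the one you expect.
count_passive_directives() {
    cat "$@" | awk '$1 == "PassivePorts" { n++ } END { print n + 0 }'
}

# Validate a range: both values numeric and 1024 <= low < high <= 65535.
range_is_valid() {
    for v in "$1" "$2"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1024 ] && [ "$1" -lt "$2" ] && [ "$2" -le 65535 ]
}

# Succeed only if every named kernel module appears in the lsmod listing.
modules_loaded() {
    listing=$1; shift
    for m in "$@"; do
        awk -v m="$m" '$1 == m { found = 1 } END { if (!found) exit 1 }' "$listing" || return 1
    done
}

# Succeed if the ruleset opens the passive range explicitly (needed for FTPS,
# where the conntrack helper cannot see the command channel) or accepts
# RELATED,ESTABLISHED traffic (enough for plain FTP with nf_conntrack_ftp loaded).
firewall_allows_range() {
    rules=$1; low=$2; high=$3
    grep -q -- "--dports $low:$high -j ACCEPT" "$rules" && return 0
    grep -q -- "--state RELATED,ESTABLISHED -j ACCEPT" "$rules"
}

# Stand-alone report over the sample data.
set -- $(passive_range "$WORK/55-passive-ports.conf")
echo "configured passive range: $1-$2"
range_is_valid "$1" "$2" && echo "range ok" || echo "range INVALID"
n=$(count_passive_directives "$WORK/55-passive-ports.conf" "$WORK/proftpd.conf")
[ "$n" -eq 1 ] || echo "WARNING: PassivePorts defined $n times; remove the copy in proftpd.conf"
modules_loaded "$WORK/lsmod.txt" nf_conntrack_ftp && echo "nf_conntrack_ftp loaded"
modules_loaded "$WORK/lsmod.txt" nf_nat_ftp || echo "nf_nat_ftp not loaded (needed only behind NAT)"
firewall_allows_range "$WORK/iptables-save.txt" "$1" "$2" && echo "firewall allows $1:$2"
```

To run the same checks against a live server, point the functions at /etc/proftpd.d/55-passive-ports.conf and /etc/proftpd.conf and feed them the output of lsmod and iptables-save captured to files; the range check is deliberately strict about staying above 1024 so a typo in the directive cannot silently hand out privileged ports for data connections.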
From: https://support.plesk.com/hc/en-us/articles/213902285