BuycPanel Blog


Adding FTP Server Passive Port Range to Firewall

Posted by Allura on 24 08 2018.

General Overview

FTP moves files between a server and its clients over two separate TCP connections: a control (command) connection and a data connection. In a conventional active-mode session the control connection uses port 21 on the server, and the server itself opens the data connection, from port 20, back to a port the client announces with the PORT command. In a passive-mode session the server instead answers the client's PASV command with an ephemeral port taken from its configured passive range, and the client opens the data connection to that port. That port is not port 20, so unless the server's firewall allows the whole passive range (or tracks FTP control traffic with a connection-tracking helper), the control connection works but directory listings and transfers stall.

Features of passive mode:

  • The FTP client initiates both the control connection and the data connection; the server never connects back to the client.
  • NAT or a stateful firewall in front of the client therefore does not block the data connection, because from the client's side it is an ordinary outbound connection.

How to add FTP server’s passive port range to Firewall?

This is a manual procedure. If you manage the server's firewall with the CSF plug-in, open the /etc/csf/csf.conf file and confirm that the passive port range (written as low:high, for example 49152:65534) appears at the end of the TCP_IN line. cPanel adds the FTP server's passive port range to the firewall by default, so it is normally already there; add it only if it is missing, and keep it identical to the range the FTP server is configured to use (PassivePortRange in /etc/pure-ftpd.conf for Pure-FTPd, or PassivePorts in the ProFTPD configuration) so that you do not open more high ports than the daemon will actually listen on.

If you use iptables directly for the FTP server's firewall, follow these steps to add the port range:

  • With a text editor, open the /etc/sysconfig/iptables file.
  • Add an appropriate iptables entry for your FTP server, or insert the rule into the running ruleset and then persist it. For the default passive range, the rule is:
  1. iptables -I INPUT -p tcp --dport 49152:65534 -j ACCEPT
  2. Save the running rules with service iptables save, which writes them back to /etc/sysconfig/iptables so they survive a restart.

The -I INPUT places the rule at the top of the INPUT chain, ahead of any DROP or REJECT rule that would otherwise match first. Replace 49152:65534 with the range your FTP server is actually configured to use.

If the server uses firewalld instead, add the FTP service and the passive port range with the following commands:

  • firewall-cmd --permanent --zone=public --add-service=ftp
  • firewall-cmd --permanent --zone=public --add-port=49152-65534/tcp
  • firewall-cmd --reload

Rules added with --permanent only take effect after --reload. Give both --add commands the same --zone: without --zone the port range goes into the default zone, which is not necessarily the zone that holds the ftp service.
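To tie the three firewall variants above together, here is an added example (not code from the BuycPanel post, CSF or cPanel's own tooling) that reads the passive range out of a Pure-FTPd configuration, checks whether a CSF TCP_IN line already covers the whole range, and prints the equivalent iptables and firewalld commands when it does not. The configuration fragment and the two TCP_IN lines are constructed sample input; the function names passive_range, csf_covers and firewall_rules are this example's own, and it assumes Pure-FTPd's PassivePortRange directive syntax.

```shell
#!/bin/sh
# Added example, not code from the BuycPanel post: derive the FTP server's
# passive port range from its configuration and check that CSF's TCP_IN
# line covers it; otherwise print the iptables/firewalld rules to add.
# Assumes Pure-FTPd's "PassivePortRange <low> <high>" directive.
# All input below is constructed sample data, not taken from a real server.

# Constructed /etc/pure-ftpd.conf fragment.
SAMPLE_PUREFTPD='# Port range for passive connections
PassivePortRange 49152 65534
Daemonize yes'

# Constructed CSF TCP_IN lines: one whose range covers the passive ports,
# one whose range is too narrow (a common mis-edit that makes transfers hang).
SAMPLE_CSF_OK='TCP_IN = "20,21,22,25,53,80,110,143,443,2082,2083,2086,2087,49152:65534"'
SAMPLE_CSF_BAD='TCP_IN = "20,21,22,25,53,80,110,143,443,2082,2083,2086,2087,49152:50000"'

# passive_range CONFIG_TEXT -> prints "low high" from the first
# PassivePortRange directive (prints nothing if the directive is absent).
passive_range() {
    printf '%s\n' "$1" |
        awk '/^[[:space:]]*PassivePortRange[[:space:]]/ { print $2, $3; exit }'
}

# csf_covers TCP_IN_LINE LOW HIGH -> succeeds only if some low:high entry in
# TCP_IN fully contains LOW..HIGH. A range that merely overlaps is not enough:
# data connections landing on the uncovered ports are dropped.
csf_covers() {
    ports=$(printf '%s\n' "$1" | sed -n 's/^TCP_IN *= *"\(.*\)"/\1/p')
    printf '%s\n' "$ports" | tr ',' '\n' |
        awk -F: -v lo="$2" -v hi="$3" '
            NF == 2 && $1 + 0 <= lo + 0 && $2 + 0 >= hi + 0 { found = 1 }
            END { exit (found ? 0 : 1) }'
}

# firewall_rules LOW HIGH -> prints the equivalent iptables and firewalld
# commands for a server that does not use CSF.
firewall_rules() {
    printf 'iptables -I INPUT -p tcp --dport %s:%s -j ACCEPT\n' "$1" "$2"
    printf 'service iptables save\n'
    printf 'firewall-cmd --permanent --zone=public --add-port=%s-%s/tcp\n' "$1" "$2"
    printf 'firewall-cmd --reload\n'
}

# Stand-alone run against the constructed data.
set -- $(passive_range "$SAMPLE_PUREFTPD")
for line in "$SAMPLE_CSF_OK" "$SAMPLE_CSF_BAD"; do
    if csf_covers "$line" "$1" "$2"; then
        echo "covered:     $line"
    else
        echo "NOT covered: $line"
        echo "  add $1:$2 to TCP_IN, or on a non-CSF server run:"
        firewall_rules "$1" "$2" | sed 's/^/    /'
    fi
done
```

On a real server you would feed passive_range the contents of /etc/pure-ftpd.conf and csf_covers the TCP_IN line grepped out of /etc/csf/csf.conf; the check deliberately requires full containment rather than overlap, because a TCP_IN range that stops short of the daemon's upper bound produces intermittent failures that are hard to diagnose.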

If you use Xen or SolusVM, you are likely to run into connection problems when you add the FTP server to a firewall, because the VPS node's iptables is not loading the FTP connection-tracking helper and so cannot relate passive data connections to their control connection. To avoid this:

  1. In the /etc/sysconfig/iptables-config file on the VPS node, replace the IPTABLES_MODULES="ip_conntrack_netbios_ns" line so that the FTP helper is loaded as well: IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp" (on kernels that use the nf_conntrack naming, the module is nf_conntrack_ftp).
  2. Restart the iptables service with service iptables restart so that the new module list is loaded.


If your server cannot make passive-mode FTP connections to other IP addresses on the same server (typically because it sits behind NAT), do the following:

  • In cPanel & WHM version 66 and later, set the Force Passive IP option (WHM » Service Configuration » FTP Server Configuration) to a tilde (~). This prevents cPanel from making automatic changes to the FTP server's configuration files.
  • In cPanel & WHM version 64 and earlier, perform the steps in the Passive FTP and NAT Configuration Temporary Workaround documentation.