ProFTPD Passive Configuration

How many clients do you have ? You'd usually need more than 25 ports for passive usage, maybe twice the number of your clients would be a rule of thumb.

 

Try opening port 20 in your firewall as well - that may help.

 

Are you using an SPI firewall such as APF? If so, there's no need at all to open up ephemeral ports for PASV FTP, as they're allowed due to the existing port 21 connection. IF that is the case, there's also no need to specify the port range in the ftp daemon configuration since any unused ephemeral port will do.

If you're using a non-SPI firewall, do you actually login and then it freezes? If you cannot even login, then the problems are elsewhere since it doesn't enter PASV mode until you've authenticated (IIRC).

 

Why is it that what you say simply doesnt work in this case ??
I have diddled with this on numerous servers off and on for MONTHS ~ my solution at best is to open 35000_36000 in apf and open them and uncomment the pureftp conf to passive connections on 35000 36000 and ftp works as it should - if I remove those ftp runs like its a cobalt raq unit from 1990 HORRIBLE connections dropped ftps and all my customers complain.....
Chirpy yer sposed to be the cpanel god man ~ what gives why do I see in thread after thread you say we shouldnt open these but it wont work any other way ~
Lettuce get to the beef of this at last please can you enlighten me please.

 

I have never had to open a hole in the APF firewall for passive FTP. IF you are having to, you may be blocking static ports that you shouldn't be (i.e. 20 and 21). Also, do make sure you're using the latest APF as recent ones have been very buggy and I have had problems on some servers with the very latest release too. In those cases I've used a different SPI firewall script also without a hole in it.

 

What issues could arise from blocking 21? I changed the default port for ProFTP awhile ago and when I setup APF I went through /etc/apf/conf.apf and removed all instances of 21 and replaced it with my custom port. I also had to unblock 35000_36000.