How to Open Ports for Passive FTP in CSF (Configserver Firewall & Security)

When attempting to connect to an FTP server, the client fails with an error similar to the following:

 

227 Entering Passive Mode
Error: Connection Timeout

 

Description

This error can occur when your firewall is not configured to accept traffic on the passive port range configured on your server.

By default, this range is 49152-65534.

If you are using CSF on cPanel/WHM, it may be necessary to unblock the port range needed by the default FTP client, Pure-FTPd.

  1. To unblock those ports, log in to WHM.
  2. Once inside, go to Plugins.
  3. In plugins, click on Configserver Firewall & Security.
  4. Once there, click on Firewall Configuration.

Find the setting TCPIN and TCP_OUT in the list, and add the following to each: 49152:65534

The TCP_IN and TCP_OUT fields are comma-separated, but you can put the range above as a single value, so by default, the last port to open is 2096, so you would add the new one as 2096, 49152:65534

Click Change at the bottom. On the next screen, click Restart CSF + LFD.

Was this helpful?

0 / 0