Wondering how to enable ProFTPD passive ports? Here's how we do it.
Enabling passive ports helps establish remote connections.
At Bobcares, we often get requests to enable passive ports, as a part of our Server Management Services.
Today, we will have a look at how our Support Engineers enable ProFTPD passive ports.
Why do we configure passive ports for ProFTPD?
Usually, an FTP service uses two ports: a data port and a control port.
In active mode, the client establishes the control channel and the server establishes the data channel. This can be a problem if the client machine is behind a firewall that denies connections from external hosts.
In passive mode, by contrast, the client establishes both channels. The client asks the server to listen on a port, and the server returns the port number to the client. The client then connects to that port, which creates the data channel, and the transfer continues.
So, we configure an additional port range so that the ProFTPD service can run in passive mode.
How do we configure ProFTPD passive ports?
Our customers often approach us to configure passive ports for ProFTPD. Let’s see how our Support Engineers do this.
Initially, we connect to the server and check for any already configured passive ports.
If there are no passive ports configured, we do it for them. For this, we create a local config file in the ProFTPD folder.
touch /etc/proftpd.d/local.conf
Later, we open this file and add the passive port range,
<Global>
PassivePorts 49152 65535
</Global>
In most cases, we use the IANA-registered ephemeral port range, 49152 to 65535.
Then we save the changes.
We also enable the required kernel modules. For instance, we enable the nf_conntrack_ftp module, using the command,
/sbin/modprobe nf_conntrack_ftp
If the server uses NAT, we additionally need to enable the nf_nat_ftp module.
Then we add the following line to the iptables config file /etc/sysconfig/iptables-config,
IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"
Most importantly, we also make sure to open the passive port range in the server firewall. Otherwise, the firewall blocks the incoming data connection from the client. We add the iptables rule as follows,
This is how we configure the passive port range in ProFTPD.
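To confirm that the firewall step matches the PassivePorts range, a check like the following can be used. It is an added example, not part of the original Bobcares procedure; the function names and the sample config and rule text are constructed for illustration, and it only looks at explicit --dport/--dports ACCEPT rules in the INPUT chain.

```shell
# Added example: is the ProFTPD PassivePorts range opened by an explicit
# tcp ACCEPT rule in the INPUT chain? All sample data below is constructed.
SAMPLE_CONF='<Global>
PassivePorts 49152 65535
</Global>'
SAMPLE_RULES_OK='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT'
SAMPLE_RULES_NARROW='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,50000:50100 -j ACCEPT'

# Read config text on stdin; print "MIN MAX" of the first active PassivePorts
# directive. Fails if none is found or the range is not within 1024-65535.
passive_range() {
  awk 'tolower($1) == "passiveports" && NF >= 3 {
         lo = $2 + 0; hi = $3 + 0
         if (lo >= 1024 && lo <= hi && hi <= 65535) { print lo, hi; ok = 1 }
         exit
       }
       END { exit (ok ? 0 : 1) }'
}

# Read iptables-save text on stdin; succeed if one ACCEPT rule covers MIN..MAX.
range_open() {  # usage: range_open MIN MAX
  awk -v lo="$1" -v hi="$2" '
    /^-A INPUT / && / -p tcp / && / -j ACCEPT/ {
      for (i = 1; i < NF; i++) {
        if ($i != "--dport" && $i != "--dports") continue
        n = split($(i + 1), items, ",")          # multiport list: 21,50000:50100
        for (k = 1; k <= n; k++) {
          m = split(items[k], p, ":")            # single port or FIRST:LAST
          a = p[1] + 0; b = (m > 1 ? p[2] : p[1]) + 0
          if (a <= lo + 0 && hi + 0 <= b) found = 1
        }
      }
    }
    END { exit (found ? 0 : 1) }'
}

# Print "open MIN MAX" (exit 0), "blocked MIN MAX" (exit 1) or
# "no-passiveports" (exit 2) for the given config text and rule text.
check_passive() {  # usage: check_passive CONF_TEXT RULES_TEXT
  range=$(printf '%s\n' "$1" | passive_range) || { echo "no-passiveports"; return 2; }
  if printf '%s\n' "$2" | range_open "${range% *}" "${range#* }"; then
    echo "open $range"
  else
    echo "blocked $range"; return 1
  fi
}
check_passive "$SAMPLE_CONF" "$SAMPLE_RULES_OK"
check_passive "$SAMPLE_CONF" "$SAMPLE_RULES_NARROW" || true
```

On a server it can be run as root with check_passive "$(cat /etc/proftpd.d/local.conf)" "$(iptables-save)". A "blocked" result means the configured passive range is wider than, or different from, what the firewall explicitly accepts.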
Error after enabling ProFTPD passive ports
Sometimes, ProFTPD will not work in passive mode. Our Support Engineers fix this error for our customers.
In this case, we first check whether active mode is working. If it is working correctly, then the error is quite simple to fix.
The error shows up because of the firewall restriction over the passive ports. So, we edit the iptables config file. Firstly, we open the file.
nano /etc/sysconfig/iptables-config
Then we add the following line,
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
Later we restart the iptables service.
service iptables restart
Conclusion
So far, we saw how to configure ProFTPD passive ports. Also, we saw how our Support Engineers fixed a related error.
Hi Bobcares team,
We are using proftpd as an FTP server. We enabled passive ports. We are able to access the FTP server from the office network, but when we tried to access the FTP server from an outside network we are seeing the below exception.
ftp> ls
421 Service not available, remote server has closed connection
We run the passive command and run ls. We are not seeing any output; the cursor hangs.
Could you please let us know how to overcome the issue?
Hi Prasanth,
Our experts can help you with the issue. We will be happy to talk to you through our live chat (click on the icon at the bottom right).