Passive FTP workaround for Plesk’s proftpd

Add the following line to /etc/proftpd.conf:

    PassivePorts 49152 65534

Do NOT add it to /etc/proftpd.include, as Plesk regularly overwrites that file.

There is no need to restart xinetd (/etc/init.d/xinetd restart), as proftpd is executed only when a connection is attempted on the port.

Add the following line:

    /sbin/iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT

to /usr/local/psa/var/modules/firewall/

That’s all!
You just need to make sure that the last incoming traffic rule is set to deny all.

Valid for Plesk 7.5.
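
The two changes above only work together if the firewall range matches PassivePorts and the ACCEPT rule is evaluated before the deny-all rule. The following check is an added example, not part of the original post; it assumes a rules file with one iptables command per line, and the function names and sample file names are made up for illustration.

```shell
# Check that the PassivePorts range from proftpd.conf is accepted by an
# iptables rule list (one iptables command per line, an assumption).

# Print "MIN MAX" from the last PassivePorts directive; commented lines are skipped.
passive_range() {
    awk 'tolower($1) == "passiveports" && NF >= 3 { min = $2; max = $3 }
         END { if (min == "") exit 1; print min, max }' "$1"
}

# Succeed if a tcp INPUT ACCEPT rule covers MIN..MAX and sits before any
# catch-all "-A INPUT -j DROP|REJECT" (rules are evaluated top to bottom).
range_allowed() {
    awk -v min="$2" -v max="$3" '
        /-A INPUT -j (DROP|REJECT)[ \t]*$/ { blocked = 1 }
        !blocked && /-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) {
                if ($i != "--dport") continue
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                if (lo <= min + 0 && hi >= max + 0) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# check_passive_ftp PROFTPD_CONF RULES_FILE -> 0 ok, 1 not accepted, 2 no directive
check_passive_ftp() {
    range=$(passive_range "$1") || { echo "no PassivePorts in $1"; return 2; }
    if range_allowed "$2" "${range% *}" "${range#* }"; then
        echo "ok: tcp ${range% *}-${range#* } accepted"
    else
        echo "FAIL: tcp ${range% *}-${range#* } not accepted before deny-all"; return 1
    fi
}

# Constructed sample input: a proftpd.conf fragment and two rule orderings.
tmp=$(mktemp -d)
printf '%s\n' '# PassivePorts 1024 2048' 'PassivePorts 49152 65534' > "$tmp/proftpd.conf"
printf '%s\n' '/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT' \
    '/sbin/iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT' \
    '/sbin/iptables -A INPUT -j DROP' > "$tmp/rules.good"
printf '%s\n' '/sbin/iptables -A INPUT -j DROP' \
    '/sbin/iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT' > "$tmp/rules.bad"
check_passive_ftp "$tmp/proftpd.conf" "$tmp/rules.good" || echo "status $?"
check_passive_ftp "$tmp/proftpd.conf" "$tmp/rules.bad" || echo "status $?"
```

The second call fails because the ACCEPT rule was appended after the deny-all rule and is never reached.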

7 thoughts on “Passive FTP workaround for Plesk’s proftpd”

  1. A better way is using the ip_conntrack_ftp kernel module with

    /sbin/modprobe ip_conntrack_ftp.

    This fixed the passive FTP problem without manual changes to the firewall rules under Plesk.

  2. Make sure if you place the PassivePorts 49152 65534 that you place it between the tags and not just anywhere.

  3. Of course this is only when YOUR firewall is blocking passive FTP... it does nothing for when it is your end user. In this case just modify proftpd.conf and run /usr/local/psa/admin/bin/ftpmng --reconfigure-all.

    Then again, why would YOUR firewall be blocking FTP that is going OUT from YOUR server? That’s grossly illogical in an enterprise production environment (or any other, save an anecdotal one).
