Updated Feb 18, 2026
1. Overview
This document explains how to enable FTP Passive Mode and how it differs from Active Mode. Passive mode is essential for servers behind NAT or firewalls, ensuring stable FTP connections.
Important: The system enables passive ports 49152 through 65534 by default for Pure-FTPd and ProFTPD servers.
2. Active vs Passive Mode
Active Mode
In Active Mode, the FTP server responds to the client and then attempts to establish the data connection back to the client from a different port. NAT devices and firewalls often block this inbound connection.
Passive Mode
In Passive Mode, the FTP client initiates both connections. This prevents NAT or firewall interference and is the recommended mode for most environments.
Note: If FTP users are behind NAT, you must enable Passive Mode and open the passive port range in both the FTP server and firewall.
3. Configuring FTP Servers
The following sections explain how to configure Pure-FTPd and ProFTPD servers.
4. Pure-FTPd Configuration
- Log in via SSH as the root user.
- Create or edit the /var/cpanel/conf/pureftpd/local file.
- If the server is behind NAT, set:
ForcePassiveIP: 203.0.113.0
If the server is not behind NAT:
ForcePassiveIP: ~
Important: Only one ForcePassiveIP entry may exist in the configuration file.
Changing the Passive Port Range
echo "PassivePortRange: 49152 65534" >> /var/cpanel/conf/pureftpd/local
/usr/local/cpanel/scripts/setupftpserver pure-ftpd --force
Restart Pure-FTPd
/usr/local/cpanel/scripts/setupftpserver pure-ftpd --force
5. ProFTPD Configuration
- Log in via SSH as the root user.
- Create or edit the /var/cpanel/conf/proftpd/local file.
- If the server is behind NAT, set:
MasqueradeAddress: 203.0.113.0
If the server is not behind NAT:
MasqueradeAddress: ~
Important: Only one MasqueradeAddress entry may exist in the configuration file.
Changing the Passive Port Range
echo "PassivePorts: 49152 65534" >> /var/cpanel/conf/proftpd/local
/usr/local/cpanel/scripts/setupftpserver proftpd --force
Restart ProFTPD
/usr/local/cpanel/scripts/setupftpserver proftpd --force
6. Configure the Firewall
You may need to manually open the passive port range in your firewall.
CSF
Open /etc/csf/csf.conf and ensure the passive port range is included in the TCP_IN line.
Warning: CSF is no longer maintained as of August 31, 2025.
nftables
nft add rule filter INPUT tcp dport 49152-65534 accept
nft -s list ruleset | tee /etc/sysconfig/nftables.conf
firewalld
firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --permanent --add-port=49152-65534/tcp
firewall-cmd --reload
iptables
yum install iptables-services
iptables -I INPUT -p tcp --dport 49152:65534 -j ACCEPT
service iptables save
7. SolusVM and Xen Passive FTP Issues
Some CloudLinux servers using SolusVM and Xen may experience Passive FTP issues. To fix:
IPTABLES_MODULES=ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT
service iptables restart
8. Troubleshooting Passive Mode
If a NAT-configured server cannot establish Passive FTP connections, set ForcePassiveIP to ~ to prevent automatic configuration changes.
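An added check for the Pure-FTPd and firewall settings described in sections 4 and 6 (not part of the original page or of cPanel's tooling): it lints a Pure-FTPd local file for the single-ForcePassiveIP rule, for duplicate PassivePortRange lines left by repeated echo >> runs, and for a mismatch between the passive range and the range opened in the firewall. The function name check_passive_conf, the private-address check and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint a Pure-FTPd "local" override file against the firewall range.
# Usage: check_passive_conf FILE FW_LOW FW_HIGH   (returns 0 if clean, 1 otherwise)
check_passive_conf() {
    awk -v fw_lo="$2" -v fw_hi="$3" '
        /^[ \t]*#/ { next }                           # skip comment lines
        $1 == "ForcePassiveIP:"   { ips++;    ip = $2 }
        $1 == "PassivePortRange:" { ranges++; lo = $2; hi = $3 }
        END {
            rc = 0
            # The page allows exactly one ForcePassiveIP entry.
            if (ips != 1) {
                printf "FAIL: %d ForcePassiveIP entries, expected 1\n", ips; rc = 1
            } else if (ip ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) {
                # Assumption of this example: an RFC 1918 address is unreachable
                # for clients outside the NAT, so it is reported as an error.
                print "FAIL: ForcePassiveIP " ip " is a private address"; rc = 1
            }
            # Repeated "echo ... >>" runs append duplicate range lines.
            if (ranges > 1) {
                printf "FAIL: %d PassivePortRange entries, expected at most 1\n", ranges; rc = 1
            }
            if (ranges == 0) { lo = 49152; hi = 65534 }   # default stated on the page
            if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/ || lo + 0 > hi + 0 || hi + 0 > 65535) {
                print "FAIL: malformed PassivePortRange: " lo " " hi; rc = 1
            } else if (lo + 0 < fw_lo + 0 || hi + 0 > fw_hi + 0) {
                print "FAIL: passive ports " lo "-" hi " not covered by firewall range " fw_lo "-" fw_hi; rc = 1
            } else if (lo + 0 > fw_lo + 0 || hi + 0 < fw_hi + 0) {
                print "WARN: firewall opens more ports than the server uses"
            }
            exit rc
        }' "$1"
}

# Constructed sample: a stale NAT entry plus two runs of the echo command.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ForcePassiveIP: 203.0.113.0
ForcePassiveIP: ~
PassivePortRange: 49152 65534
PassivePortRange: 50000 50100
EOF
check_passive_conf "$sample" 49152 65534 || echo "fix the file before running setupftpserver"
rm -f "$sample"
```

On a real server, pass /var/cpanel/conf/pureftpd/local and the port range actually opened in the firewall; for ProFTPD the keys would be MasqueradeAddress and PassivePorts instead.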
9. Restore Missing FTP Interfaces in cPanel
If FTP is set to unmanaged mode, cPanel may hide FTP interfaces. To restore them:
mkdir -p /var/cpanel/dynamicui/
touch /var/cpanel/dynamicui/ftp
If the file is removed during updates, recreate it after each upgrade.
Written & researched by Dr. Shahin Siami