In most cases, passive FTP is needed due to firewalls on the FTP client side which allows the connections to be initiated by the FTP client to the server for both authentications and for data control. By default the passive pot range is configured with this line in /etc/pure-ftpd.conf
PassivePortRange 49152 65534
but if there are external firewalls or software based firewalls that port range will need to be allowed inbound so the FTP client can establish the data control session.
CSF firewall can be managed by directly modifying /etc/csf/csf.conf and changing this line
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096"
so the port range can be added. The following is what is needed to allow the range from 49152 to 65534.
In the example provided this range would be added at the end to be like the following.
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,49152:65534"
Don't copy the example provided just add ,49152:65534 at the end before the closing double quotes. Once added the following can be run to reload that change.
Please keep in mind that firewall modifications aren't something that is performed by cPanel as this is a systems administrator task.
This change can also be made in WHM under the application plugin "ConfigServer Security & Firewall" using the "Firewall Configuration" button, then search for TCP_IN and then add the change followed by clicking "Change" at the bottom and then "Restart csf+lfd".