When attempting to connect to an FTP server, the client fails with an error similar to the following:
227 Entering Passive Mode
Error: Connection Timeout
Description
This error can occur when your firewall is not configured to accept traffic on the passive port range configured on your server.
By default, this range is 49152-65534.
You can confirm this issue with the nmap utility. The following output shows the response for the first port, the last port, and a port in the middle of the range.
➜ ~ sudo nmap -Pn --reason -p 49152,55000,65534 xxx.xxx.xxx.xxx
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-18 22:16 CST
Nmap scan report for hostname.domain.tld (xxx.xxx.xxx.xxx)
Host is up, received user-set.
PORT STATE SERVICE REASON
49152/tcp filtered unknown no-response
55000/tcp filtered unknown no-response
65534/tcp filtered unknown no-response
Nmap done: 1 IP address (1 host up) scanned in 3.23 seconds
In this output, the ports are reported as "filtered", which means the firewall is dropping the packets. A "closed" response would instead show that the packets reach the server and that nothing is actively running on these ports.
You can verify or update the passive port range via the configuration files for your FTP daemon.
ProFTPD
The configuration file is located at /etc/proftpd.conf
# grep 'PassivePorts' /etc/proftpd.conf
PassivePorts 49152 65534
Pure-FTPd
The configuration file is located at /etc/pure-ftpd.conf
# grep 'PassivePortRange' /etc/pure-ftpd.conf
PassivePortRange 49152 65534
Workaround
You will need to ensure these ports are open in your firewall.
After the ports are opened, the same nmap scan will show "closed" rather than "filtered". "Closed" means the request is no longer being dropped by the firewall, so the server can later start a service on those ports.
# nmap --reason -p 49152,50000,65534 server-ip
...
PORT STATE SERVICE REASON
49152/tcp closed unknown reset
50000/tcp closed ibm-db2 reset
65534/tcp closed unknown reset
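The same check can be scripted without nmap. The following is an added example, not part of the original article or of cPanel's tooling: it reads the passive range from the daemon configuration text and classifies a plain TCP connect to the start, midpoint and end of the range using the same state names as the nmap output above. The function names and the sample configuration text are assumptions made for illustration, and the middle port is the arithmetic midpoint rather than the 55000 or 50000 used in the scans on this page.

```python
import errno
import re
import socket

# Directive names as shown on this page for the two FTP daemons.
_DIRECTIVE = re.compile(r"^\s*(?:PassivePorts|PassivePortRange)\s+(\d+)\s+(\d+)\b", re.M)

# Constructed sample text; the real files are /etc/proftpd.conf and /etc/pure-ftpd.conf.
SAMPLE_CONF = "# PassivePorts 30000 30100\nPassivePorts 49152 65534\n"

def passive_range(conf_text):
    """Return (low, high) from the first uncommented passive-range directive, or None."""
    m = _DIRECTIVE.search(conf_text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def sample_ports(low, high):
    """Start, midpoint and end of the range, de-duplicated for tiny ranges."""
    return sorted({low, (low + high) // 2, high})

def classify(error):
    """Map the outcome of a TCP connect to the state names nmap prints."""
    if error is None:
        return "open"       # handshake completed: a service is listening
    if isinstance(error, ConnectionRefusedError):
        return "closed"     # RST returned: packet reached the host, no listener
    if isinstance(error, (socket.timeout, TimeoutError)):
        return "filtered"   # no response: the packet was dropped on the way
    if getattr(error, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"   # an ICMP unreachable error came back instead of a RST
    return "unknown"

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect to host:port and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

def check_passive_range(host, conf_text, timeout=3.0):
    """Probe the sampled ports of the configured range; returns {port: state}."""
    rng = passive_range(conf_text)
    if rng is None:
        raise ValueError("no passive port directive found")
    return {port: probe(host, port, timeout) for port in sample_ports(*rng)}
```

Call `check_passive_range("server-ip", conf_text)` from a machine outside the firewall, passing the contents of the daemon's configuration file. Any port reported as "filtered" is still being dropped before it reaches the server.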
If you are using ConfigServer Firewall, please consult this third-party documentation.
You may also wish to reference this document discussing how to configure your firewall for cPanel services.
Resources
More details on configuring FTP Passive Mode can be found here.
If you continue to have issues even after adjusting these settings, please see our other troubleshooting steps.