How to set PassivePortRange and PassiveIP in pure-ftpd on Debian and Ubuntu Linux

If you run a firewall on your Linux server and want to use passive FTP connections, you have to define the passive port range in pure-ftpd and your firewall to ensure that the connections don't get blocked. The following example is for pure-ftpd on Debian or Ubuntu Linux and ISPConfig 3.

Set Passive Port Range in PureFTPD

1) Configure pure-ftpd

echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange
service pure-ftpd-mysql restart

2) Configure the firewall. If you use ISPConfig 3 on my server to configure the bastille firewall, you can add the nescessera port range in the ISPConfig firewall settings.

Change the list of Open TCP ports from:

20,21,22,25,53,80,110,143,443,3306,8080,10000

to:

20,21,22,25,53,80,110,143,443,3306,8080,10000,40110:40210

and then click on "Save".

Set Passive IP in PureFTPD

Setting a passive IP in FTP might be necessary when your server is located behind a NAT router. You will get an error like "Error: Server returned unroutable private IP address in PASV reply" from your FTP client in such a case.

To set a passive IP address, run this command:

echo "1.2.3.4" > /etc/pure-ftpd/conf/ForcePassiveIP

Replace 1.2.3.4 with the External IP address that clients shall use to connect to the FTP server. Then restart pureFTPD:

service pure-ftpd-mysql restart

11 thoughts on “How to set PassivePortRange and PassiveIP in pure-ftpd on Debian and Ubuntu Linux”

  1. Avatar

    Debian* instead of Denian in the title, and need to fix the > to > in the first command. Other than that, great mini tutorial.

    Reply
    • Avatar

      Oops, small typo, thank you for your attention!

      Reply
  2. You need to correct the first line of the first command. The Greater than symbol is being output as an unparsed HTML code, I would imagine due to it’s placement in the tag...

    Reply
    • Avatar

      Thanks for the note. The command is displayed correctly now.

      Reply
  3. Avatar

    Tanks man, great tuto 🙂

    Reply
  4. Avatar

    Thx for that short how-to. Just needed the info for pure-ftpd itself. Short and working – perfect. 🙂

    Reply
  5. Avatar

    tried
    sudoecho “40110 40210” > /etc/pure-ftpd/conf/PassivePortRange
    but getting
    -bash: PassivePortRange: Permission denied

    Reply
    • Avatar

      You missed to add a whitespace between the words sudo and echo.

      sudo echo “40110 40210” > /etc/pure-ftpd/conf/PassivePortRange

      Reply
  6. Avatar

    Thanks, I was looking for this all day long.
    It works like a charm. 🙂

    Reply
  7. Avatar

    thanks it works like a charm from out of LAN, then if i try from LAN can not retrieve folder list…

    Reply
  8. Avatar

    Thank you very much! I’m asking myself, why is this not in the official “The Perfect Server – Debian XX (xxxxx) with Apache, BIND, Dovecot, PureFTPD and ISPConfig X.X”? This was a great help!

    Reply

Leave a Comment

*