Home > Máy tính > CSF firewall for your CPanel VPS and FTP issue

CSF firewall for your CPanel VPS and FTP issue

When you have a CPanel VPS, you may also want to have a way to manage firewall easily and effectively. I found that CSF is a good option here. It is free and has UI integration with Web Host Manager. Its features and performance are not so bad. It is recommended in many VPS forums.


Installation is straightforward: download the package, execute install command.

However after you secure your VPS with CSF, you may encounter following issue when you ftp to the server:

Command:    PASV
Response:    227 Entering Passive Mode (69,73,143,39,137,1)
Command:    MLSD
Error:    Connection timed out
Error:    Failed to retrieve directory listing

That means, your FTP client opens data connection in passive mode and tries to MLSD (list content of a given directory) on server, but it fails. The issue lies between CSF configuration and FTP server configuration: passive ports configured in FTP server are not opened in CSF firewall. So one way to fix is:

1. identify passive ports configured in FTP server

- check your /etc/pure-ftpd.conf (if you use Pure-FTP)

- find this line:

# Port range for passive connections replies. – for firewalling.
PassivePortRange 35000 36000

2. add these ports in CSF at TCP_IN entry

- restart CSF and test FTP again.

This solution can be derived from the point 13 in CSF readme content:

13. A note about FTP Connection Issues

It is important when using an SPI firewall to ensure FTP client applications
are configured to use Passive (PASV) mode connections to the server.

On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom
built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may
not be available or fully functional. If this happens, FTP passive mode (PASV)
won’t work. In such circumstances you will have to open a hole in your firewall
and configure the FTP server to use that same hole.

For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
PassivePortRange 30000 35000

For example, with proftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/proftpd.conf and then restart proftpd:
PassivePorts 30000 35000

FTP over SSL/TLS will usually fail when using an SPI firewall. This is because
of the way the FTP protocol established a connection between client and server.
iptables fails to establish a related connection when using FTP over SSL
because the FTP control connection is encrypted and so cannot track the
relationship between the connection and the allocation of an ephemeral port.

If you need to use FTP over SSL, you will have to open up a passive port block
in both csf and your FTP server configuration (see above).

Perversely, this makes your firewall less secure, while trying to make FTP
connections more secure.

Hope this solution works for you.

Please share with me your feedback or another solution. Many thanks!

  1. No comments yet.
  1. No trackbacks yet.