The following link points to a very well written article that covers the basics of how “Passive vs Active” mode works.
Active FTP vs. Passive FTP, a Definitive Explanation
After the FTP connection has been made, the FTP server will generally choose a random port within a certain range and tell the client to connect to it. When the firewall is set up to block this port, the connection cannot be made and the client times out. Error example below:
[14:55:16] PASV
[14:55:16] 227 Entering Passive Mode (74,86,43,171,13,209)
[14:55:16] Opening data connection to 74.86.43.171 Port: 3537
[14:55:16] LIST -aL
[14:55:37] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Opening the ports on APF
The first step is to tell APF to keep a range of ports open for passive FTP connections. You can use any range you want as long as it doesn’t conflict with another service. For this we’re going to use the range of 35000-35500.
We will be using vi in this How-To. Please see the Basic Guide to Vim.
cd /etc/apf; vi conf.apf
Find IG_TCP_CPORTS (passive FTP data connections are TCP) and add the passive ports 35000-35500, written as 35000_35500, so that it looks like:
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,161,443,465,623,993,995,2082,2083,2086,2087,2095,2096,3306,3389,6666,35000_35500"
Save the file and restart APF with
/etc/init.d/apf restart
Setting up the FTP Server (Pure-FTPD):
Now you need to tell PureFTPd to use those ports for passive connections. Open up the file /etc/pure-ftpd.conf in your editor and look for the following.
# PassivePortRange 30000 50000
Two things to note: one, the setting is commented out, and two, the range doesn’t match what we opened in APF. So change it to the following.
PassivePortRange 35000 35500
Restart the PureFTP server with
/etc/init.d/pure-ftpd restart
Test the connections and you are done!
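One way to check the result offline, as an added example that is not part of the original how-to: the script decodes the port announced in a 227 reply and compares it, and the APF port list, against the PassivePortRange setting. The function names are hypothetical and the sample input is constructed from the values shown in this guide.

```shell
#!/bin/sh
# Added example (not from the original guide): offline checks for the passive range.

# Print the data port from a 227 reply: (h1,h2,h3,h4,p1,p2) -> p1*256 + p2
pasv_port() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $nums
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# Read pure-ftpd.conf text on stdin, print "LOW HIGH"; commented-out lines are skipped
pureftpd_range() {
    awk '$1 == "PassivePortRange" && NF >= 3 { print $2, $3; exit }'
}

# Succeed if the IG_TCP_CPORTS value ($1) has an entry covering LOW..HIGH ($2 $3)
apf_allows_range() {
    lo=$2; hi=$3; found=1
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        case $entry in
            *_*) a=${entry%%_*}; b=${entry#*_} ;;   # APF writes ranges as LOW_HIGH
            *)   a=$entry; b=$entry ;;
        esac
        if [ "$a" -le "$lo" ] && [ "$b" -ge "$hi" ]; then found=0; break; fi
    done
    IFS=$old_ifs
    return $found
}

# Succeed if the port announced in a 227 reply ($1) lies within LOW..HIGH ($2 $3)
pasv_in_range() {
    port=$(pasv_port "$1") || return 2
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# Demo on constructed input: the reply from the failed session and this guide's range
reply='227 Entering Passive Mode (74,86,43,171,13,209)'
range=$(printf '# PassivePortRange 30000 50000\nPassivePortRange 35000 35500\n' | pureftpd_range)
if pasv_in_range "$reply" $range; then
    echo "PASV port is inside $range"
else
    echo "PASV port $(pasv_port "$reply") is outside $range"
fi
```

If a 227 reply captured after the restart still announces a port outside 35000-35500, Pure-FTPd is not using the new PassivePortRange and the client will keep timing out at the firewall.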