
FTP Support

FTP is different from most services (like SSH or HTTP) because it does not use just one port.

  • Port 21 (TCP) → control channel (login and commands).
  • Additional ports → data channel (file transfers).

Without special handling, a firewall would block these extra data connections and FTP would not work.

PXF solves this automatically:

  • The Linux module nf_conntrack_ftp is integrated and enabled by default.
  • This module understands the FTP protocol and ensures that data connections related to an FTP session are allowed automatically.
  • That means you only need to allow port 21/tcp for a standard FTP server.

Using FTP with PXF

Open port 21 for FTP control:

pxf allow-port --proto tcp 21
pxf apply

PXF will then automatically allow the related FTP data connections. This works out of the box on RHEL 7/8/9 with both IPv4 and IPv6.


FTPS (FTP over TLS)

FTPS is FTP encrypted with TLS.

  • When TLS is enabled, the firewall cannot read the FTP commands inside the encrypted channel.
  • As a result, the automatic helper cannot detect the passive ports.
  • You must define and open a passive range if FTPS is enabled.

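Example for vsftpd.conf (these directives are vsftpd syntax; ProFTPD sets its passive range with the PassivePorts directive in proftpd.conf):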

pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100

Then in PXF:

pxf allow-portrange --proto tcp 40000-40100
pxf apply
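
The check above as a script, added here as an example and not part of PXF: it reads a vsftpd configuration and prints the PXF commands from this page that the configuration needs, failing when FTPS is on without a bounded passive range. The function names are hypothetical, and vsftpd's defaults (ssl_enable=NO, passive ports 0 meaning any port) are assumed when a key is absent.

```shell
#!/bin/sh
# Added example (not part of PXF). Function names are hypothetical.

# _conf_get FILE KEY DEFAULT: value of KEY in a vsftpd-style key=value file.
# Commented lines never match; if a key repeats, the last value is used
# (assumption about how the server reads the file).
_conf_get() {
    awk -F= -v k="$2" -v d="$3" '
        $1 == k { v = $2; sub(/[ \t\r]+$/, "", v) }
        END     { print (v == "" ? d : v) }' "$1"
}

# pxf_ftp_rules FILE: print the pxf commands this configuration needs.
# Returns 1 when FTPS is enabled without a bounded passive range.
pxf_ftp_rules() {
    conf=$1
    ssl=$(_conf_get "$conf" ssl_enable NO | tr '[:lower:]' '[:upper:]')
    min=$(_conf_get "$conf" pasv_min_port 0)
    max=$(_conf_get "$conf" pasv_max_port 0)
    range=
    case $ssl in
    YES|TRUE|1)
        # TLS hides the passive-mode replies from nf_conntrack_ftp, so the
        # data ports must be a fixed range that is opened explicitly.
        if [ "$min" -gt 0 ] 2>/dev/null && [ "$max" -ge "$min" ] 2>/dev/null; then
            range="$min-$max"
        else
            echo "FTPS enabled but no bounded passive range in $conf" >&2
            return 1
        fi ;;
    esac
    echo "pxf allow-port --proto tcp 21"
    if [ -n "$range" ]; then
        echo "pxf allow-portrange --proto tcp $range"
    fi
    echo "pxf apply"
}

# Constructed sample: FTPS on, with the passive range used on this page.
sample=$(mktemp)
printf '%s\n' 'ssl_enable=YES' 'pasv_enable=YES' \
    'pasv_min_port=40000' 'pasv_max_port=40100' > "$sample"
pxf_ftp_rules "$sample"
rm -f "$sample"
```

Review the printed commands before running them; the script only reads the configuration file and changes nothing.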

Disabling FTPS

If you do not need FTPS (for example, if you only use plain FTP or prefer SFTP over SSH):

  • In vsftpd, set in /etc/vsftpd/vsftpd.conf:

    ssl_enable=NO

  • In cPanel (Pure-FTPd/ProFTPD):

    • Go to WHM → Service Configuration → FTP Server Configuration.

    • Find TLS Encryption Support and set it to Disabled.

    • Save changes and restart the FTP service:

      /scripts/restartsrv_ftpserver

Plain FTP will then work fully automatically with PXF (only port 21 needs to be open).


FTP in cPanel

cPanel supports two FTP servers:

  • Pure-FTPd (default)
  • ProFTPD (alternative)

Both are compatible with PXF.

Configure port range in WHM

  1. Log in to WHM as root.

  2. Navigate to: Service Configuration → FTP Server Configuration.

  3. Look for Passive Port Range.

    • Set it to a fixed, small range (example: 40000–40100).

  4. In PXF, allow the same range:

    pxf allow-portrange --proto tcp 40000-40100
    pxf apply

Disable FTPS in WHM

  1. Go to Service Configuration → FTP Server Configuration.
  2. Find TLS Encryption Support.
  3. Select Disabled.
  4. Save and restart the FTP service.

In Summary

  • Plain FTP (unencrypted): Just open port 21/tcp in PXF. Thanks to the built-in nf_conntrack_ftp module, both active and passive FTP work automatically. ✅
  • Passive FTP: No issues with PXF — it works out of the box when FTP is not encrypted.
  • FTPS (FTP over TLS): The helper cannot read encrypted commands, so you must define a fixed passive range (e.g. 40000–40100) and open it in PXF. ⚠️
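  • Simpler and safer option: Disable FTPS or use SFTP (SSH, port 22), which requires no special firewall handling. Of the two, only SFTP keeps credentials and file contents encrypted; plain FTP sends both in clear text.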

👉 In one line: With PXF, plain FTP “just works”; only FTPS requires opening a fixed passive range.