I’ve just had to configure a VPS server’s Pure-FTP and APF firewall installation to allow for passive FTP connections after getting the following error when trying to connect via FTP:
I won’t open a connection to xxx.xxx.xxx.xxx (only to xxx.xxx.xxx.xxx)
This error was caused by Pure-FTP not being set up to allow for passive connections, so here’s what I had to do to properly configure Pure-FTP and the firewall.
SSH into your server and open /etc/apf/conf.apf in Vi (using the command ‘vi /etc/apf/conf.apf’). Find the entry for IG_TCP_CPORTS and add the port range to it as ‘40000_50000’ (APF writes ranges with an underscore). Restart your firewall (in the case of APF the command is ‘apf -r’).
Next you need to set the passive port range for Pure-FTP in the pure-ftpd.conf file; open it by running ‘vi /etc/pure-ftpd.conf’. In this file uncomment the ‘PassivePortRange’ entry by removing the ‘#’ and then change the listed value to the port range we just opened in the firewall, 40000 50000, so your entry for passive ports will now look like ‘PassivePortRange 40000 50000’. Now restart Pure-FTP by running ‘service pure-ftpd restart’, and then run ‘iptables -F’ and you should now be able to FTP into your server using passive mode. Note that ‘iptables -F’ flushes every rule currently loaded into iptables, including the ones APF installed, so check your firewall state afterwards (for APF, ‘apf -r’ reloads its rules).
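The two edits above can be scripted so they are repeatable and so you can confirm the firewall range actually covers the Pure-FTPd passive range before restarting anything. The script below is an added example, not the post's own code; it works on constructed sample copies of conf.apf and pure-ftpd.conf in a temporary directory (the real files live at /etc/apf/conf.apf and /etc/pure-ftpd.conf), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent helpers that apply the
# APF IG_TCP_CPORTS and Pure-FTPd PassivePortRange edits, then check that the
# firewall range covers the passive range. Sample file contents are constructed.
set -eu

PASSIVE_LO=40000
PASSIVE_HI=50000

# Append "LO_HI" to the IG_TCP_CPORTS list in an APF conf file unless present.
apf_add_passive_range() {
    conf="$1"; lo="$2"; hi="$3"
    range="${lo}_${hi}"
    if grep -Eq "^IG_TCP_CPORTS=\"([^\"]*,)?${range}(,|\")" "$conf"; then
        return 0                                # already there, nothing to do
    fi
    tmp="$(mktemp)"
    # first substitution handles an empty list, 't' skips the second if it fired
    sed -e "s/^IG_TCP_CPORTS=\"\"/IG_TCP_CPORTS=\"${range}\"/" -e t \
        -e "s/^\(IG_TCP_CPORTS=\"[^\"]*\)\"/\1,${range}\"/" "$conf" > "$tmp"
    cat "$tmp" > "$conf"; rm -f "$tmp"         # keep the original file's mode
}

# Uncomment (or add) PassivePortRange in a pure-ftpd.conf and set it to LO HI.
pureftpd_set_passive_range() {
    conf="$1"; lo="$2"; hi="$3"
    tmp="$(mktemp)"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PassivePortRange' "$conf"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*PassivePortRange.*/PassivePortRange ${lo} ${hi}/" \
            "$conf" > "$tmp"
    else
        { cat "$conf"; echo "PassivePortRange ${lo} ${hi}"; } > "$tmp"
    fi
    cat "$tmp" > "$conf"; rm -f "$tmp"
}

# Return 0 only if some LO_HI entry in IG_TCP_CPORTS fully covers the active
# PassivePortRange; anything else means passive data connections will be blocked.
passive_config_ok() {
    apf_conf="$1"; pure_conf="$2"
    line="$(grep -E '^[[:space:]]*PassivePortRange[[:space:]]+[0-9]+[[:space:]]+[0-9]+' "$pure_conf" | tail -n1)"
    [ -n "$line" ] || return 1
    set -- $line                                # $2 = low port, $3 = high port
    lo="$2"; hi="$3"
    ports="$(sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$apf_conf")"
    [ -n "$ports" ] || return 1
    for entry in $(printf '%s' "$ports" | tr ',' ' '); do
        case "$entry" in
            *_*) elo="${entry%_*}"; ehi="${entry#*_}"
                 [ "$elo" -le "$lo" ] && [ "$ehi" -ge "$hi" ] && return 0 ;;
        esac
    done
    return 1
}

# Demo on constructed copies of the two config files.
demo() {
    dir="$(mktemp -d)"
    cat > "$dir/conf.apf" <<'EOF'
IG_TCP_CPORTS="21,22,25,80,443"
IG_UDP_CPORTS="53"
EOF
    cat > "$dir/pure-ftpd.conf" <<'EOF'
# Port range for passive connections replies. - for firewalling.
# PassivePortRange 30000 50000
ChrootEveryone yes
EOF
    apf_add_passive_range "$dir/conf.apf" "$PASSIVE_LO" "$PASSIVE_HI"
    pureftpd_set_passive_range "$dir/pure-ftpd.conf" "$PASSIVE_LO" "$PASSIVE_HI"
    if passive_config_ok "$dir/conf.apf" "$dir/pure-ftpd.conf"; then
        echo "ok: APF covers PassivePortRange $PASSIVE_LO $PASSIVE_HI"
    else
        echo "mismatch: firewall does not cover the passive range" >&2
    fi
    grep -H -E 'IG_TCP_CPORTS|PassivePortRange' "$dir"/*
    rm -rf "$dir"
}
demo
```

Run it as root against the real paths only after reading it; the check function is the part worth keeping around, since a PassivePortRange that drifts outside the firewall's opened range is the usual reason passive transfers hang after a config change.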
For help with Vi/Vim there is a cheatsheet available here.
