Cannot make passive FTP connections with other programs


New member
Dec 15, 2019
Dear all,

I've a clean installation of my server and installed DA with Proftpd. This is because I want to use SFTP and followed this guide, which works perfect.. I can make connections via SFTP.

But I cannot connect to FTP sites anymore (scripts in PHP/Python/Wget).

wget ftp://XXXX.txt
--2019-12-15 09:54:26-- ftp://XXX.txt
=> ‘XXX.txt’
Resolving XXX (XXXX)...
Connecting to XXX (XXX)||:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub_weerberichten ... done.
==> SIZE XXX.txt ... 1402
==> PASV ... couldn't connect to port 49049: Connection refused

So I can connect to the FTP server, but it cannot setup a passive port (which is blocked by the firewall) = 49049

While in my proftpd.conf the following rule exist

PassivePorts 35000 35999 => These ports are opened in the firewall.
Why is (for example) wget not using the 35000-35999 range?

Thanks for helping me out :)

Full config:

ServerName        "ProFTPd"
ServerType              standalone

Port                    0
        Port 21
    AuthUserFile    /etc/proftpd.passwd

PassivePorts        35000 35999
UseReverseDNS        off
TimesGMT        off
TimeoutLogin        120
TimeoutIdle        600
TimeoutNoTransfer    900
TimeoutStalled        3600

ScoreboardFile            /var/run/proftpd/

TransferLog        /var/log/proftpd/xferlog.legacy
LogFormat        default "%h %l %u %t \"%r\" %s %b"
LogFormat        auth    "%v [%P] %h %t \"%r\" %s"
LogFormat        write   "%h %l %u %t \"%r\" %s %b"

#DON'T modify this log format.  Its used by DirectAdmin to determine user usage
LogFormat        userlog "%u %b %m %a"
ExtendedLog        /var/log/proftpd/IP.bytes WRITE,READ userlog

AuthUserFile                    /etc/proftpd.passwd
DefaultServer        on
AuthOrder mod_auth_file.c

#AuthPAM off

<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/proftpd.tls.log
        TLSProtocol ALL -TLSv1 -TLSv1.1
        TLSVerifyClient off
        TLSRequired off
    TLSRSACertificateFile /etc/exim.cert
    TLSRSACertificateKeyFile /etc/exim.key
    #TLSCACertificateFile /etc/ftpd/root.cert.pem

    TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

    PassivePorts            35000 35999
    DeferWelcome        on

    RequireValidShell    no

    DefaultRoot        ~
    DirFakeUser on ftp
    DirFakeGroup on ftp

    User            ftp
    Group            ftp
    #UserAlias        anonymous ftp

    AllowStoreRestart    on
    AllowRetrieveRestart    on

    ListOptions        -a

    Umask            022
    DisplayLogin        welcome.msg
    DisplayChdir        readme
    AllowOverwrite        yes
    IdentLookups        off
    ExtendedLog        /var/log/proftpd/access.log WRITE,READ write
    ExtendedLog        /var/log/proftpd/auth.log AUTH auth
    # Paranoia logging level....
    #ExtendedLog    /var/log/proftpd/paranoid.log ALL default

    <IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/proftpd.tls.log
        TLSRSACertificateFile /etc/exim.cert
        TLSRSACertificateKeyFile /etc/exim.key

Include /etc/proftpd.sftp.conf


New member
Dec 15, 2019
When I add all ports 1024:65555, then it works. 35000-35999 was already included (as default from DirectAdmin). Does anyone know what other firewall setting is the problem?