CSF is a great open-source firewall to use instead of raw iptables, and it includes a WHM add-on module for cPanel servers, but getting FTP over TLS/SSL to work through it needs a couple of tweaks.
Plain FTP works fine over port 21 but is not considered that secure, since logins and data travel in cleartext.
To get FTP over TLS/SSL working you need to open a range of higher-numbered ports for the passive data connections. With plain FTP the ip_conntrack_ftp helper can read the PASV reply on the control channel and open the data port on the fly; once the control channel is encrypted it cannot, so the range has to be opened statically. In WHM go to CSF > Firewall Configuration and add 30000:50000 to both TCP_IN and TCP_OUT, then restart the firewall.
Then you need to configure your FTP server, whether Pure-FTPd or ProFTPD, to use the same passive port range. For Pure-FTPd, edit the config file:
/etc/pure-ftpd.conf
Find the commented-out passive range, which sits under the comment "# Port range for passive connections replies. - for firewalling.", and uncomment the PassivePortRange line so it reads:
PassivePortRange 30000 50000
Restart the FTP server and all should be OK. Make sure the range in TCP_IN (and TCP_OUT) and the PassivePortRange in the FTP config are identical, otherwise the firewall will drop the data connections.
If the FTP service is still not right, it may be that some iptables kernel modules are not loaded. These are the iptables modules CSF needs in order to function:
- ip_tables
- ipt_state
- ipt_multiport
- iptable_filter
- ipt_limit
- ipt_LOG
- ipt_REJECT
- ipt_conntrack
- ip_conntrack
- ip_conntrack_ftp
- iptable_mangle
You can check which iptables match extensions the kernel currently has loaded from the command line with:
cat /proc/net/ip_tables_matches
(lsmod lists every loaded module, including the targets such as ipt_LOG and ipt_REJECT and the ip_conntrack_ftp helper.)
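The two checks above (passive range open in TCP_IN, required modules loaded) as an added POSIX shell script; this is example code written for this post, not part of CSF or Pure-FTPd. It assumes the csf.conf TCP_IN format and the PassivePortRange directive shown above, and builds constructed sample files so it runs offline; point the functions at /etc/csf/csf.conf, /etc/pure-ftpd.conf and saved lsmod output on a real host.

```shell
#!/bin/sh
# Added consistency check, not part of CSF or Pure-FTPd: confirms that the
# PassivePortRange in pure-ftpd.conf lies inside a TCP_IN range in csf.conf,
# and lists the iptables modules from the article missing from an lsmod listing.

# Print "low high" from the last active (uncommented) PassivePortRange line.
ftp_passive_range() {
  awk '$1 == "PassivePortRange" { lo = $2; hi = $3 } END { if (lo != "") print lo, hi }' "$1"
}

# Print each "lo:hi" entry of TCP_IN in csf.conf, one per line.
csf_tcp_in_ranges() {
  sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$1" | tr ',' '\n' | grep ':'
}

# Succeed only if ports $2..$3 fall inside a single TCP_IN range of csf.conf $1.
range_allowed() {
  csf_tcp_in_ranges "$1" | while IFS=: read -r rlo rhi; do
    [ "$2" -ge "$rlo" ] && [ "$3" -le "$rhi" ] && echo ok
  done | grep -q ok
}

# Return 0 if the passive range is open in the firewall, 1 if not, 2 if unset.
check_passive_ports() {   # $1 = csf.conf  $2 = pure-ftpd.conf
  set -- "$1" "$2" $(ftp_passive_range "$2")
  [ -n "$3" ] || { echo "no active PassivePortRange in $2"; return 2; }
  if range_allowed "$1" "$3" "$4"; then
    echo "passive range $3-$4 is covered by TCP_IN"; return 0
  fi
  echo "passive range $3-$4 is NOT covered by TCP_IN"; return 1
}

# Print each module from the article's list that is absent from lsmod output $1.
# Newer kernels use different names (e.g. xt_state, nf_conntrack_ftp); adjust the list.
missing_modules() {
  for m in ip_tables ipt_state ipt_multiport iptable_filter ipt_limit ipt_LOG \
           ipt_REJECT ipt_conntrack ip_conntrack ip_conntrack_ftp iptable_mangle; do
    grep -q "^$m[[:space:]]" "$1" || echo "$m"
  done
}

# Constructed sample files standing in for the real configs and lsmod output.
DEMO=$(mktemp -d); SAMPLE_CSF="$DEMO/csf.conf"; SAMPLE_FTP="$DEMO/pure-ftpd.conf"
printf 'TCP_IN = "20,21,22,25,53,80,443,30000:50000"\n' > "$SAMPLE_CSF"
printf '# PassivePortRange 30000 50000\nPassivePortRange 30000 50000\n' > "$SAMPLE_FTP"
printf 'ip_tables 1 0\nipt_multiport 1 0\nipt_REJECT 1 0\n' > "$DEMO/lsmod.txt"
check_passive_ports "$SAMPLE_CSF" "$SAMPLE_FTP"
echo "missing modules: $(missing_modules "$DEMO/lsmod.txt" | tr '\n' ' ')"
```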