
The article is a quick guide on tightening Pure‑FTPD’s passive mode by setting a limited port range and the correct IP address on Ubuntu servers. It walks through locating or creating the per‑option files under /etc/pure-ftpd/conf, writing a narrow range like 2020-2100 to keep firewalls simple, and specifying the public or LAN address so clients can reach the data channel. After updating those files the guide reminds you to restart Pure‑FTPD, verify the new values with grep, and then enable the chosen ports in ufw or your router. A real‑world example illustrates how a blanket deny rule caused timeouts until the passive range and IP were set correctly, showing that proper configuration restores smooth file transfers.



Tuning Pure‑FTPD’s Passive Port Range & IP on Ubuntu – A Quick Fix

If your FTP client is stuck in a timeout loop or you’re trying to get it behind a strict firewall, setting PassivePortRange and PassiveIP can make the difference between smooth transfers and endless “connection lost” errors. Below are the steps I use on my own server (Ubuntu 22.04) to lock down those values and keep both clients and firewalls happy.

What’s the Problem?

Pure‑FTPD will, by default, open any available high port for passive mode. That means a firewall must allow traffic on roughly 1024 up to 65535 – a range so wide that most routers will either block it or be unable to track it sensibly. Worse, if your server sits behind NAT, the client might be handed an IP address it can’t reach unless you tell Pure‑FTPD what public IP to advertise.

Step 1 – Find the Config Directory

On Ubuntu the per‑setting files live in /etc/pure-ftpd/conf.

You’ll find one file for each option that exists in pure-ftpd.conf.

ls /etc/pure-ftpd/conf | grep -E 'PassivePortRange|PassiveIP'

If the files aren’t there, create them.

Step 2 – Set the Passive Port Range

Pick a tight range that your firewall can open.

I usually go 2020‑2100 because it’s narrow enough to stay in one rule and wide enough for most clients.

echo "2020-2100" | sudo tee /etc/pure-ftpd/conf/PassivePortRange > /dev/null

A narrower range makes firewall configuration trivial (just open 20 ports instead of a half‑million) and reduces the attack surface for port‑scanning bots.

Step 3 – Tell Pure‑FTPD Which IP to Publish

If your server has multiple network interfaces or sits behind NAT, you must advertise the public address that clients can actually reach.

echo "203.0.113.42" | sudo tee /etc/pure-ftpd/conf/PassiveIP > /dev/null

Replace 203.0.113.42 with your real public IP (or the internal interface’s address if you’re on a LAN).

If you forget this, clients will receive an IP like 192.168.x.x and then fail to connect to the data channel.

Step 4 – Restart Pure‑FTPD

sudo systemctl restart pure-ftpd

Check that the files are in effect:

sudo grep -R . /etc/pure-ftpd/conf | grep -E 'PassivePortRange|PassiveIP'

You should see your new values.
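
The grep only confirms what is in the files. To confirm what a client is actually told, take the "227 Entering Passive Mode (...)" line from an FTP client's debug log and check it against the configured values. The function below is an added example, not part of Pure‑FTPD or of the original guide; check_pasv and its return codes are hypothetical names, and the replies it is shown with are constructed samples.

```shell
#!/bin/sh
# Added example: check a PASV reply against the PassiveIP and
# PassivePortRange values used in this guide.
#
# check_pasv REPLY LOW HIGH [EXPECTED_IP]
# Return codes: 0 consistent, 1 unparseable reply,
#               2 private or unexpected IP, 3 port outside LOW..HIGH
check_pasv() {
    reply=$1; low=$2; high=$3; expected=${4:-}

    # Pull "h1,h2,h3,h4,p1,p2" out of "227 ... (h1,h2,h3,h4,p1,p2)".
    tuple=$(printf '%s\n' "$reply" |
        sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    old_ifs=$IFS; IFS=,
    set -- $tuple            # digits and commas only, so no globbing risk
    IFS=$old_ifs
    if [ "$#" -ne 6 ]; then echo "unparseable reply"; return 1; fi
    for n in "$@"; do
        case $n in
            ''|0?*|????*) echo "bad field: $n"; return 1 ;;
        esac
        if [ "$n" -gt 255 ]; then echo "bad field: $n"; return 1; fi
    done

    ip="$1.$2.$3.$4"
    port=$(( $5 * 256 + $6 ))   # RFC 959: port = p1*256 + p2

    # An RFC 1918 address here means the internal address leaked past NAT.
    case $ip in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "private IP advertised: $ip"; return 2 ;;
    esac
    if [ -n "$expected" ] && [ "$ip" != "$expected" ]; then
        echo "advertised $ip, expected $expected"; return 2
    fi
    if [ "$port" -lt "$low" ] || [ "$port" -gt "$high" ]; then
        echo "port $port outside $low-$high"; return 3
    fi
    echo "ok: $ip:$port"
}

# Constructed sample: 7*256+228 = 2020, the low end of the range.
check_pasv "227 Entering Passive Mode (203,0,113,42,7,228)" 2020 2100 203.0.113.42
```

On a LAN-only server where PassiveIP is deliberately an internal address, return code 2 is expected and only the port check is meaningful.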

Step 5 – Open the Ports on Your Firewall

If you’re using ufw (the default on Ubuntu), allow the range:

sudo ufw allow 2020:2100/tcp
sudo ufw reload

On a router, forward only those ports to your server’s internal IP.

Some routers will let you specify a port range; if not, open each port individually – it’s still fewer than the default.

Real‑World Scenario

I once had an FTP client that kept timing out after my friend installed ufw with a blanket deny rule and forgot to add the passive range. The client would connect but never start transferring data. Once I set both PassivePortRange and PassiveIP, the transfer resumed in seconds, and the firewall logs stopped spamming me with “connection refused” entries.

Quick Checklist
  • [ ] /etc/pure-ftpd/conf/PassivePortRange set to a narrow range
  • [ ] /etc/pure-ftpd/conf/PassiveIP points to your public or LAN IP
  • [ ] Pure‑FTPD restarted
  • [ ] Firewall allows the chosen port range

That’s it. Your FTP client should now connect, advertise the right address, and use ports that your firewall knows about.