Passive FTP connection does not work after enabling Plesk Firewall

Symptoms

1. Passive FTP connection (plain, non-SSL/TLS) does not work after enabling Plesk Firewall Tools & Settings > Firewall > Enable
2. Cannot list directory when connecting in passive mode:

   # ftp> dir
   227 Entering Passive Mode (192,0,2,2,176,121).
   ftp: connect: Connection timed out

3. Error in /var/log/messages:

   xinetd[2457]: START: ftp pid=4513 from=::ffff:203.0.113.2
   proftpd[4513]: processing configuration directory '/etc/proftpd.d'
   proftpd[4513]: FTP session opened.
   named[3167]: error (network unreachable) resolving

4. Error in /var/log/secure:

   proftpd: pam_listfile(proftpd:auth): Couldn't open /etc/ftpusers
   proftpd[4513]: (203.0.113.2) - USER username: Login successful.

5. passive FTP ports are configured and allowed in firewall
6. nf_conntrack_ftp module listing shows the following:

   # lsmod | grep conntrack_ftp
   #

Cause

nf_conntrack_ftp module is not loaded.

Resolution

1. Log in to Plesk server via SSH

2. Enable the kernel modules in the system:

   Note: Actions that involves kernel modules configuration should be performed on a physical or a virtual machine with full hardware emulation. If a VZ container is used, the same actions should be performed on a hardware node where this VZ container is running.  Contact the hosting provider if access to the hardware node is needed.

   2.1. Add the modules to the configuration file:

   # echo nf_nat_ftp >> /etc/modules-load.d/modules.conf
   # echo nf_conntrack_ftp >> /etc/modules-load.d/modules.conf

   2.2. On CentOS/RHEL, add the modules to the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file as follows:

   IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"