Installing a Firewall (eg: Config Security Firewall/CSF) is one step to hardening security of your webserver. But this come with an issue that CSF block PureFTPd/ProFTPd server, so your FTP client cannot connect to FTP server with passive mode. This is because CSF block the passive connection ports. To enable it you need set the ip range for passive connection, and make sure you are not block it from CSF.
To do that, you need to edit your FTP server configuration.
For PureFTPd:
open /etc/pure-ftpd.conf, and enable this line:
PassivePortRange 30000 35000
For ProFTPd:
open /etc/pure-ftpd.conf, and enable this line:
PassivePorts 30000 35000
Now you need to unblock that port range from CSF. Open CSF Firewall configuration from your WHM, and add that ports in TCP_IN, so it would like this:
TCP_IN: 20,21,22,25,53,80,110,143,443,30000:35000
Now restart both your CSF and FTP server. And once it done, you will able to connect to your FTP server with passive mode
Great tips! Just one thing to add.
Those settings will be overwritten once cPanel updates itself.
To make the settings permanent, make sure you edit /var/cpanel/conf/proftpd/local (or /var/cpanel/conf/pureftpd/local) file too.
https://documentation.cpanel.net/display/CKB/How+to+Enable+FTP+Passive+Mode