On 2017-12-05 14:38, Paolo wrote:
>
> FTP is always "special" ... :-)
>
> [...]
>
> What am I missing?
>
> I don't think it matters, but the natted FTP server is a CentOS 7.x
> with ProFTPd.
http://www.proftpd.org/docs/howto/NAT.html

You have to tell your FTP server which passive ports should be used. You have to open (forward) all of these ports because you cannot know which port will be selected for a specific connection. Helpers like ip_conntrack_ftp don't support encryption.

It is enough to open only port 21 + (2 additional passive ports) * parallel connections, i.e. if you only need to support 5 concurrent FTP connections, set "PassivePorts 60000 60010" and open/forward port 21 and 60000-60010.

But keep in mind: if you get 6 or more concurrent connections, these connections will fail without a user-friendly error message. So either allow more connections to be sure and/or enforce user limits in addition.

--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
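A worked configuration for the setup described in the reply above. This is an added example, not part of the original thread and not taken from the ProFTPD or Shorewall documentation. It assumes a ProFTPD server at 192.168.1.10 behind a Shorewall firewall whose zones are named net and loc, a single public address (203.0.113.10 is a placeholder from the documentation range), and the 60000-60010 range used in the post. MasqueradeAddress is the directive the linked NAT howto covers; it makes the server put the public address, not its private one, in PASV replies.

```conf
# /etc/proftpd.conf (excerpt) -- example; paths and addresses are assumed
# Restrict the ports the server may hand out in PASV replies. This range
# must match the range forwarded on the firewall exactly, or some data
# connections will land on a port nobody forwards.
PassivePorts 60000 60010

# Advertise the firewall's public address in PASV replies. Without this the
# server returns 192.168.1.10, which the remote client cannot reach.
MasqueradeAddress 203.0.113.10

# Cap sessions at what the forwarded range can serve, so an over-limit
# client gets a clear message instead of a silent hang on the data channel.
MaxClients 5 "Sorry, this server allows at most %m concurrent sessions"

# /etc/shorewall/rules (excerpt) -- example; assumes zones 'net' and 'loc'
#ACTION   SOURCE   DEST               PROTO   DPORT
# Control connection
DNAT      net      loc:192.168.1.10   tcp     21
# Passive data connections: forward the whole PassivePorts range, because
# the firewall cannot tell in advance which port a given session will use
DNAT      net      loc:192.168.1.10   tcp     60000:60010
```

Run `shorewall check` before `shorewall restart` to catch column or zone typos. Note that once the control channel is encrypted (FTPS), the conntrack helper cannot read the PASV reply, so this fixed range plus the DNAT rules is the only thing that keeps passive transfers working; MaxClients is what turns "connection 6 silently fails" into an explicit refusal.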