The problem with FTP is that at some point during the communication, FTP client and FTP server "agree" on using a different port than 21 and 20 TCP. If you use a sniffer you would see that the FTP client sends packets on destination port 21 with source port > 1024. When the transfer starts, the FTP client sends a port request telling which port to use for the transfer. In most cases this is source port + 1. With the sniffer, at some point you will see (provided you use normal FTP and not passive) something like this: "PORT 12,34,56,78,65,43". This means the client will listen on IP address 12.34.56.78 on port 16683 for the data channel. (NOTE: the port is the 65,43 pair and is calculated like this: (65x256)+43=16683.)

Without masquerading, and with FTP allowed, I only got this working by additionally opening ports 1024-65535. Now, suppose you allow outgoing 20,21 for FTP; you'd also need to open incoming high ports. Unfortunately, this parameter does not seem to work if you do not masquerade, so you need to add a forwarding rule which permits high ports from the outside world. This again leaves those ports always open, not only when an FTP session needs them.

With masquerading, this worked fine:

FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

Cheers
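The PORT decoding described in the post, as an added example that is not part of the original post or of any firewall package: it parses the six-field h1,h2,h3,h4,p1,p2 block of a client PORT command and of a server 227 (passive mode) reply, and reports which direction the data-channel connection will take, which is what a packet filter without an FTP helper has to know. The sample lines and the client/server addresses are constructed for the example; the PORT line reuses the values quoted in the post.

```python
import re

# Constructed sample lines (not from the post's own session): one active-mode PORT
# command from a client and one passive-mode 227 reply from a server.
SAMPLE_PORT_COMMAND = "PORT 12,34,56,78,65,43"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,20,195,80)"

# Both PORT and the 227 reply carry h1,h2,h3,h4,p1,p2: four IPv4 octets, then the
# port split into a high byte and a low byte (port = p1*256 + p2).
_SIX_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(fields):
    """Turn the six numeric fields into an (ip, port) tuple, rejecting out-of-range bytes."""
    values = [int(v) for v in fields]
    if len(values) != 6 or any(not 0 <= v <= 255 for v in values):
        raise ValueError("each of the six fields must be an integer in 0..255")
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return ip, port


def parse_port_command(line):
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' command; returns the (ip, port) the client will listen on."""
    m = re.fullmatch(r"PORT\s+" + _SIX_FIELDS.pattern, line.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError("not a well-formed PORT command: %r" % line)
    return decode_host_port(m.groups())


def parse_pasv_reply(line):
    """Parse a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply; returns (ip, port)."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    m = _SIX_FIELDS.search(line)
    if m is None:
        raise ValueError("227 reply carries no h1,h2,h3,h4,p1,p2 block: %r" % line)
    return decode_host_port(m.groups())


def expected_data_connection(line, client_ip, server_ip):
    """Describe the data-channel TCP connection a stateless packet filter would have to permit.

    client_ip / server_ip are the endpoints of the control connection (port 21).  In active
    mode the SERVER opens the data connection from port 20 to the high port the client
    announced; in passive mode the CLIENT connects from an ephemeral port to the high port
    the server announced.  announced_matches_peer is False when the address inside the
    PORT/227 block differs from the control-connection peer, which a firewall should
    refuse to open a hole for.
    """
    upper = line.strip().upper()
    if upper.startswith("PORT"):
        ip, port = parse_port_command(line)
        return {
            "mode": "active",
            "initiator": "server",
            "src": (server_ip, 20),
            "dst": (ip, port),
            "firewall_must_allow": "inbound to client high port %d" % port,
            "announced_matches_peer": ip == client_ip,
        }
    if upper.startswith("227"):
        ip, port = parse_pasv_reply(line)
        return {
            "mode": "passive",
            "initiator": "client",
            "src": (client_ip, "ephemeral"),
            "dst": (ip, port),
            "firewall_must_allow": "outbound to server high port %d" % port,
            "announced_matches_peer": ip == server_ip,
        }
    raise ValueError("neither a PORT command nor a 227 reply: %r" % line)


if __name__ == "__main__":
    # Client and server addresses below are constructed for the example.
    print(parse_port_command(SAMPLE_PORT_COMMAND))   # ('12.34.56.78', 16683)
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))       # ('192.168.1.20', 50000)
    print(expected_data_connection(SAMPLE_PORT_COMMAND, "12.34.56.78", "203.0.113.5"))
```

The output of expected_data_connection makes the post's point concrete: for an active-mode PORT the permitted flow is server:20 to client:high-port, i.e. an inbound connection to a port that is only known once the control channel has been read, which is why a filter without connection tracking ends up opening the whole 1024-65535 range, while passive mode only needs an outbound rule.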