I needed to set up a vsftpd server recently but I needed it running behind a NAT firewall. I set up port 21 in the port forwarding table. And it didn’t work. That’s because on Ubuntu 8.10 Intrepid Ibix the vsftpd config defaults to passive mode. I tried changing it to active mode but could not get that to work either. Since passive mode is recommended for vsftpd I went back to trying to make passive mode work. I needed to change vsftpd.conf to set the value of pasv_address to my public static IP address. Then in addition to forwarding port 21 I also needed to forward all of the ports in the range between pasv_min_port and pasv_max_port (inclusive) as defined in vsftpd.conf. In my case that was ports 32000-32127.

After adding that range to the port forwarding table in the NAT firewall it works great. You can increase or decrease the range of the passive ports and you can move it around in the port numbering space to suit your needs.