
FTP Access - 425 possible pasv port theft, cannot open data connection????

Every time I try to connect I get this error.
I am running Mac OS X Server 10.3 and have ports 20 and 21 open. It happens in the browser and in terminal. Can anyone please help? I really want to use FTP through browsers both Mac and PC. Thanks!

I have searched through many threads for a solution also.

PBook 17", Mac OS X (10.4.6)

Posted on Jun 28, 2006 3:33 PM


Jul 8, 2006 2:29 PM in response to G3Logic

OK, then here's the problem. For some reason, the Washington University FTP server (wuftpd) that Apple uses requires some additional configuration when behind a NAT router. This is inherent to wuftpd, whether or not it is used on Mac OS X Server. Here's how to configure the service to accept requests originating from a NAT router:

1. Using Server Admin, stop the FTP service, then open the /Library/FTPServer/Configuration/ftpaccess file using pico (via Terminal or SSH) or locally using a text editor. You'll need to su to root to edit the file or log in at the server as root.

2. Look for an entry with the text "passive address" - edit it or add it such that it reads: passive address router-ext-IP 0.0.0.0/0, replacing router-ext-IP with your router's public IP address.

Look for an entry with the text "pasv-allow" - edit or add it to read like this: pasv-allow all router-local-IP/24, replacing router-local-IP with the local IP address of the router. The "/24" is the subnet mask: 24 bits or three octets (bytes) "covered" or "1'd out". In each octet, the subnet mask is subtracted from 255 (11111111 binary) to return an allowed IP address range. Thus, "/24" is 255.255.255.0.

Here's an example: pasv-allow all 10.0.1.1/24

Look for an entry with the text "port-allow", and edit it similarly, following the same rules as with pasv-allow: port-allow all router-local-IP/24.

3. You can also add or edit the "passive ports" line to specify ports to use; otherwise, those will be chosen randomly. FTP operates in two modes: "port" which uses TCP ports 20 and 21, and "passive" or PASV which picks a port. If you want to use passive, you should narrow down the range of passive ports so that those can also be PAT forwarded to your server.

Don't worry - the first time I configured wuftpd behind a NAT router it took me several hours! I found this web site to be particularly helpful, and it's my source for this suggestion: http://articles.involution.com/linksysftp.php

--Gerrit
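
A lint for the ftpaccess directives the reply above walks through, added here as an example; it is not from the original post or from Apple's or wu-ftpd's tooling. The "passive ports <cidr> <min> <max>" argument order follows wu-ftpd's ftpaccess syntax; the function name lint_ftpaccess, the sample file and the "broader than /24" threshold are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges: a "passive address" inside one of these is a LAN address
# that clients on the internet cannot reach.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def lint_ftpaccess(text):
    """Return (findings, info) for the NAT-related wu-ftpd directives."""
    findings, info = [], {"external": None, "ports": None, "allow": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(line) < 2:
            continue
        if line[:2] == ["passive", "address"] and len(line) >= 4:
            ext = info["external"] = ipaddress.ip_address(line[2])
            if any(ext in net for net in RFC1918):
                findings.append(f"passive address {ext} is private, "
                                "not the router's public IP")
        elif line[:2] == ["passive", "ports"] and len(line) >= 5:
            lo, hi = int(line[3]), int(line[4])
            info["ports"] = (lo, hi)
            if lo < 1024 or hi > 65535 or lo > hi:
                findings.append(f"passive ports {lo}-{hi} is not a valid range")
        elif line[0] in ("pasv-allow", "port-allow") and len(line) >= 3:
            for glob in line[2:]:
                # strict=False accepts a host address: 10.0.1.1/24 -> 10.0.1.0/24
                net = ipaddress.ip_network(glob, strict=False)
                info["allow"].setdefault(line[0], []).append(net)
                if net.prefixlen < 24:   # assumed threshold: wider than the post's /24
                    findings.append(f"{line[0]} {glob} covers "
                                    f"{net.num_addresses} addresses; narrow it")
    if info["ports"] is None:
        findings.append("no passive ports line: data ports are random "
                        "and cannot be forwarded")
    return findings, info

# Constructed sample, not a real server's file.
SAMPLE = """\
passive address 192.168.1.20 0.0.0.0/0   # LAN IP entered by mistake
pasv-allow all 10.0.1.1/24
port-allow all 0.0.0.0/0
"""

if __name__ == "__main__":
    for finding in lint_ftpaccess(SAMPLE)[0]:
        print("WARN:", finding)
```

pasv-allow and port-allow relax wu-ftpd's check that the data connection comes from the same address as the control connection, which is why the lint flags entries wider than the router's own subnet.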
