Hello! How can I use port 21 as FTP for home, but not for a flexshare? I have tried port forwarding, but it's not working. Errors 200 and 227.
Responses (2)
Accepted Answer
Nick Howitt wrote:
You have to change the flexshare definitions in /etc/proftp.d but the webconfig will keep overwriting your changes every time you update a flexshare. You also need to change /etc/proftpd.conf. I don't know if the webconfig will overwrite this but updates may well. It is possible to block the system from overwriting files with (chattr +i ....) but it may have unwanted side effects.
Firewall redirects may be tricky. Although you think of ftp being on port 21, half the exchange is on port 20 unless you go passive. It is a horrible protocol like that. You wouldn't do a port forward to switch the port, but a redirect so a DNAT rule in the POSTROUTING chain. I have a feeling port information is exchanged in the ftp negotiation.
I think I've solved this problem. 2 mistakes:
1. I was testing external FTP from my home computer, but with a VPN. Without the VPN there was no connection to FTP at all. I've opened the FTP port in the firewall and connected to 21 and 2121 normally.
2. I was forwarding external 20-21 port to internal 2120-2121 port. After I've changed forward rule to external 20-21 - external 2120-2121 - BINGO!
I'm still thinking: do I need to forward 20 to 2120? But I'm not going to experiment with it right now.
Accepted Answer
You have to change the flexshare definitions in /etc/proftp.d but the webconfig will keep overwriting your changes every time you update a flexshare. You also need to change /etc/proftpd.conf. I don't know if the webconfig will overwrite this but updates may well. It is possible to block the system from overwriting files with (chattr +i ....) but it may have unwanted side effects.
Firewall redirects may be tricky. Although you think of ftp being on port 21, half the exchange is on port 20 unless you go passive. It is a horrible protocol like that. You wouldn't do a port forward to switch the port, but a redirect so a DNAT rule in the POSTROUTING chain. I have a feeling port information is exchanged in the ftp negotiation.
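Added example, not part of the original thread: reply codes 200 and 227 from the question are the server's answers to PORT and PASV, and both exchanges carry an IP address and data port inside the control channel (RFC 959), which is why moving the control port alone is not enough. The sketch below decodes that field and checks a 227 reply against what a firewall lets through; the sample lines, the WAN address 203.0.113.5 and the forwarded range 2120-2121 are constructed assumptions.

```python
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (six decimal bytes).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(line):
    """Return (kind, ip, port) from a PORT command or 227 reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        kind = "active"    # client tells the server where to connect back
    elif text.startswith("227"):
        kind = "passive"   # server tells the client where to connect
    else:
        return None
    m = _HOSTPORT.search(text)
    nums = [int(n) for n in m.groups()] if m else []
    if not nums or max(nums) > 255:
        return None
    # The data port is sent as two bytes: high byte * 256 + low byte.
    return kind, ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_passive_reply(line, dialed_ip, forwarded_ports):
    """List reasons the data connection announced in a 227 reply would fail.
    dialed_ip: address the client connected to (assumed: the router's WAN IP).
    forwarded_ports: ports the firewall passes through to the FTP server."""
    parsed = parse_data_endpoint(line)
    if parsed is None or parsed[0] != "passive":
        return []
    _, ip, port = parsed
    problems = []
    if ip != dialed_ip:
        problems.append(f"server advertises {ip}, client dialed {dialed_ip}")
    if port not in forwarded_ports:
        problems.append(f"data port {port} is not forwarded")
    return problems


# Constructed control-channel lines (not taken from the thread).
SAMPLE = [
    "227 Entering Passive Mode (192,168,1,10,195,80)",
    "PORT 192,168,1,20,200,10",
    "200 PORT command successful",
]

if __name__ == "__main__":
    print([parse_data_endpoint(line) for line in SAMPLE])
    print(check_passive_reply(SAMPLE[0], "203.0.113.5", range(2120, 2122)))
```

Both findings on the first sample line mean the login on the control port succeeds while directory listings and transfers hang, because the client is told to open a data connection the firewall does not pass.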
