> > and, worse, since the control channel is encrypted, this can't be done > > via a port monitor that sniffs and modifies 'port' commands, so this > > causes problems at BOTH ends of a NAT > > Could it be that the iptables ftp conntrack and nat modules does not > work with ftps because of this ? It is possible to instruct the FTPS client to keep the control channel in the clear so that firewalls that need to adjust to the ports being used can listen in on the conversation. The FTPS server has to agree to allow this to happen.