FTP connections through ftp proxy block. Log file says: "Failed to contact client data port"
Issue description
If you have a NAT device between your FTP clients and the FTP proxy (frox), FTP connections will be blocked until they time out whenever the transparent FTP proxy is enabled. You will also find entries like these in the frox log file:

    Mon Mar 2 11:32:02 2009 frox[18450] Connection timed out when trying to connect to <your ftp client ip>
    Mon Mar 2 11:32:02 2009 frox[18450] Failed to contact client data port

Solution
Explanation
Please read more about the two FTP connection methods, active mode and passive mode. Active mode requires the server (in our case, the FTP proxy) to initiate the data connection to the client. This is not an option here, because the NAT device sits between the FTP client and the FTP proxy, so that connection will never reach the client. That is why it is necessary to set passive mode on the client. In passive mode, however, the FTP client is required to initiate the data connection to the server (in our case, the FTP proxy) on a dynamic port that has been negotiated through the control connection. The FTP proxy listens on that port, but the system access firewall needs to allow traffic to it. Since multiple concurrent data connections can arrive at the FTP proxy, a whole port range has to be defined. Therefore the whole port range (50000-50999) reserved for passive data connections needs to be allowed by the system access firewall.
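
The two log entries quoted in the issue description are enough to find out which clients are still attempting active mode and need to be switched to passive mode. The following Python sketch is an added example, not part of the original article or of frox; it assumes the log layout shown above, and the sample log, its addresses and the function name active_mode_failures are constructed for illustration.

```python
import re
from collections import defaultdict

# Line layout taken from the frox entries quoted in the article:
#   <timestamp> frox[<pid>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\d{4})\s+"
    r"frox\[(?P<pid>\d+)\]\s+(?P<msg>.*)$")
TIMEOUT_PREFIX = "Connection timed out when trying to connect to "
FAILED_MSG = "Failed to contact client data port"

# Constructed sample log (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = """\
Mon Mar  2 11:32:02 2009 frox[18450] Connection timed out when trying to connect to 192.0.2.10
Mon Mar  2 11:32:02 2009 frox[18450] Failed to contact client data port
Mon Mar  2 11:40:15 2009 frox[18461] Connection timed out when trying to connect to 192.0.2.22
Mon Mar  2 11:40:15 2009 frox[18461] Failed to contact client data port
this line is constructed filler and is not a frox entry
Mon Mar  2 11:45:40 2009 frox[18475] Connection timed out when trying to connect to 192.0.2.10
Mon Mar  2 11:45:40 2009 frox[18475] Failed to contact client data port
"""

def active_mode_failures(log_text):
    """Return {client_address: {"count": n, "last_seen": timestamp}}."""
    pending = {}  # pid -> address from that process's latest timeout line
    report = defaultdict(lambda: {"count": 0, "last_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        pid, msg = m["pid"], m["msg"].strip()
        if msg.startswith(TIMEOUT_PREFIX):
            pending[pid] = msg[len(TIMEOUT_PREFIX):].strip()
        elif msg == FAILED_MSG:
            # Pair the failure with the timeout logged by the same process;
            # a failure without a preceding timeout is counted as "unknown".
            addr = pending.pop(pid, "unknown")
            report[addr]["count"] += 1
            report[addr]["last_seen"] = " ".join(m["ts"].split())
    return dict(report)

if __name__ == "__main__":
    for addr, info in sorted(active_mode_failures(SAMPLE_LOG).items()):
        print(f"{addr}: {info['count']} failed data connection(s), "
              f"last at {info['last_seen']}")
```

Each address in the report belongs to a client whose data connection the proxy tried and failed to open, which is the active-mode case described above.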