ip_masq_ftp does case sensitive comparisons of FTP commands when
snooping the control connection, and may thus miss legitimate PORT/PASV
negotiation. The culprit is the use of safe_mem_eq2 to match on the
commands, it catches them in either all-caps or all-lower-case (PASV,
pasv), but not in mixed case (PaSv) or with trailing whitespace ("PaSv
"), while RFC-959 (FTP) demands case insensitive handling of FTP
commands.
I don't currently have time to fix this myself and submit a patch,
sorry.
--
Matthias Andree