Maybe somebody has a better solution than this, but to me, the following
would be the obvious approach.
If host "A" is the fully firewalled server that hosts the FTP directory,
and server "B" is the server on which port 80 is accessible, then:
1. Run an FTP daemon on server A which limits access to the users
you specify
2. On server B:
ssh -L :80:A:21
where "A" is the IP address or hostname of server A
Then, clients can FTP to port 80 on server B and their traffic will be
forwarded to the FTP daemon on A.
It would be better to use some port other than 80 though, because:
- If a web server is running already on B, it will probably have
bound port 80
- 80 is the well-known port for HTTP, and it's not a great idea to
reappropriate it for some other protocol even if it's not being
used for HTTP
- You have to be root to bind ports < 1024, so the ssh tunnel will
have to be started as root
So, if you can use some arbitrary port >= 1024 for the tunnel, it would
be preferable.
I don't think you can do this without involving B at all, if that's the
only Internet-facing host on the LAN that you can do anything with.
