Maybe somebody has a better solution than this, but to me, the following would be the obvious approach. If host "A" is the fully firewalled server that hosts the FTP directory, and server "B" is the server on which port 80 is accessible, then: 1. Run an FTP daemon on server A which limits access to the users you specify 2. On server B: ssh -L :80:A:21 where "A" is the IP address or hostname of server A Then, clients can FTP to port 80 on server B and their traffic will be forwarded to the FTP daemon on A. It would be better to use some port other than 80 though, because: - If a web server is running already on B, it will probably have bound port 80 - 80 is the well-known port for HTTP, and it's not a great idea to reappropriate it for some other protocol even if it's not being used for HTTP - You have to be root to bind ports < 1024, so the ssh tunnel will have to be started as root So, if you can use some arbitrary port >= 1024 for the tunnel, it would be preferable. I don't think you can do this without involving B at all, if that's the only Internet-facing host on the LAN that you can do anything with.