
Why doesn't vsftpd respect the passive port range?

0 votes
2 answers
447 views
I configured vsftpd for passive mode:

    listen=YES
    log_ftp_protocol=YES
    pasv_enable=YES
    pasv_address=192.168.0.2
    pasv_min_port=10090
    pasv_max_port=10100

It works, but it uses random ports! Look at the output of ss during a transfer:

    tcp ESTAB 0 0 192.168.0.2:33150 192.168.0.2:21 users:(("ncftp",pid=14411,fd=4)) timer:(keepalive,119min,0) uid:1000 ino:236010 sk:400b cgroup:unreachable:1
    tcp ESTAB 0 0 192.168.0.2:44985 192.168.0.2:20 users:(("ncftp",pid=14411,fd=7)) timer:(keepalive,119min,0) uid:1000 ino:246607 sk:4011 cgroup:unreachable:1

This is OK without a firewall; with a firewall and port redirection for NAT it is a serious problem.

Why does vsftpd use random ports?

I have tried listen_ipv6=NO and disabling the pasv_address option. But nothing.

This is the complete configuration at present:

    anonymous_enable=YES
    connect_from_port_20=NO
    dirmessage_enable=YES
    ftpd_banner=Welcome
    listen=YES
    listen_ipv6=NO
    local_umask=022
    log_ftp_protocol=YES
    ls_recurse_enable=YES
    pasv_address=192.168.0.2
    pasv_enable=YES
    pasv_max_port=10100
    pasv_min_port=10090
    seccomp_sandbox=NO
    xferlog_enable=YES
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES

I have tried it on Slackware 15 and Debian 12.

This is an example: ncftp works but doesn't respect the passive port range; ftp works, but doesn't respect the passive port range:

    ftp -p 192.168.0.2
    Connected to 192.168.0.2 (192.168.0.2).
    220 Welcome
    Name (192.168.0.2:me): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> get 4.mkv
    local: 4.mkv remote: 4.mkv
    227 Entering Passive Mode (192,168,0,2,39,112).
    150 Opening BINARY mode data connection for 4.mkv (12904291 bytes).
    226 Transfer complete.
    12904291 bytes received in 0,0272 secs (473899,78 Kbytes/sec)
Asked by elbarna (13690 rep)
Mar 25, 2024, 10:11 AM
Last activity: Mar 25, 2024, 05:19 PM
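
Added example, not part of the original post: a 227 reply encodes the server's passive data port in its last two numbers (port = p1*256 + p2, per RFC 959), so a logged session can be checked against `pasv_min_port`/`pasv_max_port` before writing firewall or NAT rules. The function names are this example's own, and the sample inputs are constructed from the values quoted in the question.

```python
import re

# Constructed sample inputs, copied from the values quoted in the question.
SAMPLE_CONF = """\
pasv_enable=YES
pasv_address=192.168.0.2
pasv_min_port=10090
pasv_max_port=10100
"""
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,0,2,39,112)."

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv_range(conf_text):
    """Return (min, max) from vsftpd.conf text; 0 is vsftpd's default, 'any port'."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))

def decode_227(reply):
    """Return (ip, port) advertised by the server in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def port_in_range(port, lo, hi):
    """True if port lies in the configured range; an unset upper bound (0) is open."""
    return lo <= port <= (hi or 65535)

if __name__ == "__main__":
    lo, hi = parse_pasv_range(SAMPLE_CONF)
    ip, port = decode_227(SAMPLE_REPLY)
    verdict = "inside" if port_in_range(port, lo, hi) else "OUTSIDE"
    print("server advertised %s:%d, %s configured range %d-%d" % (ip, port, verdict, lo, hi))
```

In `ss` output the first address column is the local socket, so for a client process such as ncftp it shows the client's ephemeral source port rather than the server's data port.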