That's the problem; FTP in PASV mode can use any, even up to all (in extreme cases when 64,000 connections are in use at once), non-privileged ports. Opening all possible ports would make a firewall useless.
The following explanation is specific to Linux because I'm not familiar with FreeBSD; perhaps someone else can add to the thread so it covers information for FreeBSD as well.
Both the KISS and APF+BFD firewalls for Linux support FTP connection tracking and automatically open and close ports through the firewall for passive FTP as required.
But if your kernel doesn't support the ip_conntrack_ftp module, then you have to open ports manually for passive FTP, or else disallow it.
To open ports for passive FTP, you need to first select a range of unprivileged ports, then open them in your firewall, and then tell ProFTPd to limit passive FTP to those ports.
For reference you may want to look at Active FTP vs. Passive FTP, a Definitive Explanation, at Active FTP vs. Passive FTP, Appendix 1, and at [URL="http://www.kalamazoolinux.org/presentations/20010417/conntrack.html"]Connection Tracking[/URL] (for the latter scroll down to Connection tracking and ftp).
Jeff
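
A consistency check for the manual setup described in the post above, as an added example that is not part of the original post: it compares the PassivePorts range in proftpd.conf text with the TCP port ranges accepted in iptables-save output. The sample config, the sample rules, the 49152-49407 range and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs (not from the original post).
SAMPLE_CONF='ServerName "example"
# data ports handed out in PASV replies
PassivePorts 49152 49407'
SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 49152:49407 -j ACCEPT'

# Print "LOW HIGH" from the last PassivePorts directive in proftpd.conf text.
passive_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePorts" && NF >= 3 { r = $2 " " $3 }
        END { if (r != "") print r }'
}

# Print "LOW HIGH" for each INPUT ACCEPT rule (iptables-save text) that
# opens a TCP destination port range; single ports such as 21 are skipped.
fw_ranges() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i < NF; i++)
            if ($i == "--dport" && split($(i + 1), p, ":") == 2) print p[1], p[2]
    }'
}

# Verdicts: unset       no PassivePorts, so any unprivileged port may be used
#           invalid     range is reversed or outside 1024-65535
#           blocked     no single firewall rule covers the ProFTPD range
#           overexposed a firewall rule opens more ports than ProFTPD uses
#           ok          the firewall opens exactly the ProFTPD range
check_passive() {
    range=$(passive_range "$1")
    [ -n "$range" ] || { echo unset; return 0; }
    lo=${range% *}; hi=${range#* }
    { [ "$lo" -ge 1024 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]; } ||
        { echo invalid; return 0; }
    verdict=blocked
    while read -r flo fhi; do
        [ -n "$flo" ] || continue
        if [ "$flo" -le "$lo" ] && [ "$fhi" -ge "$hi" ]; then
            verdict=ok
            [ "$flo" -eq "$lo" ] && [ "$fhi" -eq "$hi" ] || { verdict=overexposed; break; }
        fi
    done <<EOF
$(fw_ranges "$2")
EOF
    echo "$verdict"
}

check_passive "$SAMPLE_CONF" "$SAMPLE_RULES"
```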