Because the connection is established on port 21, then switched to a different port afterwards.
The latter is, in your case, blocked by the fw.
pasv_enable — When enabled, passive mode connects are allowed.
The default value is YES.
pasv_max_port — Specifies the highest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
The default value is 0, which does not limit the highest passive port range. The value must not exceed 65535.
pasv_min_port — Specifies the lowest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
The default value is 0, which does not limit the lowest passive port range. The value must not be lower than 1024.
I think two should suffice, one in each direction, but I might be wrong.
Bear in mind, if you kill the client without logging out, those ports will
be allocated to your old session until an inactivity timeout is reached.
Well, PASV will require more ports to be opened in the FW, but FTP passwords are sent
over the internet in clear text anyway, so two extra open ports probably won't make any difference.
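To make the pasv_min_port / pasv_max_port documentation quoted earlier in the thread checkable, here is an added example (not code from the original thread, and not part of vsftpd) that parses a vsftpd.conf excerpt, applies the documented constraints (minimum not below 1024, maximum not above 65535, 0 meaning unbounded), reports how many simultaneous passive data connections the range can serve, and prints matching iptables rules. The sample config, the function names, and the assumption of a default-drop INPUT chain that already accepts ESTABLISHED traffic are mine.

```python
# Added example: validate a vsftpd passive-mode port range against the
# documented constraints and emit the firewall rules that range needs.
# Option names come from the vsftpd documentation quoted in the thread;
# the sample config below is constructed, not taken from any real server.

SAMPLE_CONF = """\
# constructed vsftpd.conf excerpt with a two-port passive range
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50001
idle_session_timeout=300
"""


def parse_vsftpd_conf(text):
    """Parse key=value lines; '#' comments and blank lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def _port(opts, key, default=0):
    """Read an integer option; a missing key yields the documented default (0).
    A non-numeric value returns -1 so the caller can report it."""
    try:
        return int(opts.get(key, default))
    except ValueError:
        return -1


def check_passive_range(opts):
    """Apply the constraints from the pasv_* documentation and return
    (pasv_min_port, pasv_max_port, list of problems)."""
    problems = []
    # pasv_enable defaults to YES per the documentation quoted above.
    if opts.get("pasv_enable", "YES").upper() != "YES":
        problems.append("pasv_enable=NO: passive connections are refused")
    lo = _port(opts, "pasv_min_port")
    hi = _port(opts, "pasv_max_port")
    if lo < 0 or hi < 0:
        problems.append("pasv_min_port/pasv_max_port must be integers")
        return lo, hi, problems
    if lo == 0 or hi == 0:
        problems.append("range unbounded (0): vsftpd may hand out any high port, "
                        "so the firewall cannot use a narrow rule")
    if lo and lo < 1024:
        problems.append(f"pasv_min_port={lo} is below 1024")
    if hi > 65535:
        problems.append(f"pasv_max_port={hi} exceeds 65535")
    if lo and hi and lo > hi:
        problems.append(f"pasv_min_port={lo} is above pasv_max_port={hi}")
    return lo, hi, problems


def concurrent_passive_transfers(lo, hi):
    """Each passive data connection occupies one port from the range, so the
    range size is the ceiling on simultaneous transfers. Sessions left dangling
    by a killed client hold their port until the inactivity timeout expires."""
    return hi - lo + 1


def iptables_rules(lo, hi, control_port=21):
    """Stateful INPUT rules for the control channel and the passive data range.
    Assumes (my assumption) a default-drop INPUT chain that already accepts
    ESTABLISHED,RELATED traffic, so only NEW connections need listing."""
    return [
        f"iptables -A INPUT -p tcp --dport {control_port} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {lo}:{hi} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
    ]


if __name__ == "__main__":
    opts = parse_vsftpd_conf(SAMPLE_CONF)
    lo, hi, problems = check_passive_range(opts)
    for p in problems:
        print("problem:", p)
    if not problems:
        print(f"passive range {lo}-{hi}: at most "
              f"{concurrent_passive_transfers(lo, hi)} simultaneous data connections")
        for rule in iptables_rules(lo, hi):
            print(rule)
```

With the two-port range from the thread the script prints two rules and reports a ceiling of two simultaneous data connections. Combined with the point made above about a killed client holding its port until the inactivity timeout, that means a range this narrow can refuse a legitimate second transfer while a dead session ages out; if that matters, widen the range (the firewall rule is a single port span either way) rather than shortening the timeout.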