In passive mode FTP, this is how the data connection is initialized:
- The FTP client asks the FTP server for an IP and port to connect to (using the PASV command).
- The FTP server supplies the IP (usually the same as the main connection IP) and the port to the client.
- The FTP client connects to the specified port at the FTP server.
Unfortunately, this means that the destination port of the data connection is supplied by the server and an FTP client doesn't have any control over it. An FTP client can't instruct the server to listen on a specific port - it has to accept what was offered.
The fact that FTP data connections don't use a fixed port number causes lots of problems with firewalls and this is further complicated when TLS/SSL security is used as well. There is even an Internet draft document dedicated solely to this and it's a must-read for anyone trying to understand the matter.
- Nearly all FTP servers make it possible to specify a port range for data ports. If you have control over the FTP server, configure it to only use a certain range (don't make it too narrow) and configure the firewall to allow these.
- If non-secure FTP works fine over your firewall, it is most likely a content-aware firewall that needs to be able to see the FTP communication to do its work. TLS/SSL makes this impossible. You might use the Ftp object's ClearCommandChannel to revert to an unencrypted FTP control connection after logging in (data connections can stay encrypted after this), enabling the firewall to work again in exchange for a degree of security.
- If possible, use SFTP instead of FTP or FTPS. It's a more modern protocol that only uses a single TCP connection (to port 22 by default) for all its data, which makes it much easier for firewalls to handle it.
(I didn't mention the possibility of using active FTP mode instead of passive mode because this mode is even less firewall-friendly. Also, I didn't mention the possibility of specifying source ports for FTP data connections because most firewalls are configured to filter outgoing connections based on destination ports, not source ports.)
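As an added example (not part of the original answer or the library it mentions), the following Python snippet parses the server's PASV reply described above and checks the offered endpoint against the control-connection IP and a firewall-permitted data-port range before the client would connect. The reply strings, the control IP and the 50000-50100 range are constructed for illustration.

```python
import re

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" tuple
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (ip, port) from a 227 reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("tuple field out of range in reply: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # high byte, low byte
    if port == 0:
        raise ValueError("server offered port 0")
    return ip, port


def check_data_endpoint(reply, control_ip, allowed_range):
    """Decide whether the offered data endpoint should be used.

    The client cannot choose the port, so the only defence is to refuse
    endpoints that do not match the control connection's IP or fall
    outside the range the firewall has been configured to allow.
    Returns (ok, reason, ip, port).
    """
    ip, port = parse_pasv_reply(reply)
    lo, hi = allowed_range
    if ip != control_ip:
        return False, "data IP %s differs from control IP %s" % (ip, control_ip), ip, port
    if not lo <= port <= hi:
        return False, "port %d outside firewall range %d-%d" % (port, lo, hi), ip, port
    return True, "ok", ip, port


if __name__ == "__main__":
    # Constructed sample replies; 192.168.1.10 plays the FTP server.
    control_ip, data_range = "192.168.1.10", (50000, 50100)
    for r in ("227 Entering Passive Mode (192,168,1,10,195,80)",   # 50000: accepted
              "227 Entering Passive Mode (192,168,1,10,4,1)",      # 1025: out of range
              "227 Entering Passive Mode (10,0,0,5,195,90)"):      # different host
        print(r, "->", check_data_endpoint(r, control_ip, data_range))
```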