The problem with FTP is, that at some point during the communication,
FTP Client and FTP Server "agreee" on using a different port than 21 and
20 TCP. If you use a sniffer you would see that the FTP client sends
packets on destination port 21 with source port > 1024. When transfer
starts the FTP clients send a port request on which port to use for
transfer. In most cases this is source port + 1. With the sniffer, at
some point you will see (provided you use normal FTP an not passive)
something like this "PORT 12,34,56,78,65,43". This means the client will
listen on ip address 220.127.116.11 on Port 16683 for the data channel.
(NOTE: the port is the 65,43 pair and is calculated like this:
Without masquerading, and allowed FTP, I only got this working by
additionally open ports 1024-65535.
Now, suppose you allow outgoing 20,21 for FTP, you'd also need to open
incoming high ports. Unfortunately, this parameter does not seem to work
if you do not masquerade, so you need to add a forwarding rule which
permits high ports from the outside world. This again leaves those ports
always open, not only when FTP sessions needs them.
With masquerading, this worked fine: