bash-3.00$ sudo tcpdump -i nge1 -nS 'tcp & 2 != 0' and 'port ftp'
FTP can be a bit twitchy to troubleshoot. It's an old protocol -- dating back to 1971 and RFC 114.
Originally, it was pretty straightforward: there are two ports in use, the control port (tcp/21) and the data port (tcp/20). The client connects to the control port and they have a lovely chat until time comes for the actual file to transfer. Then, the server opens a connection *from* its tcp/20 port to a port specified by the remote client. Which is why firewalls freak it out -- it involved an inbound connection.
PASV mode, or 'passive ftp', avoids some of this by letting both sides negotiate a high (above 1023) port, the server opens that port for connection and the client makes the connection to that port.
All of which makes it a fracking pain to troubleshoot from a network point of view.