With passive FTP, the server provides a port to the client and allows the client to initiate the connection rather than initiating the connection with the client from the data port. Web browsers and clients operating behind a firewall generally use passive ftp transfers. A general purpose FTP server will need to support passive FTP requests.
However, by default an FTP server will select a port from the entire range of high ports. It is not particularly safe to open all high ports. Fortunately, that range can be restricted. This firewall presumes that the range has been restricted to a specific selected range. That range must also be configured in the ftp server.
Instructions for specifying the port range for the wu-ftpd server can be found here (new tab):
http://www.wu-ftpd.org/man/ftpaccess.html (See the passive ports option.)
Instructions for the ProFTPD server can be found here (new tab):