One important firewall that can't deal with it: Amazon's NAT images for EC2. AFAICT, there's no way to run an ftp client behind Amazon's NAT unless you open all outbound ports, because the server is still the one that specifies which port the client should use for its PASV connection.
I think most firewalls solve this by actually rewriting the FTP packets on the fly (IIRC Cisco calls these "fixups"). That's seriously, seriously broken.
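The port problem described in the comment above, as an added example that is not part of the original post: a toy egress filter in Python showing why a static "allow port 21" rule blocks the passive data connection, and what a firewall that tracks the control channel has to do instead. The `EgressFilter` class, its method names and the sample addresses are constructed for illustration and do not model any particular product.

```python
import re

# RFC 959 passive reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))

def parse_pasv(line):
    """Return the (ip, port) announced in a 227 reply, or None if malformed."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The data port is chosen by the server: p1 * 256 + p2
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class EgressFilter:
    """Toy outbound filter: static port allow-list plus optional FTP tracking."""

    def __init__(self, allowed_ports, track_ftp=False):
        self.allowed_ports = set(allowed_ports)
        self.track_ftp = track_ftp
        self.pinholes = set()  # one-shot (ip, port) openings

    def on_control_reply(self, server_ip, line):
        """Inspect a server-to-client line seen on an established port 21 flow."""
        if not self.track_ftp:
            return
        target = parse_pasv(line)
        # Open a pinhole only toward the server the client is already talking
        # to, so a reply cannot steer the opening to an unrelated host.
        if target and target[0] == server_ip:
            self.pinholes.add(target)

    def allow_outbound(self, dst_ip, dst_port):
        if dst_port in self.allowed_ports:
            return True
        if (dst_ip, dst_port) in self.pinholes:
            self.pinholes.discard((dst_ip, dst_port))  # single use
            return True
        return False

# Constructed sample: documentation-range address, data port 195*256+80 = 50000
SERVER = "203.0.113.10"
REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
```
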