Good sets of filtering only allow ports 1024-2000 incoming when the destination
port is that, AND the source port is 20 or 21 (ftp-data, ftp-control), and
then tie that to the addressing so that only applies to an inbound packet.
Outgoing packets would reverse that with the source port being > 1023 and
the destination port being 20/21.
For more details, read Brent Chapman's paper and (This is unsolicited, Really!),
take his seminar. It will open your eyes. He's running an ad in the current
issue of Internet magazine.