iptables connection tracking
Wednesday, 30 April 2008 16:25

A customer IM'ed me today telling me that he thought something was wrong with a few of his servers that were located in the UK. I quickly checked our monitoring system to make sure there hadn't been any alerts that I missed, and found all of his probes were green. He went further into detail, explaining that he only had problems with FTP doing transfers. He could authenticate just fine, but any time he either tried to grab a file or do a listing, it would hang.

I immediately knew what the problem was. One of the first things I do for 95% of the servers I administer is enable kernel-based firewalls. These add a layer of stateful packet filtering without the expense of a physical firewall. The downside of a stateful firewall is that every packet must be matched against a tracked connection to decide whether it starts a new request or belongs to an established one. FTP breaks this model: the login happens on the control connection (port 21), but each listing or transfer opens a second, separate data connection. In passive mode the client opens that data connection to a random high port the server announced in its "227 Entering Passive Mode" reply, so to the firewall it looks like a brand-new inbound connection to a port nobody opened. Unless you specifically add support for tracking FTP data connections, the firewall drops those packets and the transfer sits there until it times out, exactly the symptom my customer described.

For Linux iptables firewalls, load the ip_conntrack_ftp kernel module (named nf_conntrack_ftp on newer kernels) and make sure the filter rules accept packets in state RELATED,ESTABLISHED; the transfers then go through. The module is a conntrack "helper": it reads the port number out of the FTP control channel so that the incoming data connection is marked RELATED to the tracked control connection instead of NEW. Three things to check if transfers still hang: the helper only watches port 21 unless you load it with ports=<port>; on kernels 4.7 and later helpers are no longer attached automatically, so the control connection needs an explicit "-j CT --helper ftp" rule in the raw table; and FTP over TLS encrypts the control channel, which hides the port announcement from the helper entirely, so there you have to open the server's configured passive port range instead.
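Here is the fix as a script, as an added example that is not from the original post: it loads the helper, generates the ruleset in iptables-restore format so it can be reviewed before it is applied, and includes the raw-table CT rule that newer kernels require. The FTP_PORT variable, the SSH rule and the DROP policy on INPUT are assumptions for a typical single server; adjust them for your host.

```shell
#!/bin/sh
# Added example, not the original post's code: make passive FTP work through
# a stateful iptables firewall on the FTP server itself.
# Assumptions: the FTP daemon listens on $FTP_PORT (default 21) on this host,
# the kernel ships nf_conntrack_ftp (older 2.6 kernels call it ip_conntrack_ftp),
# and SSH on port 22 must stay reachable (assumed admin access path).
set -eu

FTP_PORT="${FTP_PORT:-21}"

# Emit the ruleset in iptables-restore format. Three pieces matter for FTP:
#  1. the raw-table CT rule that attaches the "ftp" helper to control
#     connections (kernels >= 4.7 no longer attach helpers automatically);
#  2. the filter rule that accepts the control port itself;
#  3. the RELATED,ESTABLISHED rule: the data connection the client opens in
#     passive mode is only known to conntrack as RELATED because the helper
#     parsed the server's "227 Entering Passive Mode" reply.
ftp_conntrack_rules() {
    port="$1"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport ${port} -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the helper. "ports=" is needed when the daemon is not on 21, because
# the helper only inspects control connections on the ports it was told about.
load_ftp_helper() {
    port="$1"
    if [ "$port" = 21 ]; then
        modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    else
        modprobe nf_conntrack_ftp ports="$port" 2>/dev/null \
            || modprobe ip_conntrack_ftp ports="$port"
    fi
}

# Count tracked control connections that actually have the helper attached.
# A logged-in client with 0 here means the helper is loaded but not assigned.
verify_ftp_helper() {
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -L 2>/dev/null | grep -c 'helper=ftp' || true
    else
        grep -c 'helper=ftp' /proc/net/nf_conntrack 2>/dev/null || true
    fi
}

case "${1:-}" in
    show)   ftp_conntrack_rules "$FTP_PORT" ;;
    apply)  load_ftp_helper "$FTP_PORT"
            ftp_conntrack_rules "$FTP_PORT" | iptables-restore ;;
    verify) verify_ftp_helper ;;
esac
```

Run it as "FTP_PORT=21 ./ftp-fw.sh show" to inspect the rules, "apply" as root to install them, and "verify" while a client is logged in: a non-zero count confirms the helper is attached to the control connection, which is the precondition for the data connection being accepted as RELATED.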