Oh wait, I vaguely remember it was from a support document of a software package I used to support that made use of command line ftp client on windows.
So their concept is so screwed up and I didn't pay much attention to it. Me bad!
Anyway, like you said, ALG is more appropriate. Quite a few packet filtering firewalls (fw-1, pix, linux iptables) were having problems with port command when protecting ftp servers in DMZ. I'd blame the protocol -- it's just so hard to get it right.
This post has been archived. It cannot be replied.