I solved how to get an Active FTP connection with a remote Host through SuSEfirewall2, and thought posting here would be useful as it took me a few annoying hours to whittle down the solution (searching countless posts).

FTP is odd in that it requires two ports to do its job: a control port (21, ftp) and a data port (20, ftp-data). When a client connects in passive mode (PASV), the FTP host picks a high (>1024) TCP port for the data channel and the client connects to it. This helps the client traverse its own firewall, since both connections to the FTP host, control and data, are outgoing. But when the client connects in active mode, the client picks a (high) TCP port on which it will receive the data connection from the FTP host (normally from TCP port 20). This is problematic for the client: it has to either keep a fixed data port open as a 'pinhole' in its firewall, or modify its firewall each time a data port is picked by the client and relayed to the FTP host.

I needed to connect to a remote FTP host and it would not connect using passive mode, and I did not want to have to define a port for an active FTP connection in the firewall. So this is what it boiled down to:

== modify file: /etc/sysconfig/SuSEfirewall2
Set FW_LOAD_MODULES="[...] nf_conntrack_ftp", where [...] denotes any already existing modules, and
Set FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

== modify file: /etc/sysconfig/scripts/SuSEfirewall2-custom
In the hook function "fw_custom_before_port_handling()", add the following line before 'true' (and keep 'true'). The nf_conntrack_ftp helper watches the control channel for the port the client announces, so the incoming data connection is recognised and matched by "-m helper --helper ftp" instead of needing a fixed pinhole:
iptables -A INPUT -m helper --helper ftp -j ACCEPT
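As an added example (not from the original post), here is a POSIX shell script that applies the three changes above idempotently to whichever files you name, so you can run it on copies and diff them before editing /etc; it assumes GNU sed and the stock hook function name.

```shell
#!/bin/sh
# Added example (not from the original post): apply the SuSEfirewall2 changes
# above idempotently to the files you name, so you can run it on copies and
# diff them before editing /etc. Assumes GNU sed and the stock hook name.

# Print the value of a VAR="..." assignment in a sysconfig file.
get_fw_var() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# Replace or append VAR="value" (value must not contain '|' or '&').
set_fw_var() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=\"$3\"|" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# Append a kernel module to FW_LOAD_MODULES unless it is already listed.
add_fw_module() {
    current=$(get_fw_var "$1" FW_LOAD_MODULES)
    case " $current " in
        *" $2 "*) return 0 ;;            # already present: nothing to do
    esac
    set_fw_var "$1" FW_LOAD_MODULES "${current:+$current }$2"
}

# Insert a rule line before the 'true' of fw_custom_before_port_handling(),
# keeping 'true' as the last statement; no-op if the line is already there.
add_custom_rule() {
    grep -qF "$2" "$1" && return 0
    awk -v rule="$2" '
        /^fw_custom_before_port_handling\(\)/ { infn = 1 }
        infn && !done && /^[[:space:]]*true[[:space:]]*$/ { print "    " rule; done = 1 }
        infn && /^}/ { infn = 0 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on constructed copies (sample contents made up here) so /etc stays untouched.
demo() {
    cfg=$(mktemp); custom=$(mktemp)
    printf 'FW_LOAD_MODULES="nf_conntrack_netbios_ns"\nFW_CUSTOMRULES=""\n' > "$cfg"
    printf 'fw_custom_before_port_handling() {\n    true\n}\n' > "$custom"
    add_fw_module "$cfg" nf_conntrack_ftp
    set_fw_var "$cfg" FW_CUSTOMRULES /etc/sysconfig/scripts/SuSEfirewall2-custom
    add_custom_rule "$custom" 'iptables -A INPUT -m helper --helper ftp -j ACCEPT'
    cat "$cfg" "$custom"; rm -f "$cfg" "$custom"
}
demo
```

Run it a second time on the same copies and nothing changes, which is what you want from a script that may be re-run after an upgrade rewrites the sysconfig defaults.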

Tested this on two openSUSE 12.1 boxes and it seems to work, but I have not checked any security exploits this may have.
Now to get KDE dolphin to do an active FTP connection per host.

=) HRC