Firewall Wizards mailing list archives

PASSV (passive mode) FTP through routers/firewalls


From: "Riley, Larry" <larry.riley () disclosure com>
Date: Wed, 16 Jun 1999 12:23:07 -0400

I have a question about allowing PASSV (passive mode) FTP through
routers/firewalls.

We have a client who needs to be able to retrieve files via FTP from our
ftp server.  As of yet, they have been unable to do so, due to the fact that
they only allow PASSV (passive mode) FTP through their router/firewall, and
our server currently refuses permission for passive FTP.

I found some information indicating that in order to enable passive FTP on
our server, we would have to give world write permissions to the
pseudo-device /dev/tcp.  This is apparently an artifact of Solaris

Off the cuff, it strikes me that this permissioning might be a security
concern.  Arguably it is a bit more secure from the customer's point of view
for them to allow only PASSV mode.  Since they only have a router and not a
stateful firewall, they would have to open TCP high ports, which would leave
them vulnerable to TCP high port probing and denial of service attacks on
their internal hosts.

Does anyone have any words of wisdom whether we should enable passive mode
in this situation?

Thanks
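
The point raised in the post about which side has to accept an inbound data connection, as an added example that is not part of the original message: it parses a constructed PORT command and a constructed 227 reply (RFC 959 syntax) and reports who initiates the data connection in each mode. The addresses (documentation ranges), constants and function names are assumptions made for illustration.

```python
import re

# Constructed sample data; addresses come from the RFC 5737 documentation ranges.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"
ACTIVE_CMD = "PORT 192,0,2,10,195,80"                              # client -> server
PASSIVE_REPLY = "227 Entering Passive Mode (198,51,100,5,156,64)"  # server -> client

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Extract (ip, port) from the h1,h2,h3,h4,p1,p2 field of PORT or a 227 reply."""
    m = HOSTPORT.search(line)
    if not m:
        raise ValueError("no host-port field in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    # The port is sent as two bytes: high byte p1, low byte p2.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(line, server_ip=SERVER_IP, client_ip=CLIENT_IP):
    """Describe the TCP connection that will carry the file data."""
    ip, port = parse_hostport(line)
    if line.upper().startswith("PORT"):
        # Active mode: the server connects out (conventionally from port 20)
        # to the high port the client announced.
        return {"mode": "active", "src": server_ip, "dst": ip, "dport": port}
    if line.startswith("227"):
        # Passive mode: the client connects out to the high port the server announced.
        return {"mode": "passive", "src": client_ip, "dst": ip, "dport": port}
    raise ValueError("line is neither a PORT command nor a 227 reply")

def inbound_at_client(conn, client_ip=CLIENT_IP):
    """True if a stateless filter in front of the client must admit an inbound SYN."""
    return conn["dst"] == client_ip

if __name__ == "__main__":
    for line in (ACTIVE_CMD, PASSIVE_REPLY):
        conn = data_connection(line)
        print(conn["mode"], "->", conn["dst"], conn["dport"],
              "| inbound at client:", inbound_at_client(conn))
```
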



