
Proper way to handle FTP over SSL with restrictive firewall rules?

5 votes
1 answer
4716 views
Without SSL, FTP works fine over a stateful firewall, like netfilter (iptables) + the nf_conntrack_ftp kernel module, like this:

```
# modprobe nf_conntrack_ftp
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
```

The problem is that, when SSL is used, the FTP connection tracking module cannot work because it is unable to spy on the session to discover the session port chosen for data exchange. It is thus unable to open that port dynamically.

**Is there a proper way to make an SSL-enabled FTP server work, without disabling the firewall?**

For information, I use vsftpd with the ssl_enable=YES configuration option.
Asked by Totor (21030 rep)
Aug 15, 2014, 03:34 PM
Last activity: Oct 18, 2015, 03:25 PM
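As an added example (not part of the original question or any answer on the page), the usual mitigation when conntrack cannot see the encrypted control channel: pin vsftpd's passive data ports to a fixed range with its pasv_min_port/pasv_max_port options and open only that range statically next to port 21. The range 50000-50100 is an assumption; the helper validates it before emitting any rule.

```shell
#!/bin/sh
# Added example, not from the original post. With FTPS the PASV reply is
# encrypted, so nf_conntrack_ftp cannot learn the data port. Instead of
# disabling the firewall, pin the passive range in vsftpd and allow it
# statically. The range below is an assumed/constructed value.

PASV_MIN=50000
PASV_MAX=50100

# vsftpd settings that pin the passive data ports (pasv_min_port and
# pasv_max_port are real vsftpd options; the values are assumptions).
vsftpd_pasv_config() {
    printf 'ssl_enable=YES\npasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}

# Emit iptables rules: established/related traffic, the control port 21,
# and the pinned passive range. Fails (prints nothing) if the range is not
# numeric, not in 1024-65535, or reversed, so a bad range never opens ports.
ftps_iptables_rules() {
    min=$1; max=$2
    [ -n "$min" ] && [ -n "$max" ] || return 1
    case "$min$max" in *[!0-9]*) return 1;; esac
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] || return 1
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 21 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${min}:${max} -m conntrack --ctstate NEW -j ACCEPT"
}

# True if a data-connection port (e.g. from the firewall log) lies inside the
# pinned range; handy for confirming the server honours the range before
# tightening the rules.
port_in_pasv_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

vsftpd_pasv_config "$PASV_MIN" "$PASV_MAX"
ftps_iptables_rules "$PASV_MIN" "$PASV_MAX"
```

The printed iptables lines are meant to be reviewed, then applied; they are not executed by the script itself.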