How do you have your firewall configured? Since the usual way to protect yourself is to setup input rule, I am assuming you’ve set something there…
I believe that if you have an entry at or near the top that is of the form:
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
That the FTP data streams that are “related to” your FTP stream will be passed through.