that seems pretty dangerous...
That’s me, always living dangerously!
Actually, it’s almost entirely harmless. The only concerns with opening high ports is if you have databases or other services listening on public addresses (which is potentially quite dangerous). But, high ports are specifically for user-level, non-privileged communication–they’re intended for everybody on the system to be able to use them for various services. Realistically, not many services use them or need them to be open, and thus it’s irrelevant to have them open–it’s a security null. Neither positive nor negative, if you don’t have any services that use them.
There’s no need to be superstitious about firewalls and open ports–if you don’t have a service running on a port, then opening it is meaningless. No one can exploit a non-existent service, and pretty much nothing in a reasonably configured web server system actually runs on a high port (and those that do, like databases, default to local addresses only). And, if you have configured a service to run on a high port on a public address, then presumably it’s because you want to provide some sort of service to the world on that port…and you’d be opening it anyway!
Anyway, if you want to be specific, you could just open a small range of ports, and configure ProFTPd to only use those ports. By default, it will use any of the high ports–I think any that the client requests. But some folks go for just the ephemeral ports range, which is 49152:65534. Set ProFTPd to use this range with:
PassivePorts 49152 65534
And open iptables with:
iptables -I INPUT -p tcp --dport 49152:65534 -j ACCEPT
Again, you may prefer to instead use a stateful rule something like this:
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This doesn’t open any ports. It allows all traffic that is related to some other connection that’s already been allowed–so if you allow the initial FTP connection on 21 or 20 it’ll allow all subsequent requests that are related to that connection. At least, I think it’ll work that way.
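The two halves of the advice above (the PassivePorts directive and the iptables range) only work if they agree, and it is easy for one to drift after an edit. The following shell script is an added example, not code from the post above or from the ProFTPd project: it pulls the PassivePorts range out of proftpd.conf text, pulls the TCP ranges accepted on INPUT out of iptables-save output, and reports whether a single ACCEPT rule covers the whole passive range (and whether the range is a sane unprivileged one). The configuration and iptables-save fragments are constructed samples embedded inline, and the function names are my own. One caveat on the stateful alternative: the RELATED match only recognises passive FTP data connections when the ftp connection-tracking helper (nf_conntrack_ftp) is active for the control connection, which recent kernels do not assign automatically.

```shell
#!/usr/bin/env bash
# Added example: verify that the firewall opens exactly the passive range
# ProFTPd will advertise to clients. Run offline on the embedded samples, or
# feed it "$(cat /etc/proftpd/proftpd.conf)" and "$(iptables-save)".

# Constructed sample proftpd.conf fragment (not a real file).
PROFTPD_CONF='ServerName "Example FTP"
PassivePorts 49152 65534
'

# Constructed sample iptables-save output (not from a real host).
IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
COMMIT
'

# passive_range "<conf text>": print "lo hi" from the PassivePorts directive,
# exit 1 if the directive is absent (ProFTPd then uses any high port).
passive_range() {
  printf '%s\n' "$1" | awk '$1 == "PassivePorts" { print $2, $3; found = 1 }
                            END { exit !found }'
}

# accepted_tcp_ranges "<iptables-save text>": print one "lo hi" line per
# INPUT ACCEPT rule that matches tcp with a --dport (single port or lo:hi).
accepted_tcp_ranges() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") {
        n = split($(i + 1), p, ":")
        print p[1], (n == 2 ? p[2] : p[1])
      }
    }'
}

# range_covered lo hi "<iptables-save text>": return 0 if one ACCEPT rule
# covers the whole [lo, hi] range (partial overlap is not good enough).
range_covered() {
  local lo=$1 hi=$2 rlo rhi
  while read -r rlo rhi; do
    [ "$rlo" -le "$lo" ] && [ "$rhi" -ge "$hi" ] && return 0
  done <<EOF
$(accepted_tcp_ranges "$3")
EOF
  return 1
}

# check_passive_ports "<conf text>" "<iptables-save text>":
#   0 = firewall covers the PassivePorts range
#   1 = mismatch (passive transfers will hang for remote clients)
#   2 = no usable PassivePorts directive
check_passive_ports() {
  local range lo hi
  range=$(passive_range "$1") || {
    echo "no PassivePorts directive: ProFTPd may use any high port" >&2
    return 2
  }
  lo=${range%% *}; hi=${range##* }
  if [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
    echo "PassivePorts $lo $hi is not a sane unprivileged range" >&2
    return 2
  fi
  if range_covered "$lo" "$hi" "$2"; then
    echo "ok: INPUT accepts tcp $lo:$hi, matching PassivePorts"
    return 0
  fi
  echo "mismatch: no INPUT ACCEPT rule covers tcp $lo:$hi" >&2
  return 1
}

# Demonstration on the samples: the matching ruleset passes, a ruleset whose
# opened range was narrowed to 50000:51000 fails.
check_passive_ports "$PROFTPD_CONF" "$IPTABLES_SAVE"
NARROWED=$(printf '%s\n' "$IPTABLES_SAVE" | sed 's/49152:65534/50000:51000/')
if check_passive_ports "$PROFTPD_CONF" "$NARROWED"; then
  echo "unexpected: narrowed ruleset passed"
fi
```

Swap the embedded samples for the live files and run it from cron or a deploy hook; exit status 1 is the case worth alerting on, since it means clients will connect on 21 and then stall on every directory listing.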