I ran into the same problem using simple command line FTP. After much headbanging, I have what I think is the answer.

1. From NIS Settings,  select "Internet Settings"

2. In the "Smart Firewall" section, select "Configure" next to "Program Control"

3. In the list of programs, find your FTP client(s).

4. Select the FTP client, and click "Modify".

5. Find the rule for "Allow, Direction: Inbound, ...". Highlight, and click "Modify"

6. On the Communications tab, select the radio button for "All types of communication"

7. Select OK and/or Apply until done.

It looks like NIS is automatically creating a rule to allow inbound communication on whatever port FTP happened to use the first time it was run. Of course the next time FTP runs, it tries to open a different port for the inbound data, and that port isn't in the rule.