Could be many reasons. Either side wants to do an ident lookup and times out, or either side wants to do a reverse and forward DNS lookup somewhere around accepting the connection before anything happens and times out on non-working DNS, or you use some intelligent FTP client that would revert to passive FTP if active is not working, or else. Best to choose a command-line FTP client and test it with explicit passive mode on and off to see if it is really able to open both types of connections. Next, check DNS from both ends of the connection and see how fast (and if it is correct, not a servfail/nxdomain/... type of response) you get an answer from the DNS service for both reverse and forward lookups of the other side. Then allow or reject (don't simply drop) traffic for the ident service, or modify the FTP server settings.

btw: not directly related to your problem, but you might also want to: $fw -A FORWARD -p icmp -m state --state RELATED -j ACCEPT (and maybe OUTPUT too)