Passive FTP connections fail when TLS is used
The kernel's FTP connection-tracking helper can't read the PASV/EPSV reply inside an encrypted control channel, so it never learns the data port and the RELATED match is useless.
The solution is either to use ipt_recent to open up NEW connections on unprivileged ports to IPs that have recently connected to port 21, or to just open up those ports regardless of recent activity.
The port range can be restricted in pure-ftpd (PassivePortRange), so a smaller range can be opened in the firewall, e.g. 30000 - 40000.
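Both options above as iptables rules, written as an added example (not from the original notes). It assumes pure-ftpd has `PassivePortRange 30000 40000` set, that an ESTABLISHED/RELATED accept rule already exists earlier in the INPUT chain, and that the default policy drops what is not listed; the 300-second window and the list name "ftp" are assumptions. By default the script only prints the rules; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: firewall rules for passive FTP over TLS.
# Assumptions: pure-ftpd uses PassivePortRange 30000 40000, an
# ESTABLISHED,RELATED accept rule already precedes these in INPUT,
# and INPUT's default policy is DROP.
# Because the PASV/EPSV reply is encrypted, nf_conntrack_ftp cannot mark
# the data connection RELATED, so the data ports must be opened explicitly.

PASV_LOW=30000
PASV_HIGH=40000
# Dry run by default: prints the commands. Set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Option A: open the passive range only to clients that recently opened a
# control connection to port 21, using the "recent" match (ipt_recent).
pasv_rules_recent() {
    # Record the source of every new control connection in list "ftp".
    # --set always matches, so the packet is then accepted.
    $IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW \
        -m recent --name ftp --set -j ACCEPT
    # Accept new data connections only from sources seen on port 21 within
    # the last 300 seconds (window is an assumption; tune to session length).
    $IPT -A INPUT -p tcp --dport "${PASV_LOW}:${PASV_HIGH}" \
        -m conntrack --ctstate NEW \
        -m recent --name ftp --rcheck --seconds 300 -j ACCEPT
}

# Option B: open the passive range to everyone (simpler, wider exposure).
pasv_rules_open() {
    $IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport "${PASV_LOW}:${PASV_HIGH}" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: choose one option, e.g.
#   IPT=iptables sh ftp-pasv.sh    (after uncommenting the call below)
# pasv_rules_recent
```

Option A is the one to prefer: a client must first reach port 21, so the 10 000 data ports are not reachable from arbitrary sources, and the rule count stays at two. Check the tracked sources with `cat /proc/net/xt_recent/ftp`.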