Security flaw in Linux 2.4 IPTables using FTP PORT
This can be used, for example, for the FTP server to connect to any TCP port on the firewall, or any other node protected by the firewall. Even though there may be rules normally denying this type of traffic, it would pass through the firewall, because of the rule allowing RELATED. The attacker does not even need to have a valid login in the FTP server, as the PORT command is interpreted by the module independently of any authentication procedures (USER and PASS)."
The link for this article located at Tempest Security is no longer available.