As I get older, I seem to be getting more paranoid, so I've recently begun egress filtering on my Linux firewall box. I REJECT all outbound packets from the internal net except on those few destination ports I choose to permit (e.g., 21, 25, 80, 110, 6667, etc).
Unfortunately, FTP seems to have been a casualty of the new filtering since it wants to open a random unprivileged port after the initial connection on port 21. All of the egress rules I've seen for FTP say to open all unprivileged ports to outbound traffic (1024-65535), which obviously I'm not going to do because it defeats the whole purpose of egress blocking.
How do people normally handle FTP on a network with egress blocking, and does anybody have a rule that works without digging me a new a55 on my firewall?
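The usual answer to this question is to let the kernel's FTP connection-tracking helper do the work: it watches the control channel on port 21, parses the PASV/EPSV (or PORT) exchange, and marks the resulting data connection RELATED, so a single `--ctstate RELATED,ESTABLISHED` rule admits it without opening 1024-65535 outbound. The script below is an added example and not code from the original thread; the interface name, internal subnet and permitted port list are assumptions, and it runs in dry-run mode by default (printing the `iptables` commands) so the generated ruleset can be reviewed without root. The "weak" rule is shown only for comparison with the helper-based one.

```shell
#!/bin/sh
# Added example (not from the original post): egress filtering on a Linux
# firewall/router that still allows FTP passive-mode data connections.
# It relies on the kernel FTP conntrack helper (nf_conntrack_ftp), which
# inspects the port-21 control channel and classifies the negotiated data
# connection as RELATED. Interface, subnet and ports below are assumptions.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ALLOWED_PORTS="${ALLOWED_PORTS:-21 25 80 110 6667}"

# DRY_RUN=1 prints the iptables commands instead of executing them, so the
# ruleset can be inspected on a box without root or iptables installed.
DRY_RUN="${DRY_RUN:-1}"
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The rule commonly posted for FTP: it lets any internal host reach any
# unprivileged port on any destination, which defeats egress filtering.
weak_ftp_rules() {
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 1024:65535 -j ACCEPT
}

# Helper-based alternative: only the listed ports are opened for NEW
# connections; FTP data channels are admitted because conntrack marks
# them RELATED once the helper has parsed the control channel.
egress_rules() {
    # Kernels since 4.7 no longer attach helpers automatically, so assign the
    # FTP helper to outbound control connections explicitly in the raw table.
    ipt -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp
    # PASV data connections appear as RELATED; return traffic as ESTABLISHED.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    for port in $ALLOWED_PORTS; do
        ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else leaving the internal net is logged, then rejected.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j LOG --log-prefix "EGRESS-REJECT: "
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j REJECT
}

# Sanity check: returns 0 when the generated ruleset contains no wildcard
# unprivileged-port range, i.e. the egress policy is still intact.
ruleset_has_no_wildcard_range() {
    ! egress_rules | grep -q -- '--dport 1024:65535'
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    modprobe nf_conntrack_ftp
    egress_rules
fi
```

Run it with no arguments to print the rules for review, or with `apply` as root to load the helper module and install them. Two caveats: the helper can only parse a plaintext control channel, so FTP over TLS (where the PASV reply is encrypted) still needs an explicit allowance or a different approach; and active-mode transfers, where the server connects back to the client, are handled by the same RELATED rule on the inbound side, so no separate hole is needed there either.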