Do not mistake the security permissions for IPSEC filters; there is no
permit/block precedence.
From the help document:
"Filters are applied in the order of most-specific filters first. Filters
are not applied in the order in which they appear in the list."
AFAIR, you should create a single policy that denies all traffic, then allow
TCP ports. BTW, you need to define your own "Block" filter action; there is
none.
Anyhow, open the management console, go to the IP security node (if one exists)
and hit F1. Read the IPSEC help thoroughly; there are a lot of things to learn
from there, and the logic is rather complex.
Also note that IPSEC is a security filter, not a firewall: it cannot block
connections, just traffic, meaning that if you have port X open, people
can still keep connections open if there is no timeout; the data just does not
flow (IPSEC discards packets). Perhaps you should go for a 3rd-party
firewall.
Regarding your FTP problem, PASV reverses the server-client roles, that is, you
tell the server to listen for data connections from you instead. Meaning
that the server must listen on a certain port, most likely one assigned to you
so the server can tell who is transferring what. In that case, the port is
not the data port. (RFCs vary and so do the FTP servers.)
Check the PASV reply from the server for the IP and port and see if they
match (they probably will not). PASV was designed for firewalls, not IPSEC. You
might be better off telling the client not to use PASV.
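The "check the PASV reply" step above, as an added example that is not part of the original post. It decodes the six-number tuple of a 227 reply the way RFC 959 defines it (four address octets, then port = p1*256 + p2) and compares the advertised address with the host the control connection went to, which is the mismatch the poster expects. The sample replies and the 203.0.113.7 control host are constructed for the example; the fallback to the control-connection address when the advertised one is private is a common client behaviour, not something the post describes.

```python
import re
from ipaddress import ip_address

# h1,h2,h3,h4,p1,p2 inside parentheses, as in:
#   227 Entering Passive Mode (192,168,1,10,195,149).
PASV_TUPLE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str):
    """Return (ip, port) advertised by a '227 Entering Passive Mode' reply.

    Per RFC 959 the tuple is four address octets followed by the port split
    into high and low bytes: port = p1 * 256 + p2. Anything that is not a
    well-formed 227 reply raises ValueError rather than guessing.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of byte range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("server advertised port 0 in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def check_pasv(reply: str, control_host: str):
    """Compare the advertised data endpoint with the control-connection host.

    control_host is the IP the client actually connected to for the control
    channel. If the server (typically behind NAT) advertises a different or
    private address, the data connection will not reach it; the result says
    so and suggests the control host as the address to connect to instead
    (an assumption about client behaviour, not part of the FTP RFC).
    """
    adv_ip, adv_port = parse_pasv_reply(reply)
    ip_matches = adv_ip == control_host
    private = ip_address(adv_ip).is_private
    connect_to = (adv_ip, adv_port) if ip_matches or not private else (control_host, adv_port)
    return {
        "advertised_ip": adv_ip,
        "advertised_port": adv_port,
        "control_host": control_host,
        "ip_matches": ip_matches,
        "private_ip": private,
        "connect_to": connect_to,
    }


if __name__ == "__main__":
    # Constructed sample: server reachable at 203.0.113.7 but advertising
    # its private NAT address, the typical "they probably will not match" case.
    sample = "227 Entering Passive Mode (10,0,0,5,4,1)."
    print(check_pasv(sample, "203.0.113.7"))
```

The advertised port is the one the IPSEC filter must permit inbound on the server for the data connection; if the server picks it from a range, the filter has to cover that whole range, which is the practical reason the poster suggests turning PASV off.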