Being (a little) paranoid about security is never a bad idea :-)
When an FTP client issues a 'pasv' command to the server, it opens up a random port without the (pre-defined) port range; the ports aren't open all the time.
The server will reply with something like
227 Entering Passive Mode (ip,ip,ip,ip,porth,portl)
where the server IP is being displayed in the usual fashion (four decimal bytes), and the port is being specified by multiplying porth by 256 and adding portl.
So for example, (127,0,0,1,4,15) tells the client to open up a TCP connection to 127.0.0.1:1039.
Hope I could clear things up for you.
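Added example, not part of the original post: a small Python parser for the 227 reply described above, which decodes the address and port and reports when the port falls outside the passive range you configured. The function names, the sample replies, the port ranges and the optional comparison against the control connection's address are assumptions made for illustration.

```python
import re

# Six comma-separated decimal fields inside the parentheses of a 227 reply.
_PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")


def parse_pasv(reply):
    """Return (ip, port) decoded from a '227 Entering Passive Mode (...)' reply."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of byte range: %r" % fields)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # porth * 256 + portl
    return ip, port


def audit_pasv(reply, port_range, control_ip=None):
    """Return a list of findings; an empty list means nothing unexpected.

    port_range is the (low, high) passive range configured on the server
    and allowed through the firewall (hypothetical values in the demo).
    control_ip, if given, is the address the control connection went to.
    """
    ip, port = parse_pasv(reply)
    low, high = port_range
    findings = []
    if not low <= port <= high:
        findings.append("port %d outside passive range %d-%d" % (port, low, high))
    if control_ip is not None and ip != control_ip:
        findings.append("data address %s differs from control address %s"
                        % (ip, control_ip))
    return findings


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real server.
    samples = [
        "227 Entering Passive Mode (127,0,0,1,4,15)",
        "227 Entering Passive Mode (10,0,0,5,195,80)",
    ]
    for line in samples:
        print(parse_pasv(line), audit_pasv(line, (1024, 1100), "127.0.0.1"))
```
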