FTP rule for NACL in AWS
Solution 1:
Security groups are stateful in that you would only need to add the outwards rule. NACLs are stateless so you need to add in rules as well as out rules. Most AWS people use security groups in preference to NACLs because the automatic return traffic makes it simpler.
With NACLs ephemeral ports (explanation here and another here) need to be opened to allow return traffic. Read the links, FTP doesn't work as expected. Those ports vary a bit based on your OS (Wikipedia reference) tells us
The Internet Assigned Numbers Authority (IANA) suggests the range 49152 to 65535 (215+214 to 216−1) for dynamic or private ports.3
Many Linux kernels use the port range 32768 to 60999.
Best allow ports 49152 to 65535 inwards on your NACLs to allow FTP to work.