FTP/SSL in passive mode with a port range: which ports have to be open on the firewall?

Slacksite has a good explanation of how FTP operates in active vs. passive mode, and definitive information on the data connection behaviour is in RFC 4217, § 7.

Basically, assuming your clients use passive mode and explicit SSL (i.e. they connect on control port 21 instead of 990 for implicit SSL), you would need to allow incoming connections to the control port 21 and your 5 data ports from any client's high port range to the server, and outgoing established connection packets from the respective ports to random high ports. Active FTP is normally not a good idea, as the server will try to actively open a connection to the client, which most client-side stateful firewalls will not allow if not configured accordingly.
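A way to check the point above in practice, as an added example that is not part of the original thread: under FTPS the control channel is encrypted, so the firewall cannot read the server's `227 Entering Passive Mode` reply and pinhole dynamically; the fixed passive range is the only thing it can enforce. The script parses a 227 reply and verifies the advertised address and port fall inside that range (the addresses and port range are constructed values).

```python
import re

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1*256 + p2 per RFC 959
    return host, port


def check_passive_endpoint(reply, public_host, pasv_range):
    """Compare the advertised data endpoint against what the firewall allows.

    public_host: the address clients actually reach the server on
    pasv_range:  (low, high) inclusive, the data ports opened on the firewall
    Returns a list of problems; an empty list means the reply is consistent.
    """
    host, port = parse_pasv(reply)
    low, high = pasv_range
    problems = []
    if host != public_host:
        # Typical when the server sits behind NAT and advertises its internal IP.
        problems.append("advertised host %s does not match public host %s"
                        % (host, public_host))
    if not low <= port <= high:
        problems.append("advertised port %d outside firewalled range %d-%d"
                        % (port, low, high))
    return problems


if __name__ == "__main__":
    # Constructed sample: a public address with 5 passive ports opened, 50000-50004.
    for r in ("227 Entering Passive Mode (203,0,113,10,195,80).",
              "227 Entering Passive Mode (192,168,1,5,195,80).",
              "227 Entering Passive Mode (203,0,113,10,4,1)."):
        print(r, "->", check_passive_endpoint(r, "203.0.113.10", (50000, 50004)) or "ok")
```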


Yes, FTPS has big issues in terms of port use. It retrofitted encryption on a protocol, FTP, that was designed for a network without firewalls and black hats.

However, SFTP has significant performance issues with large files and high-latency (or long-distance) connections. So as bandwidth improvements allow larger file transfers, SSH/SFTP's limitations become more significant and FTPS is the only other alternative.


Usually, explicit "active" FTPS is port 990 and the control port is 989. Passive is the same as active but just means that in addition to 989 you use a few ports over the 1024+ range open on the server (for the client to initiate data connection), depending on how you configured your server.

Personally I prefer to use NULL FTP Server, run an implicit SFTP on port 22, and just have a single-port implementation.