I've notice that client connections to my internal Liveupdate servers use PASV. It it possible to force Active FTP.
(001889) 8/14/2009 0:01:15 AM - (not logged in) (10.21.104.160)> Connected, sending welcome message...
(001889) 8/14/2009 0:01:15 AM - (not logged in) (10.21.104.160)> 220 Symantec Liveupdate Distribution Point
(001889) 8/14/2009 0:01:15 AM - (not logged in) (10.21.104.160)> USER lu_reader
(001889) 8/14/2009 0:01:15 AM - (not logged in) (10.21.104.160)> 331 Password required for lu_reader
(001889) 8/14/2009 0:01:15 AM - (not logged in) (10.21.104.160)> PASS *********
(001889) 8/14/2009 0:01:15 AM - lu_reader (10.21.104.160)> 230 Logged on
(001889) 8/14/2009 0:01:15 AM - lu_reader (10.21.104.160)> TYPE I
(001889) 8/14/2009 0:01:15 AM - lu_reader (10.21.104.160)> 200 Type set to I
(001889) 8/14/2009 0:01:15 AM - lu_reader (10.21.104.160)>
PASV
(001889) 8/14/2009 0:01:15 AM - lu_reader (10.21.104.160)>
227 Entering Passive Mode (10,181,47,39,245,53)
(001889) 8/14/2009 0:01:15 AM - lu_reader (10.21.104.160)> SIZE