Comment 2 for bug 1726550

Thanks for the bug and additional information! We need to adjust the documentation for this, with common examples. You asked specifically about where to put your rule. See 'man ufw-framework'. You'll likely want to add something like this to the end of /etc/ufw/before.rules, after the COMMIT line:

# Update for CT modules for passive ftp
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT