Re: pf and ftp proxy for lan ftp clients

On Mon, 06 Jun 2005 15:35:51 -0500, Mike Delaney wrote:
> On Sun, 05 Jun 2005 18:18:04 GMT, dave said something similar to:
>: I'm trying to get ftp working for clients behind a pf firewall running
>: on 3.6. Both active and passive ftp connections work from the firewall
>: itself but neither work from any clients behind the firewall. I'm using a
>: default block all policy and from the tcpdumps I'm doing it looks like
>: source ports are being blocked when they go to the lan interface to be
>: transferred to the ftp-proxy.
>
> Of course the client to proxy traffic is being blocked. You're blocking by
> default and haven't explicitly permitted it.
>
> pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 \
> flags S/SA keep state

Or just use the 'pass' modifier to rdr:

    If the pass modifier is given, packets matching the translation
    rule are passed without inspecting the filter rules:

rdr pass on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021
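
Added example, not part of either poster's message: the two approaches from this thread side by side in one pf.conf fragment, covering only the client-to-proxy leg. The interface name and client network are constructed values; with `rdr pass` the filter rules are skipped, so the source restriction from the explicit pass rule is moved onto the rdr rule itself.

```conf
# Constructed values: interface name and client network are assumptions.
LAN         = "fxp1"
LAN_CLIENTS = "192.168.1.0/24"

# --- Translation rules (placed before the filter rules) ---

# Variant A: redirect only. The filter rules below still decide whether
# the redirected packet is allowed in.
rdr on $LAN proto tcp from $LAN_CLIENTS to any port 21 -> 127.0.0.1 port 8021

# Variant B: use instead of variant A and its pass rule. Matching packets
# bypass the filter rules, so "from any" here would admit every source
# arriving on $LAN; restrict the source on the rdr rule instead.
# rdr pass on $LAN proto tcp from $LAN_CLIENTS to any port 21 -> 127.0.0.1 port 8021

# --- Filter rules ---
block all

# Needed with variant A only. Translation is applied before filtering,
# so this rule matches the rewritten destination (127.0.0.1 port 8021),
# not the FTP server's address and port 21.
pass in on $LAN inet proto tcp from $LAN_CLIENTS to 127.0.0.1 port 8021 \
    flags S/SA keep state

# Rules for the proxy's own outbound and data connections are not shown.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sn` lists the translation rules that are currently loaded.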