Ok! I am really having a bad times playing with ftp-proxy!
It is working, but rules inserted are not showed, like in:

root@gw# pfctl -sn -a 'ftp-proxy/*'
root@gw# pfctl -sr -a 'ftp-proxy/*'
root@gw# pfctl -sr -a '*'
scrub out on pppoe0 all max-mss 1452 fragment reassemble
block return log all
anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}
anchor "feif" on pppoe0 all {
  pass in log from any to (pppoe0) flags S/SA keep state (if-bound)
  pass out log from (pppoe0) to any flags S/SA keep state (if-bound) !
tagged NAT
  pass out log proto tcp from (pppoe0) to any port = www flags S/SA keep state (
if-bound) tagged NAT
  pass out log proto tcp from (pppoe0) to any port = https flags S/SA
keep state (if-bound) tagged NAT
  pass out log proto tcp from (pppoe0) to any port = 5999 flags S/SA
keep state (if-bound) tagged NAT
}
anchor "fiif_0" on sis0 all {
  pass in log from (sis0:network) to (sis0) flags S/SA keep state (if-bound)
  pass in log from (sis0:network) to (sis0:broadcast) flags S/SA keep
state (if-bound)
  pass out log from (sis0) to (sis0:network) flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to ! (sis0) port = www
flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to ! (sis0) port = https
flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to ! (sis0) port = 5999
flags S/SA keep state (if-bound)
  pass in log proto tcp from (sis0:network) to (lo0:0) port = 8021
flags S/SA keep state (if-bound) tagged RDR_0
}
block return in log on ! lo0 from (lo0:network) to any
block return in log on sis0 from (sis0:broadcast) to any
block return in log on ! sis0 from (sis0:network) to any
block return in log on ! sis0 from any to (sis0:broadcast)
block return in log on sis0 inet from any to 127.0.0.0/8 ! tagged RDR_0
block return in log on ! pppoe0 from (pppoe0) to any
block return in log on pppoe0 from any to <net> ! tagged RDR
block return in log inet from 255.255.255.255 to any
block return in log inet from any to 0.0.0.0/8

Does anybody have any ideia why? (i tried during passive/active data transfer).

I really thank you for your time and cooperation.

Very best regards.

On 5/14/07, Joachim Schipper <j.schipper@math.uu.nl> wrote:
quoted text
> On Mon, May 14, 2007 at 02:43:34PM -0300, John Nietzsche wrote:
> > On 5/14/07, Joachim Schipper <j.schipper@math.uu.nl> wrote:
> > >On Mon, May 14, 2007 at 01:24:07PM -0300, John Nietzsche wrote:
> > >> Dear gentleman/madam,
> > >>
> > >> i have installed my openbsd firewall and i am trying to get ftp client
> > >> behind working.
> > >> It is working nicely. But, when i try to lookup and the nat rules
> > >> inserted by ftp-proxy, i get nothing :
> > >>
> > >> root@gw# pfctl -sn -a '*'
> > >> nat-anchor "ftp-proxy/*" all
> > >> nat-anchor "neif" on pppoe0 all
> > >> nat-anchor "niif_0" on sis0 all
> > >> rdr-anchor "ftp-proxy/*" all
> > >> rdr-anchor "reif" on pppoe0 all
> > >> rdr-anchor "riif_0" on sis0 all
> > >> root@gw# pfctl -sn -a 'ftp-proxy/*'
> > >>
> > >>
> > >> I am very confused on why it is not showed anything.
> > >
> > >I'm fairly certain ftp-proxy only inserts rules for active FTP sessions,
> > >and removes them as soon as they are no longer active.
> >
> > According to pf FAQ:
> >
> > "With passive mode FTP (the default mode with OpenBSD's ftp(1)
> > client), (...)"
> >
> > ok! I am really having a bad time with this issue! Not to get it
> > working but to understand it. If ftp-proxy does not insert rules how
> > does the outgoing traffic is permitted across the firewall for a
> > dynamic port choosen by the server?
>
> Oops, poor word choice. 'Active FTP sessions' was not intended to mean
> 'sessions using active FTP' (as opposed to passive FTP), but 'FTP
> sessions that are active' (i.e., connected).
>
> ftp-proxy does insert rules in anchrors, but only for sessions that are
> connected at that time. In other words, were you actually sending FTP
> data across your firewall when you looked in the table?
>
>                 Joachim
>
> --
> TFMotD: systrace (4) - enforce and generate policies for system calls