For 4.0:

------------------
/etc/inetd.conf:
ftp-proxy       stream  tcp     nowait  root    /usr/sbin/ftp-proxy
ftp-proxy -m 55000 -t 180

------------------
/etc/pf.conf:

wired_if="xl0"
wireless_if="{ ral0, xl1 }"
localhost_ip="127.0.0.1"

# ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $wired_if from !($wired_if) -> ($wired_if:0)
rdr pass on $wireless_if proto tcp to port ftp -> $localhost_ip port 8021
anchor "ftp-proxy/*" 


# ftp-proxy [passive ftp]
pass in  quick on $wired_if inet proto tcp from any to $wired_if user proxy
keep state
pass out quick on $wired_if inet proto tcp from $wired_if to any port 21
flags S/AUPRFS modulate state
pass out quick on $wired_if inet proto tcp from $wired_if to any port > 1024
flags S/AUPRFS modulate state

# ftp-proxy [active ftp] 
pass out quick on $wired_if inet proto tcp from $wired_if to any port 20
flags S/AUPRFS modulate state
pass in on $wired_if inet proto tcp from any port 20 to $wired_if port 55000
quoted text
>< 57000 user proxy flags S/SA keep state

 

quoted text
> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] 
> On Behalf Of Jake Conk
> Sent: Saturday, September 15, 2007 4:37 AM
> To: misc@openbsd.org
> Subject: Re: Problem with ftp-proxy
> 
> You should send us your pf configuration.
> 
> On 9/14/07, Jason Calhoun <jason@cnsusa.com> wrote:
> > Hi,
> >
> > I have an OpenBSD 4.1 system running as a NAT firewall for 
> our office and
> > unfortunately I have to support a couple of active
> > FTP clients on the inside of the firewall, so I've set up 
> ftp-proxy.  I've
> > never used ftp-proxy before and I've run into a problem with it.
> >
> > I've set up ftp-proxy and pf as described in the PF FAQ.  
> When the client
> > application tries to connect, it behaves as if it never
> > gets a response from the server. The connection hangs and 
> eventually the
> > client ftp application reports a time out.
> >
> > What's actually happening is not as much fun.  I ran a 
> packet sniffer on the
> > client computer while trying to establish the ftp connection.
> > Things happen as follows:
> >
> > The client (inside the firewall) initiates a connection to 
> an FTP server on
> > a public IP.
> > The TCP handshake completes.
> > The FTP server sends its first FTP protocol packet 
> containing the usual
> > welcome/banner string - This packet does make its way back
> > through the firewall to the client system.  However, 
> (according to Wireshark
> > on the client) the checksum on the pack is incorrect.
> > The client ftp application then seems to just ignore the 
> packet from the
> > server, presumably because the checkum in the packet
> > does not match the calculated checksum.
> >
> >
> > Can anyone shed some light on this?  Has anyone else had 
> problems with
> > ftp-proxy like this?
> >
> > Thanks a lot.
> > Jason