I see this problem mentioned often in mail lists, but no answer(!)
When using active ftp (e.g. windows ftp client - funnily enough
netbsd ftp -A works, so reverts to passive?) login (using ftp)
is successful, but dir (using ftp-data) isn't. The last thing
the client sees is "200 PORT command successful" and then the
connection times out.

Here's what the proxy says:

   Got a PORT command
   client wants us to use 192.168.200.1:5001
   we want server to use 131.111.xxx.yy:50213
   to server (modified): PORT 131,111,xxx,yy,196,37^M 
   client is alive; server is alive
   client is alive; server is alive
   server line buffer is "200 PORT command successful^M "
    server: 200 PORT command successful^M 
   client is alive; server is alive
   client is alive; server is alive
   client line buffer is "LIST^M "
   client: LIST^M 
   client is alive; server is alive
   server listen socket ready
   cannot connect data channel (Connection timed out)


As far as I know, you need 3 rules in pf.conf for ftp-proxy
to work
1) an rdr for incoming ftp -> ftp-proxy
2) a pass in on the external for the server ftp-data back to the
   proxy
3) a pass out on internal for the proxy to talk to the client

Just for testing I have pass everywhere and the rdr.

So, any idea why the proxy "cannot connect data channel"?

Cheers,

Patrick
(-current/i386)