* der Mouse <mouse@Rodents.Montreal.QC.CA> [2006-02-08 20:42]:
> > Unless you want to write a passive-ftp-proxy module for pf, (or ipf,
> > or ipfw, or whatever your NAT software is).
> 
> pf.  I've considered writing an ftp-proxy that gets addresses right (in

note that ftp-proxy has been replaced in OpenBSD-current and works way 
different now.

from manpage:
     The proxy allows data connections to pass, rewriting and redirecting them
     so that the right addresses are used.  All connections from the client to
     the server have their source address rewritten so they appear to come
     from the proxy.  Consequently, all connections from the server to the
     proxy have their destination address rewritten, so they are redirected to
     the client.  The proxy uses the pf(4) anchor facility for this.

     Assuming the FTP control connection is from $client to $server, the proxy
     connected to the server using the $proxy source address, and $port is ne-
     gotiated, then ftp-proxy adds the following rules to the various anchors.
     (These example rules use inet, but the proxy also supports inet6.)

     In case of active mode (PORT or EPRT):

       rdr from $server to $proxy port $port -> $client
       pass quick inet proto tcp \
           from $server to $client port $port flags S/SAFR keep state

     In case of passive mode (PASV or EPSV):

       nat from $client to $server port $port -> $proxy
       pass in quick inet proto tcp \
           from $client to $server port $port flags S/SAFR keep state
       pass out quick inet proto tcp \
           from $proxy to $server port $port flags S/SAFR keep state


-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...