Subject: ftp-proxy (or pf?) problem in netbsd-3
To: None <current-users@NetBSD.org>
From: Dmitri Nikulin <dnikulin@optusnet.com.au>
List: current-users
Date: 04/09/2005 21:58:50
I have no problem getting clients to connect to the FTP proxy
transparently with pf rdr, but active FTP doesn't work. I can't tell if
it's the packets not reaching the proxy (which is unlikely, since I have
tried everything, including allowing all packets on every interface) or
the proxy not sending the right (or any) packets back to the clients
(well, tcpdump doesn't show anything coming to the clients), but the
clients just time out eventually. They never get the connection coming back.

My inetd.conf describes ftp-proxy with "0.0.0.0:8021 stream tcp
nowait:1000 root /usr/libexec/ftp-proxy ftp-proxy -pnV"
(the 0.0.0.0 was because I tried using 192.168.0.1 instead of 127.0.0.1
- but this didn't help), and it is very unlikely to be a problem with pf.

The proxy itself has no problems watching the FTP sessions happening,
and passive FTP works just as expected. But as I said, with active,
connections just don't get back to the client. No clients, with or
without firewall, BulletProof or BSD FTP, work.

It may be worth noting that the proxy doesn't report any PORT command
(is it meant to?) but tcpdump does show the correct negotiations on the
internet-exposed interface (connections coming back to the port, from
ftp-data/20), and I can only assume that the connections are getting
back to ftp-proxy because the pf rules do not forbid them to.

Has anyone stumbled upon this?

I'm much happier with NetBSD's pf port than DragonFly's, which
redirected packets into a black hole instead of to inetd. I'm also
stoked that the slow PF nat problem has disappeared since last time I
tried it (shortly after 2.0 was released), so I can now use NetBSD
3-beta as a nice solid gateway. The sources of this netbsd-3 were
fetched very recently, but I can try a "today" copy if it is believed
that it fixes this.

Any help is appreciated - but note, I am not subscribed to the list (too
much traffic - I just read the archives), so please CC any replies.
Thanks in advance.
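As an added diagnostic for the kind of active-FTP failure described in this post (example code of my own, not from the original message and not part of NetBSD's ftp-proxy), the script below decodes the PORT and EPRT commands from a captured FTP control channel and flags any advertised data endpoint that a remote server cannot connect back to. The transcript embedded in it is constructed; in practice you would feed it the ASCII payload of the port-21 session as seen by tcpdump on the internal interface (what the client sent) and on the external interface (what the proxy forwarded), and compare the two, since a transparent proxy in NAT mode is expected to replace the client's private address and port with its own before the command reaches the server.

```python
"""Decode FTP PORT/EPRT commands from a captured control-channel transcript.

Added example; not code from the original post or from ftp-proxy itself.
Assumes a plain-text transcript with one client command per line, as you
would get from `tcpdump -A` or a verbose proxy log. The sample transcript
below is constructed for illustration.
"""
import ipaddress
import re

# Constructed sample: a client behind NAT (192.168.0.10) talks to a server.
# The first PORT leaks the private address; the second is what a proxy would
# send after rewriting it to the gateway's own address; then an EPRT and a
# PASV for contrast. 203.0.113.0/24 is documentation space, standing in for
# the gateway's real public address.
SAMPLE_TRANSCRIPT = """\
USER anonymous
PASS guest@example.invalid
PORT 192,168,0,10,4,1
LIST
PORT 203,0,113,5,195,80
LIST
EPRT |1|203.0.113.5|50002|
RETR file.txt
PASV
"""

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
EPRT_RE = re.compile(r"^EPRT\s+\|(\d)\|([^|]+)\|(\d+)\|\s*$")

# Address ranges a server on the internet cannot open a data connection to.
# Listed explicitly (rather than via ipaddress.is_private) so that documentation
# addresses used in the sample are not misclassified.
UNREACHABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def parse_port_command(line):
    """Return (ip, port) for a PORT or EPRT line, or None for any other line."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        h = m.groups()
        ip = ".".join(h[:4])
        port = int(h[4]) * 256 + int(h[5])   # p1*256 + p2, per RFC 959
        return ip, port
    m = EPRT_RE.match(line)
    if m:
        return m.group(2), int(m.group(3))
    return None


def audit_active_endpoints(transcript):
    """Return one record per PORT/EPRT line with a 'reachable' verdict.

    An endpoint is flagged when the advertised address is private, loopback or
    link-local, or the port is outside the unprivileged range: the remote
    server's connection back from ftp-data/20 can never arrive, which is the
    classic active-FTP-behind-NAT failure a transparent proxy is meant to fix
    by rewriting the command.
    """
    findings = []
    for lineno, line in enumerate(transcript.splitlines(), start=1):
        parsed = parse_port_command(line)
        if parsed is None:
            continue
        ip, port = parsed
        try:
            addr = ipaddress.ip_address(ip)
            bad_ip = any(addr in net for net in UNREACHABLE_NETS)
        except ValueError:
            bad_ip = True   # malformed address: the server cannot connect back either
        bad_port = not (1024 <= port <= 65535)
        findings.append({
            "line": lineno,
            "command": line.strip().split()[0],
            "ip": ip,
            "port": port,
            "reachable": not (bad_ip or bad_port),
        })
    return findings


if __name__ == "__main__":
    for f in audit_active_endpoints(SAMPLE_TRANSCRIPT):
        status = "ok " if f["reachable"] else "BAD"
        print(f"{status} line {f['line']}: {f['command']} -> {f['ip']}:{f['port']}")
```

If the capture on the external interface still shows the client's 192.168.x.x address in PORT, the proxy is not rewriting the command and the server's data connection is being aimed at an address it cannot reach; if the rewritten address and port look right there but the client never sees the data connection, the problem is on the return path between the proxy and the client rather than in the negotiation.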