Subject: Re: pf and ftp-proxy
To: None <netbsd-users@netbsd.org>
From: scalopus <scalopus@punkass.com>
List: netbsd-users
Date: 07/14/2005 23:27:49
Hi,
  I am not sure if you have modified inetd, but you need to have
the ftp-proxy daemon running if you want to use it with pf.
Add the following line to inetd.conf:

127.0.0.1:8021  stream  tcp     nowait  root    /usr/libexec/ftp-proxy ftp-proxy

Good luck ;)
Regards,
  scalopus

On Thu, Jul 14, 2005 at 07:13:51PM +0100, Patrick Welche wrote:
> I see this problem mentioned often in mail lists, but no answer(!)
> When using active ftp (e.g. windows ftp client - funnily enough
> netbsd ftp -A works, so reverts to passive?) login (using ftp)
> is successful, but dir (using ftp-data) isn't. The last thing
> the client sees is "200 PORT command successful" and then the
> connection times out.
> 
> Here's what the proxy says:
> 
>    Got a PORT command
>    client wants us to use 192.168.200.1:5001
>    we want server to use 131.111.xxx.yy:50213
>    to server (modified): PORT 131,111,xxx,yy,196,37^M 
>    client is alive; server is alive
>    client is alive; server is alive
>    server line buffer is "200 PORT command successful^M "
>     server: 200 PORT command successful^M 
>    client is alive; server is alive
>    client is alive; server is alive
>    client line buffer is "LIST^M "
>    client: LIST^M 
>    client is alive; server is alive
>    server listen socket ready
>    cannot connect data channel (Connection timed out)
> 
> 
> As far as I know, you need 3 rules in pf.conf for ftp-proxy
> to work
> 1) an rdr for incoming ftp -> ftp-proxy
> 2) a pass in on the external for the server ftp-data back to the
>    proxy
> 3) a pass out on internal for the proxy to talk to the client
> 
> Just for testing I have pass everywhere and the rdr.
> 
> So, any idea why the proxy "cannot connect data channel"?
> 
> Cheers,
> 
> Patrick
> (-current/i386)
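
Added example, not part of either message in this thread: a small Python helper that decodes the PORT arguments shown in the proxy log and lists the two data connections that rules 2 and 3 above have to let through. The function names are hypothetical, and 198.51.100.7 and 203.0.113.10 are constructed stand-ins for the elided external address and for the FTP server.

```python
import ipaddress

def parse_port_arg(arg):
    """Decode an FTP PORT argument (RFC 959): h1,h2,h3,h4,p1,p2 -> (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT needs six decimal fields: %r" % arg)
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field above 255: %r" % arg)
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def format_port_arg(host, port):
    """Encode (ip, port) as a PORT argument, as in the proxy's rewritten line."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])

def data_flows(client_arg, rewritten_arg, server_ip):
    """List the active-mode data connections that pass through the proxy.

    client_arg    -- PORT argument the client sent
    rewritten_arg -- PORT argument the proxy sent on to the server
    server_ip     -- FTP server address (constructed in the demo below)
    """
    client = parse_port_arg(client_arg)
    proxy = parse_port_arg(rewritten_arg)
    return [
        # Rule 2: server's ftp-data port (20) connects to the proxy's listener.
        {"rule": "pass in on external", "src": (server_ip, 20), "dst": proxy},
        # Rule 3: proxy connects onward to the address the client announced.
        {"rule": "pass out on internal", "src": None, "dst": client},
    ]

if __name__ == "__main__":
    # Client endpoint and port 50213 are from the log; addresses are constructed.
    rewritten = format_port_arg("198.51.100.7", 50213)
    print("PORT " + rewritten)
    for flow in data_flows("192,168,200,1,19,137", rewritten, "203.0.113.10"):
        print(flow)
```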