pftpx issue with data connections

From: dave (dmehler26_at_woh.rr.com)
Date: 06/28/05


Date: Tue, 28 Jun 2005 16:11:50 GMT

Hello,
    Running an obsd gateway firewall v3.7 with a default block policy. I've
got pftpx going, but data connections aren't working from either the
firewall or NATed clients behind it. I keep getting 425 errors in either
active or passive mode.
Thanks.
Dave.

/etc/pf.conf
nat on $ext_if from $int_if:network to any -> ($ext_if)
# pftpx ftp proxy: pftpx loads its own per-session nat/rdr/filter rules
# into these anchors
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
# hand the LAN's control connections (port 21) to pftpx on 127.0.0.1:8021
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021

# default deny
block log all

# pass loopback traffic
pass quick on lo0 all

# pftpx proxy traffic
# the anchor name must match the nat-anchor/rdr-anchor names exactly (no stray space)
anchor "pftpx/*"
# pass the traffic
pass quick on $int_if inet proto tcp from $lan_net to lo0 port 8021 flags S/SA keep state
pass in quick on $int_if inet proto tcp from port 20 to $int_if port > 49000 user proxy flags S/SA keep state label "ftp proxy: passive mode data connection"
# Fix sites that violate RFC 959, which specifies that the data connection
# be sourced from the command port - 1 (typically port 20).
# This workaround doesn't expose us to any extra risk as we'll still only
# allow connections to the firewall on a port that ftp-proxy is listening on.
pass in quick on $int_if inet proto tcp from any to $int_if port > 49000 user proxy flags S/SA keep state label "ftp proxy: rfc959 violation workaround"
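As an added example (not part of Dave's post and not code from pftpx), here is a small shell check for the one mistake in a pf.conf like the one above that pfctl will happily load but that silently breaks the proxy: the plain `anchor` line must name exactly the same anchor as the `nat-anchor` and `rdr-anchor` lines, because pftpx installs its per-session nat, rdr and pass rules under "pftpx/*", and an anchor spelled any other way (a stray space is enough) is a different, empty anchor that passes nothing. The two sample configs are constructed inline for the example; `anchor_names` and `check_anchors` are helper names assumed here.

```shell
#!/bin/sh
# Added example (not from the post or from pftpx): check that every anchor
# statement in a pf.conf refers to the same anchor name.  pftpx installs its
# per-session rules under the anchor named "pftpx/*"; a plain `anchor` line
# whose name differs even by a stray space loads a different, empty anchor,
# so the proxy's dynamic nat/rdr/pass rules are never evaluated.

# anchor_names FILE: print each distinct anchor name used by nat-anchor,
# rdr-anchor, binat-anchor and anchor statements, one per line, whitespace kept.
anchor_names() {
    awk '
        /^[ \t]*(nat-anchor|rdr-anchor|binat-anchor|anchor)[ \t]+"/ {
            s = $0
            sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
            sub(/".*$/, "", s)      # drop the closing quote and the rest
            print s
        }' "$1" | sort -u
}

# check_anchors FILE: succeed (exit 0) only when exactly one anchor name is used.
check_anchors() {
    n=$(anchor_names "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Constructed sample: the anchor lines from the posted pf.conf, stray space included.
BROKEN_CONF=$(mktemp)
cat >"$BROKEN_CONF" <<'EOF'
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
anchor "pftpx /*"
EOF

# Constructed sample: the same lines with the anchor name spelled consistently.
FIXED_CONF=$(mktemp)
cat >"$FIXED_CONF" <<'EOF'
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
anchor "pftpx/*"
EOF

for f in "$BROKEN_CONF" "$FIXED_CONF"; do
    if check_anchors "$f"; then
        echo "$f: OK, single anchor name: $(anchor_names "$f")"
    else
        echo "$f: MISMATCH, anchor names differ:"
        anchor_names "$f" | sed 's/^/  "/; s/$/"/'
    fi
done
```

On the firewall itself the same question is answered by `pfctl -sA`, which lists the anchors that are actually loaded, and `pfctl -a "pftpx/*" -sr`, which shows the rules pftpx has put into its anchor while a session is open; if the first shows two differently spelled pftpx anchors, or the second is empty during a transfer, the static rules in the main ruleset never see the data connection.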