Teemu,

Are you sure the ftp server you are connecting to supports active and passive ftp? You may want to try your test against ftp.openbsd.org. This is a linux machine behind a pf firewall (openbsd v4.7) using ftp-proxy. Both active (PORT) and passive listings seem to work.
$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x    2 0        0             512 May  4  2009 etc
drwxr-xr-x    3 0        0             512 Jul 21  2009 pub
226 Transfer complete.

$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x    2 0        0             512 May  4  2009 etc
drwxr-xr-x    3 0        0             512 Jul 21  2009 pub
226 Transfer complete.

Was this the problem?

--
 Calomel @ https://calomel.org
 Open Source Research and Reference

On Wed, Jun 02, 2010 at 07:23:24PM -0400, Teemu Rinta-aho wrote:
>Hi all,
>
>(First, sorry if you receive this e-mail multiple times,
>I changed my smtp server as the first one doesn't seem
>to get mails to this list.)
>
>my firewall (OpenBSD 4.7) is running packet filter with NAT
>and tcp-proxy to provide FTP for hosts in the network behind
>the firewall/NAT.
>
>The problem is that a host behind the firewall, connecting
>to an FTP server in the internet through the firewall, active
>mode works but passive doesn't. On firewall's external
>interface I can see packets going to the FTP server but no reply
>packets.
>
>Trying FTP directly from the firewall, passive mode works but active
>doesn't (ftp client says "425 Could not open data connection
>to port 55476: Connection refused"). In this case ftp-proxy is
>not used as the firewall should be just like any other ftp client.
>
>I have updated my pf.conf as per the 4.7 upgrade instructions
>and I have run tcpdump to network interfaces as well as pflog0,
>but so far I don't understand what might be wrong. I tried to
>see pf rules or states inserted by ftp-proxy with commands like
>'pfctl -a "ftp-proxy/*" -sr' but either it doesn't print anything
>and trying 'pfctl -a '*' -sr' I get:
>
>....
>anchor "*" all {
>pfctl: DIOCGETRULES: Invalid argument
>}
>...
>
>Any help appreciated. It is not a showstopper but pretty annoying,
>as e.g. Firefox defaults to passive mode.
>
>Teemu
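Added example, not code from this thread or from OpenBSD's ftp-proxy(8). The two listings above differ in who announces the data endpoint: in active mode the client sends "PORT h1,h2,h3,h4,p1,p2", in passive mode the server answers "227 ... (h1,h2,h3,h4,p1,p2)", and the port is p1*256+p2, so the 227 line above announces 129.128.5.191 port 54962. That address and port travel inside the control connection's payload, where NAT never looks, which is why a NAT firewall needs ftp-proxy to rewrite the announcement and open a matching hole. The script decodes both forms, flags announcements the far end could not honour, and prints the shape of the pf rule each data connection needs. All addresses and lines are constructed: 192.168.1.10 and 203.0.113.5 are assumed internal and external addresses, and the rule strings are illustrative 4.7-style rules, not ftp-proxy's literal output.

```python
"""Decode FTP PORT commands and 227 (passive) replies as an FTP-aware proxy
must before a NAT firewall can admit the data connection.

Added example, not code from this thread or from OpenBSD's ftp-proxy(8).
All addresses and control-channel lines are constructed; 192.168.1.10 and
203.0.113.5 are assumed internal and external firewall-side addresses.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 host-port field: four address octets, then the port as high,low bytes.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataEndpoint:
    host: str  # address the announcing side wants the data connection made to
    port: int  # TCP port at that address (p1 * 256 + p2)
    mode: str  # "active": client sent PORT; "passive": server sent 227


def _decode(m: "re.Match[str]") -> tuple:
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("host-port field exceeds 255")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_line(line: str) -> Optional[DataEndpoint]:
    """Return the endpoint announced by a PORT command or 227 reply, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        m = _HOSTPORT.fullmatch(line[5:].strip())
        if m is None:
            raise ValueError(f"malformed PORT command: {line!r}")
        return DataEndpoint(*_decode(m), "active")
    if line.startswith("227"):
        m = _HOSTPORT.search(line)
        if m is None:
            raise ValueError(f"malformed 227 reply: {line!r}")
        return DataEndpoint(*_decode(m), "passive")
    return None  # any other command or reply carries no data endpoint


def nat_problems(ep: DataEndpoint, seen_by_far_end: str) -> list:
    """Reasons the far end could not connect to `ep` as announced; [] if clean.
    `seen_by_far_end` is the source the remote side sees on the control connection."""
    problems = []
    if not ipaddress.ip_address(ep.host).is_global:
        problems.append(f"{ep.mode}: {ep.host} is not reachable from the far end")
    if ep.host != seen_by_far_end:
        problems.append(f"{ep.mode}: announced {ep.host} but the far end sees "
                        f"{seen_by_far_end}; the announcement must be rewritten")
    if ep.port < 1024:
        problems.append(f"{ep.mode}: data port {ep.port} is a privileged port")
    return problems


def pinhole(ep: DataEndpoint, client: str, ext_addr: str, server: str) -> str:
    """Shape of the pf rule (OpenBSD 4.7 syntax) the data connection needs.
    Illustrative only; ftp-proxy(8) loads its own rules into its anchor."""
    if ep.mode == "active":
        # The server connects in to the announced port; the firewall must
        # accept it on its external address and redirect it to the client.
        return (f"pass in quick on $ext_if inet proto tcp from {server} "
                f"to {ext_addr} port {ep.port} rdr-to {client} port {ep.port}")
    # Passive: the client connects out to the port the server announced.
    return (f"pass out quick on $ext_if inet proto tcp from {client} "
            f"to {ep.host} port {ep.port} nat-to {ext_addr}")


# Constructed exchange: client 192.168.1.10 behind a NAT firewall whose external
# address is 203.0.113.5, talking to the server at 129.128.5.191.
CLIENT, EXT, SERVER = "192.168.1.10", "203.0.113.5", "129.128.5.191"
SAMPLE = [
    # (source address the far end sees on the control connection, line sent)
    (EXT, "PORT 192,168,1,10,216,180"),
    (SERVER, "227 Entering Passive Mode (129,128,5,191,214,178)"),
]


def audit(sample=SAMPLE) -> dict:
    """Decode each announcement and report endpoint, problems and needed rule."""
    report = {}
    for sender, line in sample:
        ep = parse_control_line(line)
        if ep is None:
            continue
        report[ep.mode] = {
            "endpoint": (ep.host, ep.port),
            "problems": nat_problems(ep, sender),
            "rule": pinhole(ep, CLIENT, EXT, SERVER),
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Running it shows the asymmetry the thread is about: the passive 227 reply from a public server needs nothing more than an outbound hole to 129.128.5.191:54962, while the client's PORT announcement names a private address the server can never reach, so the proxy has to rewrite it to the external address and redirect the incoming data connection back to the client.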