Кто здорово шарит в pf, подскажите, в чём я не прав. Проблема с доступом к ftp-серверам из локалки.

## Macros
# Interfaces
# NAT and the inbound redirects are applied on if1 and if2; lan and dmz are
# the interfaces that the filter section passes wholesale.
if1 = "ep0"
if2 = "ne3"
lan = "xl0"
dmz = "xl1"

# Internal servers
# proxy and vpn point at the same host (192.168.1.5).
proxy = "192.168.1.5"
vpn = "192.168.1.5"
vpn_port = "1199"
mail = "192.168.1.8"
web = "192.168.1.6"

# Tables
# <spamd-white> is referenced by the "no rdr" smtp rule; <ip> is loaded from
# /etc/ip.lst and selects which LAN sources are redirected to the HTTP proxy.
table <spamd-white> persist
table <ip> persist file "/etc/ip.lst"

# Skip loopback
# No filtering is performed on the lo interface group.
set skip on lo

# Scrubbing
scrub in

# NAT
# Source-translate traffic leaving if1/if2 whose source is not the
# interface's own address; ":0" excludes interface aliases.
nat on $if1 from !$if1 -> $if1:0
nat on $if2 from !$if2 -> $if2:0

# Anchors
# ftp-proxy loads its per-connection nat/rdr rules into these anchors at run
# time, so they stay empty while the ftp-proxy daemon is not running.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

## Redirection
# ftp
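# FTP control connections arriving on the LAN interface are handed to
# ftp-proxy on the loopback address. "rdr pass" lets the redirected packets
# through without consulting the filter rules. If ftp-proxy is not listening
# on 127.0.0.1 port 8021, every FTP connection from the LAN fails here.
rdr pass on $lan proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd
# Whitelisted senders are exempt from redirection; everyone else is sent to
# spamd on the loopback address.
# NOTE(review): translation rules are first-match. These two rules together
# cover every smtp connection on $if1, so the later "-> $mail port smtp"
# redirect looks unreachable and whitelisted mail would be delivered to the
# firewall's own port 25 — confirm with "pfctl -sn" and the mail logs.
no rdr on $if1 proto tcp from <spamd-white> to any port smtp
rdr pass on $if1 proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# http-proxy
# Only sources listed in <ip> are redirected to the proxy on port 3128.
rdr on $lan proto tcp from <ip> to any port www -> $proxy port 3128

# web server
# No "pass" modifier: the redirected packets still have to match a filter
# rule, and the filter sees the translated destination ($web), not $if1.
rdr on $if1 proto tcp from any to $if1 port www -> $web port www

# mail server
# Same as above: filter rules are evaluated against $mail after translation.
rdr on $if1 proto tcp from any to $if1 port smtp -> $mail port smtp
rdr on $if1 proto tcp from any to $if1 port pop3 -> $mail port pop3

# vpn
# Only sources on the directly attached network of each interface are
# redirected to the VPN host; "rdr pass" bypasses the filter for them.
rdr pass on $if2 proto udp from $if2:network to port $vpn_port -> $vpn
rdr pass on $if1 proto udp from $if1:network to port $vpn_port -> $vpn

# Filter-side anchor for ftp-proxy. In the pasted listing this rule was run
# together with the line above ("$vpnanchor"), which would be read as a
# reference to an undefined macro; it is restored on its own line here.
anchor "ftp-proxy/*"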
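## Filters
# Rules that the pasted listing had run together on one line (for example
# "$vpn_portpass in quick ...") are restored one rule per line; as pasted
# they would be read as references to undefined macros.
# NOTE(review): no rule names a state option, so whether replies are matched
# by state depends on the defaults of the pf version in use — confirm.

# Default deny
# Non-quick, so any later matching rule overrides it (last match wins).
block log all

# Allow
# Antispoof
# Both rules are disabled in the original, so no spoof protection is loaded.
#pass quick on $lan no state
#antispoof quick for { lo $lan }

# lan
# Everything crossing the LAN and DMZ interfaces is passed, unlogged, and
# "quick" stops evaluation; traffic between LAN and DMZ is not restricted.
pass quick on $lan all
pass quick on $dmz all

# ssh
# NOTE(review): the section is labelled ssh but the port is 27 — confirm that
# sshd really listens there and that this is not a typo.
pass in log on $if1 proto tcp from any to $if1 port 27
pass out log on $if1 proto tcp from $if1 to any port 27

# pop3
# NOTE(review): inbound pop3 is redirected to $mail before filtering, so
# "to $if1" would not match the redirected packets — verify with the pf log.
pass in log on $if1 proto tcp from any to $if1 port pop3
pass out log on $if1 proto tcp from $if1 to any port pop3

# smtp
pass in log on $if1 proto tcp from any to $if1 port smtp
pass out log on $if1 proto tcp from $if1 to any port smtp

# web
# Matches both directions and any destination, so it also covers packets
# already redirected to $web.
pass quick log on $if1 proto tcp from any to any port www

# dns tcp
pass in quick log on $if1 proto tcp from any to $if1 port domain
pass out quick log on $if1 proto tcp from $if1 to any port domain

# dns udp
pass in quick log on $if1 proto udp from any to $if1 port domain
pass out quick log on $if1 proto udp from $if1 to any port domain

# vpn
# Admitted on both if1 and if2, addressed either to the firewall itself or
# to the internal VPN host.
pass in quick log on $if2 proto udp from any to $if2 port $vpn_port
pass out quick log on $if2 proto udp from $if2 to any port $vpn_port

pass in quick log on $if2 proto udp from any to $vpn port $vpn_port
pass out quick log on $if2 proto udp from $vpn to any port $vpn_port

pass in quick log on $if1 proto udp from any to $if1 port $vpn_port
pass out quick log on $if1 proto udp from $if1 to any port $vpn_port

pass in quick log on $if1 proto udp from any to $vpn port $vpn_port
pass out quick log on $if1 proto udp from $vpn to any port $vpn_port

# icq
# NOTE(review): the inbound rule exposes port 5190 on the firewall itself;
# if nothing listens there, only the outbound rule is needed.
pass in quick log on $if1 proto tcp from any to $if1 port 5190
pass out quick log on $if1 proto tcp from $if1 to any port 5190

# ntp
# NOTE(review): the inbound rule is tcp while the outbound rule is udp; NTP
# runs over udp, so the inbound tcp rule is probably unintended — confirm.
pass in quick log on $if1 proto tcp from any to $if1 port ntp
pass out quick log on $if1 proto udp from $if1 to any port ntp

# ftp
pass in quick log on $if1 proto tcp from any to $if1 port ftp
#pass out quick log on $if1 proto tcp from $if1 to any port ftp

# Lets the proxy on this host open the control connection to the real server.
# NOTE(review): in the pasted listing this rule was fused onto the
# commented-out line above; it is restored as an active rule here — check
# against the original file.
pass out proto tcp from self to any port ftp
pass in quick log on $if1 proto tcp from any to $if1 port ftp-data
pass out quick log on $if1 proto tcp from $if1 to any port ftp-data

# Admits connection attempts (SYN set, ACK clear) to ports above 49151 only
# when the receiving socket is owned by user "proxy".
# NOTE(review): this looks like the active-mode rule from older ftp-proxy
# documentation; with the anchor-based ftp-proxy the data-connection rules
# are loaded into the anchor, so confirm this one is still required.
pass in quick log on $if1 proto tcp from any to $if1 port > 49151 flags S/SA user proxy
pass out quick log on $if1 proto tcp from $if1 to any port {ftp ftp-data}

# cvsup
# NOTE(review): as with icq, the inbound rule is only needed if this host
# serves cvsup on port 5999.
pass in quick log on $if1 proto tcp from any to $if1 port 5999
pass out quick log on $if1 proto tcp from $if1 to any port 5999

# cat rc.conf.local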
# rc.conf.local as pasted by the author: local overrides for daemon flags.
ntpd_flags= # enabled during install
# ftp-proxy flags are set to the empty string. The pf.conf above redirects
# LAN FTP to 127.0.0.1 port 8021, so FTP from the LAN depends on ftp-proxy
# actually running; the author reports that it did not start with this
# setting — verify that the process is up after boot.
ftpproxy_flags=""
>[оверквотинг удален]
>#cvsup
>pass in quick log on $if1 proto tcp from any to $if1
>port 5999
>pass out quick log on $if1 proto tcp from $if1 to any
>port 5999
>
># cat rc.conf.local
>ntpd_flags=
> # enabled during install
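>ftpproxy_flags=""

Конфиг рабочий. Всё оказалось немного проще: при ftpproxy_flags="" ftp-proxy по невыясненной пока причине не стартовал, а правило rdr отправляет ftp-соединения из локалки на 127.0.0.1:8021, где в этот момент никто не слушал. Если запустить ftp-proxy вручную, то ftp работает.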