pf blocking ftp on firewall/router, what did I overlook?

[Dirk R. Gently]

Thanks for taking the time to read this.  I've tried to fix this but am
unsure how to do it.  Any help would be appreciated.

I built a basic pf.conf for a machine to act as a router/firewall.  The
problem I'm having is that the pf.conf I built is blocking access to ftp.
I've built in ftp-proxy but if I understand itcorrectly ftp-proxy allows lan
clients through the firewall, what about the router itself?  Without this,
I'm unable to update unless I turn off the firewall.  Here's my pf.conf:

# Network Interface Cards (NIC)s.
WAN_NIC="gem0"
LAN_NIC="re0"

FTPPORT="8021"

table <blockedip> persist file "/etc/pfblocked.conf"

set block-policy drop
set loginterface $WAN_NIC
set require-order yes

scrub in all

nat on $WAN_NIC from !($WAN_NIC) to any -> ($WAN_NIC:0)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $LAN_NIC inet proto tcp from $LAN_NIC:network to any port ftp
-> lo0 port $FTPPORT

set skip on lo0

antispoof log for { lo0 $WAN_NIC $LAN_NIC }

block drop in log (all)  quick on $WAN_NIC from <blockedip> to any

block in log on $WAN_NIC all

anchor "ftp-proxy/*

pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
pass out on $WAN_NIC proto udp from ($WAN_NIC) to any

pass out on $WAN_NIC inet proto icmp from ($WAN_NIC) to any


I've tested this and pfctl -nf /etc/pf.conf is ok.  Any thoughts?

-- 
Dirk R. Gently - http://linuxtidbits.wordpress.com/