BAD state with pftpx

Michal Mertl mime at traveller.cz
Mon Oct 23 23:13:50 UTC 2006


I wanted to run an FTP server on a machine protected by PF on FreeBSD
6.1 p10. I use pftpx for normal client proxying (as PF's ftp-proxy
in FreeBSD is outdated and does not work for my FTP clients: Windows XP
with the firewall enabled does not allow the connections to originate from
a different IP address than the one the client connected to). The pftpx proxy
seems to also support standing in front of an FTP server.

I use the following for configuring pf for the task (pftpx 0.8_1 from
ports):
--
nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8022
anchor "pftpx/*"
--

I run pftpx with "pftpx -c 8022 -f 127.0.0.1 -d -D 7" and stock ftpd
with "ftpd -D -a 127.0.0.1".

The connection from outside is established and I can do passive
transfers. Active ones (either PORT or EPRT) don't work and with "set
debug loud" in /etc/pf.conf I see these messages on the console:
---
pf: BAD state: TCP 127.0.0.1:20 server.ip:59188 client.ip:52124
[lo=427260297 high=427325833 win=65535 modulator=0 wscale=1]
[lo=3208002793 high=3208068329 win=32768 modulator=0 wscale=1] 10:10 SA
seq=2588730766 ack=427260297 len=0 ackskew=0 pkts=3:1 dir=in,rev
pf: State failure on:   2     |   6
---

Debug output of pftpx follows:
---
#1 client: EPRT |1|client.ip|52124|\r\n
#1 proxy: EPRT |1|127.0.0.1|61630|\r\n
#1 server: 200 EPRT command successful.\r\n
#1 active: server to client port 52124 via port 61630
#1 client: LIST\r\n
---

I haven't yet had a chance to test it on RELENG_6 or CURRENT but I think
the code there is the same.

There can be a bug in pftpx as well.

Is there any other way to allow an FTP server (active and passive) to run
behind/on a PF-protected firewall? Active should work without a proxy, but
I want both and do not want to open up the firewall for passive without
a proxy.

Thanks

Michal
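The pftpx debug lines above show the proxy rewriting the client's EPRT so that the server's active-mode data connection comes back to the proxy (127.0.0.1:61630) rather than to the client directly. The following is an added illustration of that rewrite step, not pftpx's own code: it parses PORT and EPRT, allocates a proxy-side port and records the client endpoint the data must be relayed to. The client address 192.0.2.10 and the starting port 61630 are constructed for the example; inserting the matching pf rdr rule into the anchor is outside what it models.

```python
import re

# Constructed model of an FTP proxy's active-mode handling (not pftpx source):
# the client's PORT/EPRT is replaced by the proxy's own address and a freshly
# allocated port, and the original client endpoint is remembered for relaying.

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|$", re.I)


def parse_active(line):
    """Return (family, host, port) for a PORT or EPRT line, else None."""
    line = line.rstrip("\r\n")
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
            return None  # malformed PORT: every field is one byte
        return 1, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m:
        fam, host, port = int(m.group(1)), m.group(2), int(m.group(3))
        if not 0 < port < 65536:
            return None
        return fam, host, port
    return None


class ActiveProxy:
    """Allocates one proxy listening port per active request and maps it
    back to the client endpoint the server's data connection is meant for."""

    def __init__(self, proxy_ip, first_port=61630):
        self.proxy_ip = proxy_ip          # address the server will connect to
        self.next_port = first_port       # constructed starting port
        self.relays = {}                  # proxy port -> (client host, port)

    def rewrite(self, line):
        """Rewrite an active-mode command; other commands pass through."""
        parsed = parse_active(line)
        if parsed is None:
            return line
        fam, host, port = parsed
        pport = self.next_port
        self.next_port += 1
        self.relays[pport] = (host, port)
        if line.upper().startswith("PORT"):
            octets = self.proxy_ip.replace(".", ",")
            return f"PORT {octets},{pport // 256},{pport % 256}\r\n"
        return f"EPRT |{fam}|{self.proxy_ip}|{pport}|\r\n"
```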


