Problem with ftp-proxy
Steven Schoch
schoch-freebsd.org at starnet.com
Tue Nov 15 15:10:32 PST 2005
I can't get ftp-proxy to work for a non-passive FTP. Here's how I
have it set up:
in /etc/pf.conf:
# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to !($ext_if) port ftp -> 127.0.0.1 port 8021
I put ftp-proxy in debug mode with this line in /etc/inetd.conf:
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -D 3
When I connect from an internal machine, ftp-proxy logs lots of info
to /var/log/debug.log.
Something is getting in the way, however. I run ftp from a Windows XP
machine on 102.168.1.104:
ftp> debug
ftp> open ftp.starnet.com
Connected to starnet.com.
220 starnet.com NcFTPd Server (licensed copy) ready.
User (starnet.com:(none)): ftp
---> USER ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
---> PASS @starnet.com
230-You are user #1 of 32 simultaneous users allowed.
230-
230 Logged in anonymously.
ftp> ls
---> PORT 192,168,1,104,17,233
200 PORT command successful.
---> NLST
And then, nothing. Calculating 17 * 256 + 233 = 4585, and yes, my
Windows machine is actually listening on that port:
C:\>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP steven:4585 steven:0 LISTENING
However, when I examine the debug.log file on the gateway, it has this:
Nov 15 14:51:36 freebsd ftp-proxy[24862]: client line buffer is "PORT
192,168,1,104,19,137^M "
Nov 15 14:51:36 freebsd ftp-proxy[24862]: Got a PORT command
Nov 15 14:51:36 freebsd ftp-proxy[24862]: client wants us to use 192.168.1.104:5001
Where did this translation take place? I looked at the source for
ftp-proxy and it seems to log the "client line buffer" as it reads it
from the client. I verified that there is only one copy of ftp-proxy
running, so what did this translation? Ftp-proxy attempts to connect
to port 5001 instead of 4585, which of course fails.
--
Steve
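The arithmetic in the post (h1,h2,h3,h4,p1,p2, with port = p1*256 + p2) is the RFC 959 PORT encoding that ftp-proxy has to decode before it can open the data connection. The script below is an added example, not code from the post or from ftp-proxy: it decodes a PORT command, re-encodes a host/port pair the same way, pulls the quoted buffer out of an ftp-proxy debug line, and applies the sanity checks a proxy or firewall operator would want when a transfer stalls. The two sample lines are constructed from the values quoted above; the check function, its rules (address must match the control-connection peer, port must be unprivileged, port must actually be listening) and the `listening_ports` input are assumptions for illustration, not ftp-proxy's own logic.

```python
"""Decode and sanity-check FTP PORT commands (added example, not ftp-proxy code)."""
import re
from dataclasses import dataclass

# RFC 959: PORT h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$")
# ftp-proxy -D output quotes the raw client buffer (sample format taken from the post)
DEBUG_RE = re.compile(r'client line buffer is "(.*?)"', re.S)


@dataclass(frozen=True)
class PortRequest:
    host: str
    port: int


def parse_port(line: str) -> PortRequest:
    """Decode one PORT command line (CR/LF tolerated) into host and port."""
    m = PORT_RE.match(line.rstrip("\r\n").strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {line!r}")
    return PortRequest(".".join(map(str, octets[:4])), octets[4] * 256 + octets[5])


def encode_port(host: str, port: int) -> str:
    """Inverse of parse_port: build the PORT command a client would send."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def port_from_debug_line(log_line: str) -> PortRequest:
    """Extract the PORT command ftp-proxy says it read from the client."""
    m = DEBUG_RE.search(log_line)
    if not m:
        raise ValueError("no quoted client buffer in log line")
    return parse_port(m.group(1))


def check_port_request(req: PortRequest, client_addr: str, listening_ports: set[int]) -> list[str]:
    """Operator-side sanity checks (assumed rules, not ftp-proxy's own)."""
    problems = []
    if req.host != client_addr:
        # A PORT target that is not the client itself is the shape of an FTP bounce;
        # a proxy should refuse to connect there on the client's behalf.
        problems.append(f"PORT address {req.host} differs from client {client_addr}")
    if req.port < 1024:
        problems.append(f"PORT asks for privileged port {req.port}")
    if req.port not in listening_ports:
        problems.append(f"client is not listening on port {req.port}")
    return problems


def compare_client_and_proxy(client_cmd: str, proxy_log_line: str) -> tuple[int, int, bool]:
    """Return (port the client sent, port the proxy logged, whether they agree)."""
    sent = parse_port(client_cmd).port
    seen = port_from_debug_line(proxy_log_line).port
    return sent, seen, sent == seen


# Constructed samples using the values quoted in the post.
CLIENT_SENT = "---> PORT 192,168,1,104,17,233".split("---> ", 1)[1]
PROXY_LOGGED = ('Nov 15 14:51:36 freebsd ftp-proxy[24862]: client line buffer is '
                '"PORT 192,168,1,104,19,137\r\n"')

if __name__ == "__main__":
    sent, seen, same = compare_client_and_proxy(CLIENT_SENT, PROXY_LOGGED)
    print(f"client sent port {sent}, proxy read port {seen}, match={same}")
    # netstat on the client showed only 4585 listening, so the proxy's target fails the check
    for p in check_port_request(port_from_debug_line(PROXY_LOGGED), "192.168.1.104", {4585}):
        print("problem:", p)
```

Run against the two lines from the post it reports that the client sent 4585 while the proxy read 5001, which is exactly the mismatch that makes the data connection fail; the same decoder can be pointed at any `-D` debug log to confirm whether the buffer the proxy logs is the buffer the client actually wrote.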