Looking at ftp-proxy as well as Daniel's reverse.diff, it appears that neither of these will help my situation, as I'm not NATing but simply using a bridging firewall.
Is there any code or anyone threatening to write code that would help in this situation? Some code that would allow you to run active and passive through a bridging firewall with a default deny policy, without having to have a rule like:

    pass quick in on $ext_if proto tcp from any to any port >1024

As an aside, if anyone knows how to tell MS-FTP what port range to allocate for passive ftp sessions, that would also be useful.