On Tuesday, May 27, 2003, at 12:22 US/Pacific, Bryan Irvine wrote:

I'm having problems using an FTP server on a DMZ. I thought initially
the problem was with the ftp-proxy, but I've commented out those lines.

I'm trying to get active working.  I've been fidgeting with it all day
and here's the ruleset that finally got passive to work.

pass in quick on $WAN proto { tcp udp } from any to $FTPServer port { \
ftp ftp-data } keep state

FTP only uses TCP.


pass in quick on $DMZ proto { tcp udp } from any to $FTPServer port { \
ftp ftp-data } keep state

I don't see any need for this rule to be here.


pass in quick on $DMZ proto tcp from any to $FTPServer port > 49151 \
flags S/SA keep state

You probably want to swap the addresses on this rule. If $FTPServer is attached to $DMZ, packets to it will never be inbound on $DMZ. Active connections from it to the clients would be though.

Clients also won't reliably listen on ports over 49151, so you'd
probably want to change that to "{ ftp-data, > 1023 }".
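The corrections above, assembled into one ruleset. This is an added example, not a ruleset posted in the thread; it keeps the thread's $WAN, $DMZ and $FTPServer macros and assumes (a) the FTP server sits on $DMZ and is reachable from the Internet without NAT, (b) the server is configured to use only ports above 49151 for passive data connections, and (c) pf's states are not interface-bound, so a state created by a "pass in" rule on one interface also passes the same connection out the other interface (the default behaviour). The interface names and the server address are made-up placeholders.

```pf
# Macros as used in the thread; the interface names and the address
# are assumed placeholders, not values from the original post.
WAN       = "fxp0"
DMZ       = "fxp1"
FTPServer = "192.0.2.10"

block in all

# --- As posted (for comparison), the rule intended for active mode ---
# pass in quick on $DMZ proto tcp from any to $FTPServer port > 49151 \
#     flags S/SA keep state
# It never matches: a packet addressed *to* $FTPServer is never inbound
# on $DMZ, and the client end of an active data connection is not
# confined to ports above 49151.

# --- Corrected ---

# Control connection: client -> $FTPServer:21, arrives inbound on $WAN.
# FTP is TCP only, so no "udp" here; clients never connect to port 20,
# so ftp-data is left off this rule.
pass in quick on $WAN proto tcp from any to $FTPServer port ftp \
    flags S/SA keep state

# Passive data: client -> $FTPServer:<port from the PASV reply>, also
# inbound on $WAN. Assumes the server's passive range is > 49151.
pass in quick on $WAN proto tcp from any to $FTPServer port > 49151 \
    flags S/SA keep state

# Active data: $FTPServer:20 -> client:<port from the PORT command>.
# This one enters the firewall inbound on $DMZ, with the server as the
# source, which is why the addresses are swapped relative to the posted
# rule. Clients announce ports above 1023 (occasionally 20 itself).
pass in quick on $DMZ proto tcp from $FTPServer port ftp-data \
    to any port { ftp-data, > 1023 } flags S/SA keep state
```

The "keep state" on each "pass in" rule is what lets the return traffic and the outbound leg on the other interface through under a default "block in all"; if states are made interface-bound, matching "pass out" rules on the far interface are needed as well. The active-data rule is deliberately narrow on the source side (server address and port 20 only), since it is the one rule here that lets a DMZ host initiate connections towards the Internet.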


