
ftp-proxy on transparent bridge


mswall
07-01-2008, 10:38 PM
I am a relatively inexperienced user. I have used ftp-proxy on a routing firewall and it seems to work quite well. I am trying to get the ftp-proxy working on a transparent bridge firewall but I am not having any luck, which I believe is related to the bridge. I have the following setup running on OpenBSD 4.2 PF:

ext_if = "rl0"
int_if = "rl1"
The bridge is running on those two NICs. I have a third NIC, rl2, that has been assigned an IP address. I can SSH to the firewall on that address.

I have the standard rules in the NAT section:

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

In the rule section, I have:

anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port 21 flags S/SA keep state
pass out on $ext_if proto tcp from any to any port 21 flags S/SA modulate state

What do I need to change to get this working with the bridge?

J65nko
07-01-2008, 11:29 PM
From the ftp-proxy man page:

"All connections from the client to the server have their source address rewritten so they appear to come from the proxy. Consequently, all connections from the server to the proxy have their destination address rewritten, so they are redirected to the client."

For this to work ftp-proxy needs an IP address, but a bridge doesn't have one ;)

mswall
07-01-2008, 11:58 PM
since there is another NIC on the firewall that does have an ip address, is there something that can be done so that the proxy uses that address in its transactions?

robbak
07-02-2008, 07:47 AM
I would assume that that other NIC is on the internal network, so using its address would be rather pointless, wouldn't it?

peric0
07-07-2008, 02:30 PM
I solved the problem using ftpsesame, adding an IP address to the internal interface.

The rules are similar to those in your pf.conf, but you have to redirect to the IP of your internal interface.

:D
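The approach peric0 describes, written out as a pf.conf fragment. This is an added example, not a configuration posted in this thread: the proxy is made reachable by giving the internal bridge member an address and redirecting FTP control connections to that address instead of 127.0.0.1, which a bridge member without an address cannot deliver to. The interface names follow mswall's post; the address 192.168.1.254, the management rule and the ftp-proxy command line are assumptions for illustration (the -b and -p options are the ftp-proxy(8) listen address and listen port).

```pf
# Added example: ftp-proxy on a transparent bridge (rl0 <-> rl1), with an
# address assigned to the internal bridge member so the proxy has something
# to listen on. 192.168.1.254 is an assumed address, not one from the thread.

ext_if     = "rl0"             # bridge member facing the Internet
int_if     = "rl1"             # bridge member facing the LAN, carries $int_ip
mgmt_if    = "rl2"             # separate management interface (SSH only)
int_ip     = "192.168.1.254"   # assumed: address configured on $int_if
proxy_port = "8021"

# Start the proxy on that address rather than the default 127.0.0.1, e.g.
#   ftp-proxy -b 192.168.1.254 -p 8021
# so that the rdr below has a listener to hit.

# Anchors where ftp-proxy inserts its per-session nat/rdr/filter rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Original (routing firewall) form - does not work on the bridge, because
# nothing on the bridge path answers for 127.0.0.1:
#   rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#
# Bridge form: redirect LAN clients' FTP control connections to the address
# on the internal bridge member, where ftp-proxy is listening.
rdr pass on $int_if proto tcp from any to any port 21 -> $int_ip port $proxy_port

block all

# Management access only on the dedicated interface.
pass in on $mgmt_if proto tcp from any to ($mgmt_if) port 22 flags S/SA keep state

# Rules ftp-proxy adds for each session (data connections) are evaluated here.
anchor "ftp-proxy/*"

# The proxy's own control connection to the real FTP server. Assumed to be
# sourced from $int_ip; adjust if the proxy is started with a different
# source address.
pass out proto tcp from $int_ip to any port 21 flags S/SA keep state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`; once a client has opened an FTP session, `pfctl -a 'ftp-proxy/*' -sr` shows the rules the proxy inserted into its sub-anchors, which is the quickest way to see whether the redirect is actually reaching the proxy.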