
re: ipfilter and ftp

This is a discussion on re: ipfilter and ftp within the IPFilter forums, part of the System Security and Security Related category.


07-20-2003
dave

Hi,
Sorry, I should probably have told you my ipf/ipnat setup with my rules.
I'm doing bidirectional filtering: ep0 is my outside interface, ep1 is my
internal, and yes, I am using the ftp proxy. My ftp server is proftpd; here
are my rules. The lines do not wrap in the file.

# Define rule groups based on interface

block return-icmp-as-dest(port-unr) in log first quick on ep0 proto tcp/udp from any to any head 100

# Rule group for traffic coming from the Internet:

# Allow FTP services.

pass in quick on ep0 proto tcp from any to 192.168.0.3 port = 20 flags S keep state group 100

pass in quick on ep0 proto tcp from any to 192.168.0.3 port = 21 flags S keep state group 100

# block Christmas tree scans

block in log quick proto tcp from any to any flags FUP group 100

# allow everything going out ep0 out, limits on what internal traffic are in group 300
# Allow FTP to the Internet

pass in quick on ep1 proto tcp from 192.168.0.0/24 to any port = 20 flags S keep state group 300

pass in quick on ep1 proto tcp from 192.168.0.0/24 to any port = 21 flags S keep state group 300

# ipnat.rules
# Network address mappings and redirections:

map ep0 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp

map ep0 192.168.0.0/24 -> 0.0.0.0/32

# Map FTP to our FTP server.

rdr ep0 0.0.0.0/0 port 20 -> 192.168.0.3 port 20

rdr ep0 0.0.0.0/0 port 21 -> 192.168.0.3 port 21


Also, is it possible to use dynamic rules to block a portscan but allow a
single connection? Basically, if someone is portscanning me, a dynamic rule
blocks that IP and returns nothing, or all ports closed, but if someone
connects to ssh singly, without a portscan, they're allowed through?
Thanks.
Dave.
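Dave's closing question is about telling a port sweep apart from a single ssh connection. As an added example (my own code, not from this thread or from IPFilter), here is a small Python script that reads ipmon-style log lines and reports only sources that hit several distinct destination ports within a short window, so a lone connection is never reported. The regular expression is my assumption about ipmon's text layout (date, time, interface, @group:rule, action letter, src,port -> dst,port, PR proto) and the log lines are constructed; adjust the pattern to match your own ipmon output. The returned mapping is what an administrator would review before deciding to add a block rule for a source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed ipmon line layout (verify against your own ipmon output):
#   dd/mm/yyyy hh:mm:ss.uuuuuu iface @group:rule action src,sport -> dst,dport PR proto ...
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpl]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

# Constructed sample log: 10.1.2.3 probes eight ports within one second,
# 10.9.9.9 opens a single ssh connection, and 10.5.5.5 touches three ports
# spread over eight hours (one port per short window).
SAMPLE_LOG = """\
21/07/2003 10:00:01.000001 ep0 @100:3 b 10.1.2.3,40001 -> 192.168.0.3,21 PR tcp len 20 60 -S IN
21/07/2003 10:00:01.100002 ep0 @100:3 b 10.1.2.3,40002 -> 192.168.0.3,22 PR tcp len 20 60 -S IN
21/07/2003 10:00:01.200003 ep0 @100:3 b 10.1.2.3,40003 -> 192.168.0.3,23 PR tcp len 20 60 -S IN
21/07/2003 10:00:01.300004 ep0 @100:3 b 10.1.2.3,40004 -> 192.168.0.3,25 PR tcp len 20 60 -S IN
21/07/2003 10:00:01.400005 ep0 @100:3 b 10.1.2.3,40005 -> 192.168.0.3,80 PR tcp len 20 60 -S IN
21/07/2003 10:00:01.500006 ep0 @100:3 b 10.1.2.3,40006 -> 192.168.0.3,110 PR tcp len 20 60 -S IN
21/07/2003 10:00:01.600007 ep0 @100:3 b 10.1.2.3,40007 -> 192.168.0.3,143 PR tcp len 20 60 -S IN
21/07/2003 10:00:01.700008 ep0 @100:3 b 10.1.2.3,40008 -> 192.168.0.3,443 PR tcp len 20 60 -S IN
21/07/2003 10:05:17.000009 ep0 @100:2 p 10.9.9.9,51515 -> 192.168.0.3,22 PR tcp len 20 60 -S IN
21/07/2003 08:00:00.000010 ep0 @100:3 b 10.5.5.5,33001 -> 192.168.0.3,21 PR tcp len 20 60 -S IN
21/07/2003 12:00:00.000011 ep0 @100:3 b 10.5.5.5,33002 -> 192.168.0.3,25 PR tcp len 20 60 -S IN
21/07/2003 16:00:00.000012 ep0 @100:3 b 10.5.5.5,33003 -> 192.168.0.3,80 PR tcp len 20 60 -S IN
"""


def parse_line(line):
    """Return (timestamp, source address, destination port) for a line that
    matches the assumed ipmon layout, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M:%S.%f")
    return ts, m["src"], int(m["dport"])


def find_scanners(lines, threshold=5, window_seconds=60):
    """Map each source that reached at least `threshold` distinct destination
    ports inside some `window_seconds` window to the sorted list of every
    port seen from it.  A source that never exceeds the threshold in any
    window (a single ssh login, or a few hits hours apart) is not reported."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            events[src].append((ts, dport))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, hits in events.items():
        hits.sort()                  # log lines need not be in time order
        recent = deque()             # (timestamp, port) pairs inside the window
        for ts, dport in hits:
            recent.append((ts, dport))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            if len({p for _, p in recent}) >= threshold:
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(ports)} distinct ports {ports}")
```

Run it against real ipmon output with `find_scanners(open("/var/log/ipmon.log").read().splitlines())`; raise `threshold` or shrink `window_seconds` if busy legitimate clients start to appear in the result.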
