Thanks. The routing options (route-to, reply-to, dup-to) syntax changed at 4.7.
Your routing option applies to all incoming traffic on em0 destined for the server (192.168.1.200). Either add another standard pass rule without reply-to after this one for your two TCP services, or add a quick pass rule that doesn't use reply-to for those two TCP services before this rule.
Remember, with PF, unless the "quick" option is used, the last matching rule wins. If you use standard pass rules, try something like:
Code:
pass in on em0 reply-to (em0 192.168.1.1) to 192.168.1.200 keep state
pass in on em0 proto tcp from any to 192.168.1.200 port {21 80}
The first rule matches all incoming traffic, the second rule without reply-to matches your two services, and "wins" for that traffic.
You may also need to adjust rules for your FTP data connections, depending on whether passive or active FTP is used and the type of FTP proxy deployed, if any.
----
Edited to add:
keep state became the default at 4.1.
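
The following is an added example, not part of the original post and not PF code: a simplified Python model of the rule evaluation described above (last matching rule wins unless a matching rule is marked quick), applied to the two rules from the post. The `Rule` class, the rule labels and the `REVERSED` ordering are assumptions made for illustration; interface and direction are omitted because every rule here is `in on em0`.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    label: str
    dst: str
    proto: Optional[str] = None      # None matches any protocol
    ports: Tuple[int, ...] = ()      # empty tuple matches any port
    quick: bool = False
    reply_to: Optional[str] = None   # gateway replies are forced through, if any

    def matches(self, proto, dst, port):
        return (dst == self.dst
                and self.proto in (None, proto)
                and (not self.ports or port in self.ports))

def evaluate(rules, proto, dst, port):
    """Return the deciding rule: the last match, or the first quick match."""
    winner = None
    for rule in rules:
        if rule.matches(proto, dst, port):
            winner = rule
            if rule.quick:           # quick stops evaluation at this rule
                break
    return winner

def reply_gateway(rules, proto, dst, port):
    """Gateway set by the winning rule's reply-to, or None if it has none."""
    rule = evaluate(rules, proto, dst, port)
    return rule.reply_to if rule else None

SERVER = "192.168.1.200"
catch_all = Rule("reply-to", SERVER, reply_to="192.168.1.1")
services = Rule("services", SERVER, proto="tcp", ports=(21, 80))
services_quick = Rule("services-quick", SERVER, proto="tcp",
                      ports=(21, 80), quick=True)

STANDARD = [catch_all, services]     # plain pass rule placed after reply-to
QUICK = [services_quick, catch_all]  # quick pass rule placed before reply-to
REVERSED = [services, catch_all]     # no quick, wrong order: reply-to wins

if __name__ == "__main__":
    for name, rules in (("standard", STANDARD), ("quick", QUICK),
                        ("reversed", REVERSED)):
        for port in (21, 80, 22):
            print(name, port, reply_gateway(rules, "tcp", SERVER, port))
```

Both orderings suggested in the post keep reply-to off TCP ports 21 and 80 while leaving it in place for everything else; the reversed ordering shows why a non-quick service rule placed first has no effect.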