To allow incoming FTP connections on port 21 through a PF firewall on OpenBSD or another BSD system that ships PF, you need to add a rule to the firewall configuration (pf.conf).
Here is an example of a PF rule that allows incoming FTP control connections on port 21. Note that port 21 is only the control channel: with passive-mode FTP the data connections arrive on a separate high port range that this rule does not cover, so that range (or a helper such as ftp-proxy) has to be handled as well:
pass in on $ext_if proto tcp from any to ($ext_if) port 21
This rule allows incoming TCP connections on port 21 from any source IP address to the firewall's external interface; the parentheses around $ext_if tell PF to look up the interface's current address when the rule is evaluated, so the rule keeps working if that address changes.
If you want to allow only certain IP addresses or networks to connect to the FTP server, you can specify them in the from clause of the rule. For example, to allow only IP addresses in the 192.0.2.0/24 network to connect to the FTP server, you can use the following rule:
pass in on $ext_if proto tcp from 192.0.2.0/24 to ($ext_if) port 21
It is also a good idea to enable logging for FTP connections so that you can monitor activity on the server. You can do this by adding the log keyword to the rule:
pass in log on $ext_if proto tcp from any to ($ext_if) port 21
Once you have added the appropriate rule to your firewall configuration, you need to reload the firewall to apply the change. This is usually done by running the pfctl command with the -f option and the path to the firewall configuration file (running it with -nf first parses the file without loading it, which catches syntax errors before the live ruleset is touched):
pfctl -f /path/to/pf.conf
It's important to note that this is just a basic example of how to allow incoming FTP connections on port 21 through a PF firewall. You may need to modify the rule depending on your specific requirements and network configuration.
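The following pf.conf fragment is an added example, not part of the original answer, that puts the pieces above together: a default-deny inbound policy, the logged port 21 rule restricted to known clients, and the passive data-port range the control-channel rule alone does not cover. It assumes the external interface is em0, that the FTP server runs on the firewall host itself, that the allowed clients are 192.0.2.0/24 plus a constructed single address 198.51.100.10, and that the server is configured to use passive ports 49152 through 49200; all of these are assumptions to adjust for your system.

```pf
# Added example pf.conf fragment (assumptions: em0 is the external
# interface, the FTP server listens on this host, and its passive
# data-port range is 49152-49200; adjust all of these for your setup).
ext_if = "em0"
ftp_clients = "{ 192.0.2.0/24, 198.51.100.10 }"
ftp_pasv_ports = "49152:49200"

# Do not filter loopback traffic.
set skip on lo

# Default deny inbound on the external interface; log what is dropped
# so unexpected connection attempts show up on pflog0.
block in log on $ext_if

# Let the host itself talk out and keep state for the replies.
pass out on $ext_if keep state

# FTP control channel (port 21): only the listed clients, and logged.
pass in log on $ext_if proto tcp from $ftp_clients to ($ext_if) port 21 keep state

# FTP passive data channel: the server tells the client to connect back
# to a port in this range, so it must be passed for the same clients.
pass in log on $ext_if proto tcp from $ftp_clients to ($ext_if) port $ftp_pasv_ports keep state

# Validate, load and verify (run as root):
#   pfctl -nf /etc/pf.conf                 # parse only, nothing is loaded
#   pfctl -f /etc/pf.conf                  # load the ruleset
#   pfctl -sr                              # show the rules now in effect
#   tcpdump -n -e -ttt -i pflog0 port 21   # watch logged FTP control hits
```

The passive range in ftp_pasv_ports has to match whatever the FTP server is configured to advertise in its PASV replies; if it does not, clients will authenticate on port 21 and then hang on directory listings and transfers, which is the usual symptom of a firewall that only passes the control channel. The block rule is logged as well as the pass rule so that both accepted and rejected attempts can be reviewed on pflog0.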