Eventually I managed to make ftpd, PF and ftp-proxy work on the same machine with one network interface.
ftpd_enable="YES" # Enable stand-alone ftpd.
rdr pass on $if proto tcp from any to $if port 9021 -> \
127.0.0.1 port 8021
#The ftp-proxy man page suggests to put another rule here: "pass out proto tcp from $proxy to any port 21".
#I don't need it because I'm not proxying clients, but a server (-R option of ftp-proxy).
My ftpd is running on port 21, but I used 9021 on the
rdr pass rule because I want clients to connect to that port instead of the standard 21 (and this is *not* *security* *by* *obscurity* because I’m not relying on this for my security).
This way I can avoid opening all the ports >=