
Re: tftp through pf problems



Cameron MacDonald wrote:

I guess the sensible question would be, can you tftp things through pf?

tftp does not work with keep-state and friends, because it answers from
a different port than the one used for the query. That's a PITA, but there is
nothing PF can do. tftp itself needs to be fixed, but I'm not sure it's possible
to change that behaviour if tftp is started from inetd.
Cedric


I've searched and read a lot, but nothing I've found specifically states that it
is, or is not, possible.
The connection comes back from the tftp server to the correct port but is
then given a port unreachable message. I'm guessing this is because there's
nothing actually "listening" at that port?
Some help and pointers would be much appreciated.

Regards,

Cameron MacDonald

Following is the obligatory log and pf.conf


19:43:36.960604 my ip.1790 > server ip.tftp: 53 RRQ "/firmware/leadtek/LR8051S/currentversion.txt"
19:43:37.180840 server ip.47806 > my ip.1790: udp 24 (DF)
19:43:37.181144 my ip > server ip: icmp: my ip udp port 1790 unreachable
19:43:39.459591 my ip.1790 > server ip.tftp: 53 RRQ "/firmware/leadtek/LR8051S/currentversion.txt"
19:43:39.683193 server ip.47806 > my ip.1790: udp 24 (DF)
19:43:39.683514 my ip > server ip: icmp: my ip udp port 1790 unreachable
19:43:41.958761 my ip.1790 > server ip.tftp: 53 RRQ "/firmware/leadtek/LR8051S/currentversion.txt"
19:43:42.179459 server ip.47808 > my ip.1790: udp 24 (DF)
19:43:42.179776 my ip > server ip: icmp: my ip udp port 1790 unreachable
19:43:44.467850 my ip.1790 > server ip.tftp: 6 ERROR EUNDEF "

==========================================================================
EXT= "de0"
INT= "de1"
PRIVNETS= "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types = "{ 8, 11 }"

set loginterface de0
set optimization conservative

# Scrub rules
scrub in all

# NAT and Redirection rules
nat on $EXT inet from $INT/24 to any -> ($EXT)

# Redirections
rdr on $EXT proto tcp from any to any port 3389 -> 192.168.42.101 port 3389
rdr on $INT proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Filter Rules
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Pass traffic to/from internal network
pass in  quick on $INT all keep state
pass out quick on $INT all keep state

pass in quick on tun0 all keep state
pass in quick on tun1 all keep state

block in log quick on $EXT from $PRIVNETS to any
block out log quick on $EXT from any to $PRIVNETS

# Let in ping from all interfaces
pass in inet proto icmp all icmp-type $icmp_types keep state

# Pass the stuff we expect on the external interface
pass in on $EXT inet proto tcp from any to any port { 22, 25, 3389, 1723 } flags S/SAFR
# note: this admits any inbound UDP on $EXT, not only replies to our own queries
pass in quick on $EXT inet proto udp from any to any keep state
pass in quick on $EXT inet proto 47 from any to any keep state


# Permit outgoing on $EXT
pass out on $EXT proto tcp all modulate state flags S/SA
pass out on $EXT proto { udp, icmp } all keep state


# Let the Bigpong heartbeat in
pass in quick on $EXT from 61.9.208.13 to any
pass in quick on $EXT from 61.9.128.137 to any
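The mechanism Cedric describes, replayed as an added example (not code from the thread or from pf): a stateful NAT/filter keys each UDP state on the full 4-tuple created by the outgoing request, so the TFTP server's first DATA packet, which comes from a freshly bound port rather than 69, matches nothing. The packets are reconstructed from the tcpdump output above; the addresses, the assumption that the client sits on $INT behind the nat rule (the ICMP port unreachable coming from "my ip" is consistent with an untranslated reply landing on the firewall itself), and the port-preserving translation (kept for readability; a real nat rule normally rewrites the source port too) are all assumptions. The `tftp_alg` mode shows what a TFTP-aware helper would have to do instead; it is an illustration of the required logic, not a pf feature.

```python
# Added illustration of the failure described in the thread; not code from
# the original post. Packets are reconstructed from the posted tcpdump
# output, with placeholder addresses (assumptions) for "my ip"/"server ip".
from dataclasses import dataclass

INTERNAL_CLIENT = "192.168.42.50"   # assumed host on $INT running the tftp client
FIREWALL_EXT = "203.0.113.1"        # assumed address of $EXT ("my ip" in the log)
TFTP_SERVER = "198.51.100.20"       # assumed tftp server ("server ip" in the log)
TFTP_PORT = 69


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    desc: str


class UdpNat:
    """Minimal model of 'nat on $EXT ... keep state' for UDP.

    One state is created per full 4-tuple when the request leaves; an
    inbound packet is translated back only if it matches that tuple
    exactly. With tftp_alg=True the model instead does what a TFTP-aware
    helper would need to: accept the server's new source port as the
    continuation of a request it saw go to port 69 (illustration only).
    """

    def __init__(self, ext_ip, tftp_alg=False):
        self.ext_ip = ext_ip
        self.tftp_alg = tftp_alg
        # (ext_ip, client_port, server_ip, server_port) -> internal client ip
        self.states = {}

    def outbound(self, p):
        """Translate an outgoing packet and record the state it creates."""
        self.states[(self.ext_ip, p.sport, p.dst, p.dport)] = p.src
        return Pkt(self.ext_ip, p.sport, p.dst, p.dport, p.desc)

    def inbound(self, p):
        """Reverse-translate a reply, or report why that is impossible."""
        key = (p.dst, p.dport, p.src, p.sport)
        client = self.states.get(key)
        if client is None and self.tftp_alg:
            # DATA arrives from a fresh server port, but a state for the same
            # client port towards server:69 exists: treat it as the same
            # transfer and pin the new port for the remaining blocks.
            client = self.states.get((p.dst, p.dport, p.src, TFTP_PORT))
            if client is not None:
                self.states[key] = client
        if client is None:
            # No state: the packet stays addressed to the firewall itself,
            # nothing listens on p.dport there, and the kernel answers with
            # ICMP port unreachable, exactly as the posted trace shows.
            return ("icmp port unreachable", None)
        return ("delivered", Pkt(p.src, p.sport, client, p.dport, p.desc))


def run_exchange(tftp_alg=False):
    """Replay the first request/reply pair from the posted trace."""
    nat = UdpNat(FIREWALL_EXT, tftp_alg=tftp_alg)
    rrq = Pkt(INTERNAL_CLIENT, 1790, TFTP_SERVER, TFTP_PORT,
              'RRQ "/firmware/leadtek/LR8051S/currentversion.txt"')
    nat.outbound(rrq)
    # The server answers from an ephemeral port (47806 in the log), not 69.
    data = Pkt(TFTP_SERVER, 47806, FIREWALL_EXT, 1790, "DATA block 1")
    verdict, delivered = nat.inbound(data)
    return verdict, (delivered.dst if delivered else None)


if __name__ == "__main__":
    print("plain keep state:", run_exchange())
    print("with tftp helper:", run_exchange(tftp_alg=True))
```

Without the helper the verdict is the ICMP error seen three times in the trace; with it the DATA packet reaches the internal client and the server's chosen port is pinned into the state table for the rest of the transfer. Note that the helper only works because the request to port 69 was seen first, which is why a filter cannot fix this generically and why Cedric points at tftp itself.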