[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tftp through pf w/nat



On Thu, Oct 06, 2005 at 02:27:56AM -0400, Charles Sprickman wrote:
> Is it possible, given the nasty way that tftp works to get natted clients 
> to talk to an outside tftp server?
Not if the external server is as sloppy as you described. They'll have
problems with all sorts of NATed clients (not just pf), and could fix it
with a proper server implementation.
You could write a proxy daemon on the firewall, transparently redirect
client requests to it, have it forward the requests and de-multiplex
replies back to the appropriate client. You'll have to use different
source ports for the forwarded requests, so you can de-multiplex based
on the destination port of the incoming replies alone (think of the case
where two different local phones query the same external server at the
same time, you need a way to send each reply to the right phone).
Maybe a one-line inetd.conf(5) entry with nc(1) -u would do the trick,
I'm not sure the stack will match based solely on destination port and
ignore the mismatching source port. If not, a raw socket might be
needed.
Daniel