tftp-proxy

Vadym Chepkov vchepkov at gmail.com
Sat Jul 24 03:51:14 UTC 2010


On Jul 17, 2010, at 5:20 PM, Vadym Chepkov wrote:

> Hi,
> 
> I am unsuccessful in configuring tftp-proxy to work with my phones.
> This is my configuration involved:
> 
> FreeBSD 7.3-RELEASE-p2
> 
> # cat /etc/pf.conf
> wan_if="re0"
> phone_if="em0"
> 
> set debug urgent
> set optimization normal
> set block-policy return
> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
> set limit { states 20000, frags 20000 }
> set skip on lo0
> scrub in
> 
> nat on $wan_if from $phone_if -> $wan_if
> no nat on $wan_if to port tftp
> nat on $wan_if proto udp from $phone_if:network to any -> $wan_if static-port
> nat on $wan_if from $phone_if:network to any -> $wan_if
> 
> rdr-anchor "tftp-proxy/*"
> rdr on $phone_if proto udp from $phone_if:network to any port tftp -> 127.0.0.1 port 6969
> 
> anchor "tftp-proxy/*"
> 
> # grep tftp-proxy /etc/inetd.conf 
> tftp-proxy	dgram   udp     wait    root	/usr/libexec/tftp-proxy tftp-proxy -w 5
> 
> # grep tftp-proxy /etc/services 
> tftp-proxy	6969/udp
> 
> # grep inetd /etc/rc.conf 
> inetd_enable="YES"
> inetd_flags="-a 127.0.0.1"
> 
> I observe in the syslog the following message:
> Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed (no rdr?)
> Jul 17 16:37:11 spider kernel: Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed (no rdr?)
> Jul 17 16:37:11 spider inetd[4665]: /usr/libexec/tftp-proxy[4675]: exited, status 1
> 
> tcpdump shows tftp reply packets are getting rejected, which I assume means tftp-proxy is not expecting replies
> 
> 17:07:19.135743 IP spider.57874 > 204.16.177.35.tftp:  32 RRQ "SEPXXX.cnf.xml" octet 
> 17:07:19.167369 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:20.596097 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:21.596652 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:22.597755 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:24.142580 IP spider.58998 > 204.16.177.35.tftp:  32 RRQ "SEPXXX.cnf.xml" octet 
> 17:07:24.242006 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:24.242036 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:24.242465 IP 204.16.177.35.tftp > spider.58998:  516 DATA block 1
> 17:07:25.243154 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:25.243203 IP spider  > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:25.243213 IP 204.16.177.35.tftp > spider.58998:  516 DATA block 1
> 17:07:26.244089 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:26.244121 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:26.244281 IP 204.16.177.35.tftp > spider.58998:  516 DATA block 1
> 17:07:27.245051 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:27.245091 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:27.245409 IP 204.16.177.35.tftp > spider.58998:  516 DATA block 1
> 17:07:28.246205 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
> 17:07:28.246246 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:28.246292 IP 204.16.177.35.tftp > spider.58998:  516 DATA block 1
> 
> Not sure what I did wrong. The manual page of tftp-proxy has a wrong entry for inetd.conf; it has illegal syntax for FreeBSD's inetd. 
> Maybe some other nuance was lost during migration from OpenBSD?


It seems I found the problem. The tftp server in question answers not from an ephemeral port but, in a firewall-friendly manner, from the tftp port.
I assume this somehow breaks the tftp-proxy logic, though. I removed the tftp-specific rules completely and now everything works fine. Sometimes less is more.

Vadym
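The resolution above turns on one detail of how TFTP interacts with a stateful firewall. Per RFC 1350 the server answers a request from a freshly chosen transfer identifier (a new UDP port), so the reply's source port differs from the port the request was sent to. pf keys UDP state on the full address/port 4-tuple, so such a reply does not match the state created by the outbound request; tftp-proxy exists to watch the request and add rules in its anchor for the expected reply. A server that answers from port 69 instead, as the one in this thread does, matches the plain NAT state and needs no proxy. The script below is an added example, not part of the thread and not FreeBSD or tftp-proxy code: it reads tcpdump lines in the default format shown above (port 69 resolved to "tftp", hostnames resolved) and reports which of the two behaviours a server shows, so you can decide whether the tftp-proxy rules are needed before debugging them. The sample captures are constructed inline: the first is trimmed from the thread's output, the second is a made-up RFC 1350 style exchange with an invented TID of 51234.

```python
import re

# tcpdump's default IPv4 line: "<ts> IP <src> > <dst>: <protocol-specific text>"
PKT_RE = re.compile(r'^(?P<ts>\S+) IP (?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s*(?P<rest>.*)$')
ICMP_RE = re.compile(r'ICMP \S+ udp port (?P<port>\d+) unreachable')
REQ_RE = re.compile(r'^\d+ [RW]RQ ')       # e.g. 32 RRQ "file" octet
WELL_KNOWN = {'tftp', '69'}               # tcpdump resolves 69/udp to "tftp" unless run with -n


def split_endpoint(endpoint):
    """'spider.57874' -> ('spider', '57874'); '204.16.177.35.tftp' -> ('204.16.177.35', 'tftp')."""
    host, _, port = endpoint.rpartition('.')
    return host, port


def analyze(lines):
    """Walk a capture and sort every server reply by the source port it came from."""
    requests = {}          # (client_host, client_port) -> server_host, from RRQ/WRQ lines
    replies_from_69 = []   # reply source ports that were the well-known port
    replies_from_tid = []  # reply source ports that were fresh TIDs (RFC 1350 behaviour)
    unreachable = set()    # client ports the local host answered with ICMP port unreachable
    for line in lines:
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        rest = m['rest']
        icmp = ICMP_RE.search(rest)
        if icmp:
            unreachable.add(icmp['port'])
            continue
        src_host, src_port = split_endpoint(m['src'])
        dst_host, dst_port = split_endpoint(m['dst'])
        if dst_port in WELL_KNOWN and REQ_RE.match(rest):
            requests[(src_host, src_port)] = dst_host
        elif requests.get((dst_host, dst_port)) == src_host:
            # A packet from the server back to a port that sent a request is a reply;
            # what matters to a stateful firewall is which port it left the server from.
            (replies_from_69 if src_port in WELL_KNOWN else replies_from_tid).append(src_port)
    return {
        'requests': requests,
        'replies_from_69': replies_from_69,
        'replies_from_tid': replies_from_tid,
        'unreachable_ports': unreachable,
    }


def needs_tftp_proxy(report):
    """True when at least one reply came from a fresh TID: its source port differs
    from the port the request went to, so it does not match the UDP state pf created
    for the outbound request and needs tftp-proxy's anchor rules to get back in."""
    return bool(report['replies_from_tid'])


# Constructed input, trimmed from the tcpdump output quoted in the thread: the server
# answers from port 69, and the local host rejects late replies to the first client
# port with ICMP port unreachable after the client has retried from a new port.
FIREWALL_FRIENDLY_CAPTURE = """\
17:07:19.135743 IP spider.57874 > 204.16.177.35.tftp:  32 RRQ "SEPXXX.cnf.xml" octet
17:07:19.167369 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
17:07:20.596097 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
17:07:24.142580 IP spider.58998 > 204.16.177.35.tftp:  32 RRQ "SEPXXX.cnf.xml" octet
17:07:24.242006 IP 204.16.177.35.tftp > spider.57874:  516 DATA block 1
17:07:24.242036 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:24.242465 IP 204.16.177.35.tftp > spider.58998:  516 DATA block 1
""".splitlines()

# Constructed input: the same request answered the RFC 1350 way, from a new TID
# (port 51234 is invented for the example).
RFC1350_CAPTURE = """\
17:10:01.000000 IP spider.60001 > 204.16.177.35.tftp:  32 RRQ "SEPXXX.cnf.xml" octet
17:10:01.030000 IP 204.16.177.35.51234 > spider.60001:  516 DATA block 1
17:10:01.031000 IP spider.60001 > 204.16.177.35.51234:  4 ACK block 1
""".splitlines()


if __name__ == '__main__':
    for name, capture in (('firewall-friendly', FIREWALL_FRIENDLY_CAPTURE),
                          ('rfc1350', RFC1350_CAPTURE)):
        report = analyze(capture)
        print(name, 'needs tftp-proxy:', needs_tftp_proxy(report), report)
```

Run it against a real capture with `tcpdump -i em0 -l udp port 69 or icmp | python3 tftp_check.py` style piping, or paste the lines into the constants, after dropping the `-n` flag so port 69 shows up as "tftp" as it does in the thread. If every reply comes from port 69, the rdr and anchor rules for tftp-proxy can go, which is exactly what the thread's author ended up doing; if replies arrive from fresh TIDs, the proxy is required and the "no rdr?" failure is the thing to chase.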




