On Thu, Oct 06, 2005 at 02:27:56AM -0400, Charles Sprickman wrote:
> Is it possible, given the nasty way that tftp works to get natted clients
> to talk to an outside tftp server?
Not if the external server is as sloppy as you described. They'll have problems with all sorts of NATed clients (not just pf), and could fix it with a proper server implementation.

You could write a proxy daemon on the firewall, transparently redirect client requests to it, have it forward the requests and de-multiplex replies back to the appropriate client. You'll have to use different source ports for the forwarded requests, so you can de-multiplex based on the destination port of the incoming replies alone (think of the case where two different local phones query the same external server at the same time, you need a way to send each reply to the right phone).

Maybe a one-line inetd.conf(5) entry with nc(1) -u would do the trick, I'm not sure the stack will match based solely on destination port and ignore the mismatching source port. If not, a raw socket might be needed.

Daniel