> On Aug 20, 2009, at 1:27 PM, Aloysius Thevarajah Lloyd wrote:
>>
>> *My internal phone tries to get the configuration file and firmware from an
>> external public-IP TFTP server. I opened UDP port 69 on the WAN ....*
>>
>> Is there any special configuration available to allow TFTP requests?
>
> On Thu, Aug 20, 2009 at 2:02 PM, Stephan Monette <[email protected]> wrote:
>
> You need to have the module for TFTP tracking installed, loaded and enabled.
> Just like the FTP and PPTP tracking modules.
Lloyd,

It looks like it's a known issue with pfSense. I think this bugtracker article describes your issue exactly:
http://cvstrac.pfsense.com/tktview?tn=1872

I'm not sure if, in your situation, you can fix the port behavior on the server end as the article suggests, or if you can VPN to the server to avoid NAT altogether. As Stephan suggests, it could probably be fixed by a proxy, but I don't see a proxy package available for pfSense. Here's an article by a guy who fixed it on FreeBSD. The process should be similar for pfSense:
http://taosecurity.blogspot.com/2009/07/freebsd-pf-and-tftp-proxy.html

From a security point of view, I believe that TFTP is regarded as an insecure service and not something that should be exposed to the Internet. Some phone config files, if left unencrypted, could expose SIP user IDs and passwords. You're not new to networking and you probably already thought of that, but I thought I'd mention it just in case somebody else on the list thought opening his TFTP server up to the world might be a good idea. If you wanted to comment, I'd be interested to know how you've chosen to address TFTP security.

My only suggestion with pfSense would be to try the recent RC of 1.2.3, based on BSD 7.1, which apparently addressed a long list of issues that were present in the earlier 7.0.

Best Regards,
Dave Donovan
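The reason TFTP needs a "tracking module" (or a proxy) behind NAT, as Stephan and Dave describe, is that the server never answers from UDP port 69: per RFC 1350 it picks a fresh ephemeral port (its transfer ID) for the DATA packets, so a stateful NAT that only remembers the exact outbound 5-tuple drops the reply. The simulation below is an added example and is not code from this thread, from pfSense or from the linked articles; the addresses, ports and packet bodies are constructed, and the helper logic is a simplified model of what a TFTP connection-tracking helper does (an expectation for "any source port on the server back to the client's port" created when an RRQ/WRQ to port 69 passes outbound).

```python
"""Simulated stateful NAT with and without a TFTP connection-tracking helper.

Everything here (addresses, ports, the packet model) is constructed for
illustration; it is not pfSense/pf code and does not touch the network.
"""
import struct
from dataclasses import dataclass

TFTP_PORT = 69
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def tftp_opcode(payload: bytes):
    """Return the 16-bit big-endian TFTP opcode, or None if the payload is too short."""
    if len(payload) < 2:
        return None
    return struct.unpack("!H", payload[:2])[0]


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ packet: opcode 1, filename, NUL, mode, NUL (RFC 1350 layout)."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, data: bytes) -> bytes:
    """DATA packet: opcode 3, block number, up to 512 bytes of data."""
    return struct.pack("!HH", OP_DATA, block) + data


class NatFirewall:
    """A stateful NAT that admits inbound UDP only if it matches an outbound
    state exactly, or (with the helper enabled) a TFTP expectation."""

    def __init__(self, tftp_helper: bool = False):
        self.tftp_helper = tftp_helper
        self.states = set()        # (src_ip, src_port, dst_ip, dst_port) seen outbound
        self.expectations = set()  # (client_ip, client_port, server_ip); server port is a wildcard

    def outbound(self, pkt: Packet) -> bool:
        self.states.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        # Helper: an RRQ/WRQ to port 69 means the server will answer from a new port.
        if (self.tftp_helper and pkt.dst_port == TFTP_PORT
                and tftp_opcode(pkt.payload) in (OP_RRQ, OP_WRQ)):
            self.expectations.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
        return True

    def inbound(self, pkt: Packet) -> bool:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.states:
            return True
        expectation = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if expectation in self.expectations:
            # First DATA packet seen: promote the expectation to a normal state
            # so the rest of the transfer flows without the helper.
            self.expectations.discard(expectation)
            self.states.add(reverse)
            return True
        return False


def simulate_tftp_read(helper: bool):
    """Run one RRQ and two DATA replies through the NAT; return which replies got in."""
    fw = NatFirewall(tftp_helper=helper)
    client = ("192.0.2.10", 40000)          # constructed: internal phone
    server = ("198.51.100.5", TFTP_PORT)    # constructed: public TFTP server
    rrq = Packet(*client, *server, build_rrq("phone-config.xml"))  # constructed filename
    fw.outbound(rrq)
    # The server replies from a fresh transfer-ID port, not from 69 (RFC 1350).
    server_tid = 51234  # constructed ephemeral port
    data1 = Packet(server[0], server_tid, client[0], client[1], build_data(1, b"<config/>"))
    data2 = Packet(server[0], server_tid, client[0], client[1], build_data(2, b""))
    return [fw.inbound(data1), fw.inbound(data2)]


if __name__ == "__main__":
    print("without helper:", simulate_tftp_read(helper=False))  # [False, False]
    print("with helper:   ", simulate_tftp_read(helper=True))   # [True, True]
```

Without the helper the first DATA packet is rejected because no state matches `(client, 40000) -> (server, 51234)`, which is exactly the symptom in the pfSense ticket; with the helper the RRQ creates a wildcard expectation that the first reply consumes. A real helper (or the pf tftp-proxy approach in the linked article) does the same thing with a timeout on the expectation, which is the part that keeps "any source port from the server" from becoming a standing hole.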
