Cameron MacDonald wrote:
> I guess the sensible question would be, can you tftp things through pf?

tftp does not work with keep-state and friends, because it answers from
a different port than the one used for the query. That's a PITA, but there is
nothing PF can do. tftp itself needs to be fixed, but I'm not sure it's possible
to change that behaviour if tftp is started from inetd.

Cedric
I've searched and read a lot, but nothing I've found specifically states that it is, or is not, possible. The connection comes back from the tftp server to the correct port but is then given a port unreachable message. I'm guessing this is because there's nothing actually "listening" at that port? Some help and pointers would be much appreciated.
Regards,
Cameron MacDonald
Following is the obligatory log and pf.conf
19:43:36.960604 my ip.1790 > server ip.tftp: 53 RRQ "/firmware/leadtek/LR8051S/currentversion.txt"
19:43:37.180840 server ip.47806 > my ip.1790: udp 24 (DF)
19:43:37.181144 my ip > server ip: icmp: my ip udp port 1790 unreachable
19:43:39.459591 my ip.1790 > server ip.tftp: 53 RRQ "/firmware/leadtek/LR8051S/currentversion.txt"
19:43:39.683193 server ip.47806 > my ip.1790: udp 24 (DF)
19:43:39.683514 my ip > server ip: icmp: my ip udp port 1790 unreachable
19:43:41.958761 my ip.1790 > server ip.tftp: 53 RRQ "/firmware/leadtek/LR8051S/currentversion.txt"
19:43:42.179459 server ip.47808 > my ip.1790: udp 24 (DF)
19:43:42.179776 my ip > server ip: icmp: my ip udp port 1790 unreachable
19:43:44.467850 my ip.1790 > server ip.tftp: 6 ERROR EUNDEF "
==========================================================================
EXT= "de0"
INT= "de1"
PRIVNETS= "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types = "{ 8, 11 }"

set loginterface de0
set optimization conservative

# Scrub rules
scrub in all

# NAT and Redirection rules
nat on $EXT inet from $INT/24 to any -> ($EXT)

# Redirections
rdr on $EXT proto tcp from any to any port 3389 -> 192.168.42.101 port 3389
rdr on $INT proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Filter Rules
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Pass traffic to/from internal network
pass in quick on $INT all keep state
pass out quick on $INT all keep state
pass in quick on tun0 all keep state
pass in quick on tun1 all keep state

block in log quick on $EXT from $PRIVNETS to any
block out log quick on $EXT from any to $PRIVNETS

# Let in ping from all interfaces
pass in inet proto icmp all icmp-type $icmp_types keep state

# Pass the stuff we expect on the external interface
pass in on $EXT inet proto tcp from any to any port { 22, 25, 3389, 1723 } flags S/SAFR
pass in quick on $EXT inet proto udp from any to any keep state
pass in quick on $EXT inet proto 47 from any to any keep state

# Permit outgoing on $EXT
pass out on $EXT proto tcp all modulate state flags S/SA
pass out on $EXT proto { udp, icmp } all keep state

# Let the Bigpong heartbeat in
pass in quick on $EXT from 61.9.208.13 to any
pass in quick on $EXT from 61.9.128.137 to any
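The following is an added example (not part of the thread and not pf's code) that models Cedric's explanation against the shape of the tcpdump output above: a `keep state` entry is keyed on the full UDP 4-tuple, a TFTP server answers the RRQ from a freshly bound port, so its data packet never matches the state the request created. The same model is run for a protocol that answers from the queried port (DNS) to show the contrast. The addresses, ports and packets are constructed for illustration (RFC 5737 documentation ranges), and `KeepStateUdpFilter` is a hypothetical stand-in, not pf's state table.

```python
"""Model of pf-style 'keep state' on UDP, added to illustrate why a TFTP
transfer fails through a stateful filter while DNS works.  Added example;
not pf code.  Addresses, ports and packets are constructed (RFC 5737)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int


class KeepStateUdpFilter:
    """Tiny stand-in for a stateful packet filter (hypothetical, not pf).

    A state entry is keyed on the full 4-tuple (src, sport, dst, dport).
    A packet passes if it matches an entry in either direction; otherwise it
    is checked against a rule set that only permits outbound requests
    (LAN -> Internet) to the given destination ports, creating state for
    them.  Replies are expected to match the reversed tuple, which is what
    DNS, NTP and most UDP services do, and what TFTP does not."""

    def __init__(self, outbound_dports):
        self.outbound_dports = set(outbound_dports)
        self.states = set()

    @staticmethod
    def _tuple(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reversed(p):
        return (p.dst, p.dport, p.src, p.sport)

    def handle(self, packet, direction):
        """direction is 'out' (LAN -> Internet) or 'in'.  Returns a verdict."""
        if self._tuple(packet) in self.states or self._reversed(packet) in self.states:
            return "pass: matches existing state"
        if direction == "out" and packet.dport in self.outbound_dports:
            self.states.add(self._tuple(packet))
            return "pass: rule matched, state created"
        # No state and no rule.  Behind NAT an untranslated reply ends up at
        # the firewall's own stack, where nothing listens on the port; that is
        # the 'udp port 1790 unreachable' ICMP seen in the quoted log.
        return "drop: no state, no rule"


CLIENT = "192.0.2.10"      # constructed: the host sending the RRQ
SERVER = "198.51.100.5"    # constructed: the TFTP / DNS server


def simulate_tftp():
    """Replay the shape of the quoted tcpdump: RRQ to port 69 (tftp), answer
    from an ephemeral port.  Returns the verdicts in packet order."""
    fw = KeepStateUdpFilter(outbound_dports={69})
    rrq = UdpPacket(CLIENT, 1790, SERVER, 69)       # my ip.1790 > server ip.tftp
    data = UdpPacket(SERVER, 47806, CLIENT, 1790)   # server ip.47806 > my ip.1790
    return [fw.handle(rrq, "out"), fw.handle(data, "in")]


def simulate_dns():
    """Same filter, a protocol that answers from the port it was queried on.
    The reply is the exact reverse 4-tuple, so it matches the state."""
    fw = KeepStateUdpFilter(outbound_dports={53})
    query = UdpPacket(CLIENT, 1790, SERVER, 53)
    answer = UdpPacket(SERVER, 53, CLIENT, 1790)
    return [fw.handle(query, "out"), fw.handle(answer, "in")]


if __name__ == "__main__":
    for name, verdicts in (("tftp", simulate_tftp()), ("dns", simulate_dns())):
        print(name)
        for verdict in verdicts:
            print("   ", verdict)
```

Because the mismatch is in the protocol rather than in the ruleset, no 4-tuple-keyed `keep state` rule can fix it; a stateful filter needs a protocol-aware helper that watches the RRQ and admits the server's reply port. OpenBSD later shipped tftp-proxy(8) for exactly this purpose.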
