Tftp-proxy

2008-11-07 Thread Steve B
I am having a little trouble writing the necessary PF rule to pass and
redirect tftp from a Cisco DSL router over to m



Tftp-proxy

2008-10-19 Thread Steve B
I'm in need of a little help (and probably a lot of sleep). I have been
tweaking my PF due to a need for some added functionality. My last task was
to add tftp-proxy so I can backup my Cisco DSL router to my TFTP server. I
read the man page and inserted the necessary rules, but alas she's not
working and I cannot quite see my error. My TFTP server lives inside the LAN
on 192.168.1.5 and I had added the following rules. What am I missing here?

### Translation ###
# no rdr on lo0 from any to any
nat-anchor "ftp-proxy/*"
nat on egress from (self)   to any tag EGRESS -> ($ext_if:0)
nat on egress from $wire_if:network to any tag EGRESS -> ($ext_if:0)
no nat on $ext_if to port tftp
rdr-anchor "ftp-proxy/*"
rdr-anchor "tftp-proxy/*"
rdr on $ext_if proto udp from any to any port tftp -> 127.0.0.1 port 6969

# $ext_if inbound
pass in   on $ext_if inet proto icmp from any   to $ext_if icmp-type 8 code 0
pass in quick on $ext_if inet proto tcp from <ftp-auth> to $ext_ip port 21 \
    flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh \
    flags S/SA synproxy state (max 10, source-track rule, max-src-conn 10, \
    max-src-nodes 5, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass in quick on $ext_if inet proto udp from <ftp-auth> to $ext_ip keep state

# $wire_if outbound
pass out log on $wire_if inet proto tcp  from $wire_if to $wire_if:network \
    flags S/SAFR modulate state
pass out on $wire_if inet proto tcp to $ftp_server port 21 user proxy \
    flags S/SA keep state
pass out log on $wire_if inet proto udp  from $wire_if to $wire_if:network keep state
pass out on $wire_if inet proto udp to $ftp_server keep state
pass out log on $wire_if inet proto icmp from $wire_if to $wire_if:network \
    icmp-type 8 code 0 keep state
anchor "ftp-proxy/*"
anchor "tftp-proxy/*"



tftp-proxy without nat?

2007-04-10 Thread Sebastian Reitenbach
Hi,

I have an OpenBSD 4.0 firewall between two networks. The traffic between
these two is routed. When I take a look at the manual pages, it looks
like tftp-proxy is only useful for connections that do NAT, where the
client is in a private network and the server has a public IP.


Without NAT, I will need something like this in the nat section:
   rdr-anchor "tftp-proxy/*"
   rdr on $int_if proto udp from $lan to any port tftp -> \
   127.0.0.1 port 6969

and this in the filter section:
anchor tftp-proxy/*

but I do not know, how to allow the data packets, from the server to the
client to traverse the firewall. Is there a way to make it stateful
somehow?


kind regards
Sebastian



Re: tftp-proxy without nat?

2007-04-10 Thread Joachim Schipper
On Tue, Apr 10, 2007 at 04:41:04PM +0200, Sebastian Reitenbach wrote:
> Hi,
> 
> I have an OpenBSD 4.0 firewall between two networks. The traffic between
> these two is routed. When I take a look at the manual pages, it looks
> like tftp-proxy is only useful for connections that do NAT, where the
> client is in a private network and the server has a public IP.
> 
> 
> Without NAT, I will need something like this in the nat section:
>    rdr-anchor "tftp-proxy/*"
>    rdr on $int_if proto udp from $lan to any port tftp -> \
>    127.0.0.1 port 6969
> 
> and this in the filter section:
> anchor "tftp-proxy/*"
> 
> but I do not know, how to allow the data packets, from the server to the
> client to traverse the firewall. Is there a way to make it stateful
> somehow?

Unless I am sorely mistaken, TFTP uses standard UDP traffic. Just allow
that through the firewall (pass from $lan to $tftp_server port tftp keep
state).

-- 
TFMotD: ioprbs (4) - I2O SCSI RAID controller
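Both threads turn on the same TFTP property, so here is one added illustration (my own code, not from any of the posts, not OpenBSD's tftp-proxy): per RFC 1350 the client sends its request to port 69, but the server answers from a freshly chosen port (its transfer ID, TID) and the rest of the transfer runs between the two TIDs. A UDP "keep state" entry is keyed on the full 4-tuple of the first packet, so the server's first DATA packet does not match it; a rule that passes the transfer has to name the server address and the client's TID while leaving the server port open, because that port is only known once the reply arrives. The script runs a real RRQ/DATA exchange over loopback sockets with OS-assigned ports and checks both kinds of rule against it with a toy state table. The file name and contents are made up.

```python
"""Why one 'keep state' UDP entry does not carry a TFTP transfer (RFC 1350).

Added illustration, not code from the mailing-list posts above and not
tftp-proxy itself.  Everything runs on 127.0.0.1 with OS-assigned ports;
the file name and payload are constructed for the demo.
"""
import socket
import struct

OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4
TIMEOUT = 2.0


def build_rrq(filename, mode="octet"):
    """RRQ packet: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(pkt):
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode != OP_RRQ:
        raise ValueError("not an RRQ")
    filename, mode, _rest = pkt[2:].split(b"\0", 2)
    return filename.decode(), mode.decode()


def parse_data(pkt):
    """DATA packet: opcode 3, block number, up to 512 bytes of data."""
    opcode, block = struct.unpack("!HH", pkt[:4])
    if opcode != OP_DATA:
        raise ValueError("not a DATA packet")
    return block, pkt[4:]


class UdpStateTable:
    """Toy model of a stateful firewall's view of UDP.

    keep_state(): one entry keyed on the exact 4-tuple of the first packet;
    a reply matches only if it is the exact reverse of that tuple.
    add_proxy_rule(): what a proxy that has seen the RRQ can install, i.e.
    server IP -> client TID with the server port left open.
    """

    def __init__(self):
        self.states = set()       # ((src_ip, src_port), (dst_ip, dst_port))
        self.proxy_rules = set()  # (server_ip, (client_ip, client_port))

    def keep_state(self, src, dst):
        self.states.add((src, dst))

    def add_proxy_rule(self, server_ip, client):
        self.proxy_rules.add((server_ip, client))

    def reply_matches_state(self, src, dst):
        return (dst, src) in self.states

    def reply_matches_proxy_rule(self, src, dst):
        return (src[0], dst) in self.proxy_rules


def _udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(TIMEOUT)
    s.bind(("127.0.0.1", 0))  # port 0: the OS picks one, just like a TID
    return s


def run_exchange(filename="router-config", payload=b"hostname dsl-router\n"):
    """One RRQ and the server's first DATA block, watched by the toy firewall."""
    listener = _udp_socket()  # stands in for the server's well-known port 69
    client = _udp_socket()
    data_sock = None
    server_addr = listener.getsockname()
    client_addr = client.getsockname()
    fw = UdpStateTable()
    try:
        # Client -> server:"69".  A 'keep state' rule records exactly this tuple.
        client.sendto(build_rrq(filename), server_addr)
        fw.keep_state(client_addr, server_addr)

        # Server side: read the request, then answer from a NEW socket (new TID).
        req, peer = listener.recvfrom(516)
        parse_rrq(req)
        data_sock = _udp_socket()
        data_sock.sendto(struct.pack("!HH", OP_DATA, 1) + payload, peer)

        # Client side: the reply's source port is the server's TID, not "69".
        reply, reply_from = client.recvfrom(516)
        block, data = parse_data(reply)

        # The rule a proxy can install after seeing the RRQ: server IP -> client TID.
        fw.add_proxy_rule(server_addr[0], client_addr)
        return {
            "request_port": server_addr[1],
            "server_tid": reply_from[1],
            "block": block,
            "data": data,
            "reply_matches_state": fw.reply_matches_state(reply_from, client_addr),
            "reply_matches_proxy_rule": fw.reply_matches_proxy_rule(reply_from, client_addr),
        }
    finally:
        for s in (listener, client, data_sock):
            if s is not None:
                s.close()


if __name__ == "__main__":
    print(run_exchange())
```

The dictionary it returns shows `server_tid` differing from `request_port`, `reply_matches_state` false and `reply_matches_proxy_rule` true. That is the gap Sebastian describes: the request from $lan to port tftp is fine under a stateful pass rule, but the server's data packets arrive from a port that no rule written in advance can name, which is what the rules added dynamically into the tftp-proxy anchor are for.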