xref: /freebsd/contrib/pf/tftp-proxy/tftp-proxy.8 (revision 67ecd4f3a477a0ca5b76a1694f89755df27a8679)
.\"	$OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
.\"
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 28, 2005
.Dt TFTP-PROXY 8
.Os
.Sh NAME
.Nm tftp-proxy
.Nd Internet Trivial File Transfer Protocol proxy
.Sh SYNOPSIS
.Nm tftp-proxy
.Op Fl v
.Op Fl w Ar transwait
.Sh DESCRIPTION
.Nm
is a proxy for the Internet Trivial File Transfer Protocol invoked by
the
.Xr inetd 8
internet server.
TFTP connections should be redirected to the proxy using the
.Xr pf 4
.Ar rdr
command, after which the proxy connects to the server on behalf of
the client.
.Pp
The proxy establishes a
.Xr pf 4
.Ar rdr
rule using the
.Ar anchor
facility to rewrite packets between the client and the server.
Once the rule is established,
.Nm
forwards the initial request from the client to the server to begin the
transfer.
After
.Ar transwait
seconds, the
.Xr pf 4
NAT state is assumed to have been established and the
.Ar rdr
rule is deleted and the program exits.
Once the transfer between the client and the server is completed, the
NAT state will naturally expire.
.Pp
Assuming the TFTP command request is from $client to $server, the
proxy connected to the server using the $proxy source address, and
$port is negotiated,
.Nm
adds the following rule to the anchor:
.Bd -literal -offset indent
rdr proto udp from $server to $proxy port $port -\*(Gt $client
.Ed
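.Pp
The request the proxy relays and the anchor rule it installs, as an added Python example that is not the tftp-proxy source: it parses the client's initial RRQ/WRQ datagram per RFC 1350 (rejecting anything that is not a read or write request, since only those may open a transfer through the proxy) and builds the rule string shown above. The sample datagram, addresses and port are constructed.

```python
import struct

# TFTP opcodes from RFC 1350; only RRQ and WRQ start a transfer.
RRQ, WRQ = 1, 2
# Transfer modes defined by RFC 1350.
MODES = (b"netascii", b"octet", b"mail")


def parse_tftp_request(pkt: bytes):
    """Parse an initial TFTP datagram into opcode, filename and mode.

    Returns None for anything that is not a well-formed RRQ or WRQ, so a
    DATA/ACK/ERROR packet or a truncated request never yields a rule."""
    if len(pkt) < 4:
        return None
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in (RRQ, WRQ):
        return None
    # Request body: filename NUL mode NUL [option NUL value NUL ...]
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    mode = fields[1].lower()
    if mode not in MODES:
        return None
    return {
        "opcode": "RRQ" if opcode == RRQ else "WRQ",
        "filename": fields[0].decode("ascii", "replace"),
        "mode": mode.decode("ascii"),
    }


def rdr_rule(server: str, proxy: str, port: int, client: str) -> str:
    """Build the anchor rule from the man page: the server's reply, sent to
    the proxy's negotiated source port, is redirected back to the client."""
    return f"rdr proto udp from {server} to {proxy} port {port} -> {client}"


# Constructed sample: a read request for "pxelinux.0" in octet mode.
SAMPLE_RRQ = b"\x00\x01" + b"pxelinux.0\x00" + b"octet\x00"

if __name__ == "__main__":
    req = parse_tftp_request(SAMPLE_RRQ)
    print(req)
    print(rdr_rule("192.0.2.10", "198.51.100.1", 55000, "10.0.0.5"))
```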
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl v
Log the connection and request information to
.Xr syslogd 8 .
.It Fl w Ar transwait
Number of seconds to wait for the data transmission to begin before
removing the
.Xr pf 4
.Ar rdr
rule.
The default is 2 seconds.
.El
.Sh CONFIGURATION
To make use of the proxy,
.Xr pf.conf 5
needs the following rules.
The anchors are mandatory.
Adjust the rules as needed for your configuration.
.Pp
In the NAT section:
.Bd -literal -offset indent
nat on $ext_if from $int_if -\*(Gt ($ext_if:0)

no nat on $ext_if to port tftp

rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -\*(Gt \e
    127.0.0.1 port 6969
.Ed
.Pp
In the filter section, an anchor must be added to hold the pass rules:
.Bd -literal -offset indent
anchor "tftp-proxy/*"
.Ed
.Pp
.Xr inetd 8
must be configured to spawn the proxy on the port that packets are
being forwarded to by
.Xr pf 4 .
An example
.Xr inetd.conf 5
entry follows:
.Bd -literal -offset indent
127.0.0.1:6969	dgram	udp	wait	root \e
	/usr/libexec/tftp-proxy	tftp-proxy
.Ed
.Sh SEE ALSO
.Xr tftp 1 ,
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr ftp-proxy 8 ,
.Xr inetd 8 ,
.Xr syslogd 8 ,
.Xr tftpd 8
.Sh CAVEATS
.Nm
chroots to
.Pa /var/empty
and changes to user
.Dq proxy
to drop privileges.