.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
.\"
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 28, 2005
.Dt TFTP-PROXY 8
.Os
.Sh NAME
.Nm tftp-proxy
.Nd Internet Trivial File Transfer Protocol proxy
.Sh SYNOPSIS
.Nm tftp-proxy
.Op Fl v
.Op Fl w Ar transwait
.Sh DESCRIPTION
.Nm
is a proxy for the Internet Trivial File Transfer Protocol invoked by
the
.Xr inetd 8
internet server.
TFTP connections should be redirected to the proxy using the
.Xr pf 4
.Ar rdr
command, after which the proxy connects to the server on behalf of
the client.
.Pp
The proxy establishes a
.Xr pf 4
.Ar rdr
rule using the
.Ar anchor
facility to rewrite packets between the client and the server.
Once the rule is established,
.Nm
forwards the initial request from the client to the server to begin the
transfer.
After
.Ar transwait
seconds, the
.Xr pf 4
NAT state is assumed to have been established, the
.Ar rdr
rule is deleted and the program exits.
Once the transfer between the client and the server is completed, the
NAT state will naturally expire.
.Pp
Assuming the TFTP command request is from $client to $server, the
proxy connected to the server using the $proxy source address, and
$port is negotiated,
.Nm
adds the following rule to the anchor:
.Bd -literal -offset indent
rdr proto udp from $server to $proxy port $port -\*(Gt $client
.Ed
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl v
Log the connection and request information to
.Xr syslogd 8 .
.It Fl w Ar transwait
Number of seconds to wait for the data transmission to begin before
removing the
.Xr pf 4
.Ar rdr
rule.
The default is 2 seconds.
.El
.Sh CONFIGURATION
To make use of the proxy,
.Xr pf.conf 5
needs the following rules.
The anchors are mandatory.
Adjust the rules as needed for your configuration.
.Pp
In the NAT section:
.Bd -literal -offset indent
nat on $ext_if from $int_if -\*(Gt ($ext_if:0)

no nat on $ext_if to port tftp

rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -\*(Gt \e
	127.0.0.1 port 6969
.Ed
.Pp
In the filter section, an anchor must be added to hold the pass rules:
.Bd -literal -offset indent
anchor "tftp-proxy/*"
.Ed
.Pp
.Xr inetd 8
must be configured to spawn the proxy on the port that packets are
being forwarded to by
.Xr pf 4 .
An example
.Xr inetd.conf 5
entry follows:
.Bd -literal -offset indent
127.0.0.1:6969 dgram udp wait root \e
	/usr/libexec/tftp-proxy tftp-proxy
.Ed
.Sh SEE ALSO
.Xr tftp 1 ,
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr ftp-proxy 8 ,
.Xr inetd 8 ,
.Xr syslogd 8 ,
.Xr tftpd 8
.Sh CAVEATS
.Nm
chroots to
.Pa /var/empty
and changes to user
.Dq proxy
to drop privileges.
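As an added illustration of the DESCRIPTION section (this is not tftp-proxy's own code), the Python below checks that the datagram redirected from the client is a well-formed TFTP read/write request before it would be relayed, and renders the per-transfer rdr rule for given $client, $server, $proxy and $port values; the sample datagram and the addresses are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass

OPCODE_RRQ, OPCODE_WRQ = 1, 2
TFTP_MODES = {"netascii", "octet", "mail"}

# Constructed sample RRQ as a client sends it to udp/69 (RFC 1350 layout:
# 2-byte opcode, filename, NUL, mode, NUL).
SAMPLE_RRQ = b"\x00\x01pxelinux.0\x00octet\x00"


@dataclass
class TftpRequest:
    opcode: int
    filename: str
    mode: str


def parse_request(datagram: bytes) -> TftpRequest:
    # Only a well-formed RRQ/WRQ should be relayed; reject anything else.
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TFTP request")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (OPCODE_RRQ, OPCODE_WRQ):
        raise ValueError(f"opcode {opcode} is not a read/write request")
    fields = datagram[2:].split(b"\x00")
    # A valid request ends in NUL, so the last piece is empty; RFC 2347
    # options may follow the mode, so more than two fields are accepted.
    if len(fields) < 3 or fields[-1] != b"" or not fields[0] or not fields[1]:
        raise ValueError("malformed filename/mode fields")
    filename = fields[0].decode("ascii")
    mode = fields[1].decode("ascii").lower()
    if mode not in TFTP_MODES:
        raise ValueError(f"unknown transfer mode {mode!r}")
    return TftpRequest(opcode, filename, mode)


def is_valid_request(datagram: bytes) -> bool:
    try:
        parse_request(datagram)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def rdr_rule(server: str, proxy: str, port: int, client: str) -> str:
    # Render the per-transfer anchor rule from DESCRIPTION; addresses must be
    # IP literals and the port in range before being put into rule text.
    for addr in (server, proxy, client):
        ipaddress.ip_address(addr)  # raises ValueError on anything else
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"rdr proto udp from {server} to {proxy} port {port} -> {client}"
```

The real proxy installs the rule through the pf anchor rather than as rule text, but the same validation of the initial request applies before any redirect is opened.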