.\" $OpenBSD: tftp-proxy.8,v 1.1 2005/12/28 19:07:07 jcs Exp $
.\"
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 28, 2005
.Dt TFTP-PROXY 8
.Os
.Sh NAME
.Nm tftp-proxy
.Nd Internet Trivial File Transfer Protocol proxy
.Sh SYNOPSIS
.Nm tftp-proxy
.Op Fl v
.Op Fl w Ar transwait
.Sh DESCRIPTION
.Nm
is a proxy for the Internet Trivial File Transfer Protocol invoked by
the
.Xr inetd 8
internet server.
TFTP connections should be redirected to the proxy using the
.Xr pf 4
.Ar rdr
command, after which the proxy connects to the server on behalf of
the client.
.Pp
The proxy establishes a
.Xr pf 4
.Ar rdr
rule using the
.Ar anchor
facility to rewrite packets between the client and the server.
Once the rule is established,
.Nm
forwards the initial request from the client to the server to begin the
transfer.
After
.Ar transwait
seconds, the
.Xr pf 4
NAT state is assumed to have been established and the
.Ar rdr
rule is deleted and the program exits.
Once the transfer between the client and the server is completed, the
NAT state will naturally expire.
.Pp
Assuming the TFTP command request is from $client to $server, the
proxy connected to the server using the $proxy source address, and
$port is negotiated,
.Nm
adds the following rule to the anchor:
.Bd -literal -offset indent
rdr proto udp from $server to $proxy port $port -\*(Gt $client
.Ed
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl v
Log the connection and request information to
.Xr syslogd 8 .
.It Fl w Ar transwait
Number of seconds to wait for the data transmission to begin before
removing the
.Xr pf 4
.Ar rdr
rule.
The default is 2 seconds.
.El
.Sh CONFIGURATION
To make use of the proxy,
.Xr pf.conf 5
needs the following rules.
The anchors are mandatory.
Adjust the rules as needed for your configuration.
.Pp
In the NAT section:
.Bd -literal -offset indent
nat on $ext_if from $int_if -\*(Gt ($ext_if:0)

no nat on $ext_if to port tftp

rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -\*(Gt \e
    127.0.0.1 port 6969
.Ed
.Pp
In the filter section, an anchor must be added to hold the pass rules:
.Bd -literal -offset indent
anchor "tftp-proxy/*"
.Ed
.Pp
.Xr inetd 8
must be configured to spawn the proxy on the port that packets are
being forwarded to by
.Xr pf 4 .
An example
.Xr inetd.conf 5
entry follows:
.Bd -literal -offset indent
127.0.0.1:6969 dgram udp wait root \e
    /usr/libexec/tftp-proxy tftp-proxy
.Ed
.Sh SEE ALSO
.Xr tftp 1 ,
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr ftp-proxy 8 ,
.Xr inetd 8 ,
.Xr syslogd 8 ,
.Xr tftpd 8
.Sh CAVEATS
.Nm
chroots to
.Pa /var/empty
and changes to user
.Dq proxy
to drop privileges.
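.Pp
The CONFIGURATION section depends on three pieces agreeing: both mandatory anchors and an rdr target that matches the inetd listener. The script below is an added example, not part of the original manual page or of tftp-proxy, that checks configuration text for those conditions; the function names and the sample configuration strings are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of tftp-proxy. Function names are hypothetical
# and the sample configuration text below is constructed.

# Strip comments and join backslash-continued lines.
join_lines() {
    awk '{ sub(/#.*/, "") }
         /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
         { print buf $0; buf = "" }'
}

# check_tftp_proxy PF_CONF_TEXT INETD_CONF_TEXT
# Prints one line per problem; returns 0 only when none is found.
check_tftp_proxy() {
    pf=$(printf '%s\n' "$1" | join_lines)
    inetd=$(printf '%s\n' "$2" | join_lines)
    rc=0
    printf '%s\n' "$pf" | grep -Eq '^[[:space:]]*rdr-anchor[[:space:]]+"tftp-proxy/\*"' ||
        { echo 'missing: rdr-anchor "tftp-proxy/*"'; rc=1; }
    printf '%s\n' "$pf" | grep -Eq '^[[:space:]]*anchor[[:space:]]+"tftp-proxy/\*"' ||
        { echo 'missing: anchor "tftp-proxy/*"'; rc=1; }
    # Address and port that the rdr rule hands TFTP requests to.
    target=$(printf '%s\n' "$pf" | sed -nE \
        's/^[[:space:]]*rdr[[:space:]].*port[[:space:]]+tftp[[:space:]]+->[[:space:]]+([^[:space:]]+)[[:space:]]+port[[:space:]]+([0-9]+).*/\1:\2/p' |
        head -n 1)
    if [ -z "$target" ]; then
        echo 'missing: rdr rule sending port tftp to the proxy'; rc=1
    elif ! printf '%s\n' "$inetd" | awk -v t="$target" '
            $1 == t && $2 == "dgram" && $3 == "udp" && $4 == "wait" &&
            $6 ~ /\/tftp-proxy$/ { ok = 1 }
            END { exit !ok }'; then
        echo "mismatch: no inetd entry for tftp-proxy on $target"; rc=1
    fi
    return "$rc"
}

GOOD_PF='rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -> \
    127.0.0.1 port 6969
anchor "tftp-proxy/*"'
# Constructed fault: filter anchor dropped, rdr port differs from inetd.
BAD_PF='rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -> 127.0.0.1 port 6970'
INETD='127.0.0.1:6969 dgram udp wait root \
    /usr/libexec/tftp-proxy tftp-proxy'

check_tftp_proxy "$GOOD_PF" "$INETD" && echo "good sample: ok"
check_tftp_proxy "$BAD_PF" "$INETD" || echo "bad sample: problems listed above"
```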