NAME
tftp-proxy — Internet Trivial File Transfer Protocol proxy
SYNOPSIS
tftp-proxy [-v] [-w transwait]
DESCRIPTION
tftp-proxy is a proxy for the Internet Trivial File Transfer Protocol invoked by the inetd(8) internet server. TFTP connections should be redirected to the proxy using the pf(4) rdr command, after which the proxy connects to the server on behalf of the client.

The proxy establishes a pf(4) rdr rule using the anchor facility to rewrite packets between the client and the server. Once the rule is established, tftp-proxy forwards the initial request from the client to the server to begin the transfer. After transwait seconds, the pf(4) NAT state is assumed to have been established and the rdr rule is deleted and the program exits. Once the transfer between the client and the server is completed, the NAT state will naturally expire.

Assuming the TFTP command request is from $client to $server, the proxy connected to the server using the $proxy source address, and $port is negotiated, tftp-proxy adds the following rule to the anchor:

    rdr proto udp from $server to $proxy port $port -> $client
The options are as follows:

-v
    Log the connection and request information to syslogd(8).
-w transwait
    Number of seconds to wait for the data transmission to begin before removing the pf(4) rdr rule. The default is 2 seconds.
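
A simplified model of the temporary rdr rule described above and of the -w option, as an added example that is not part of the original manual or of tftp-proxy's code. The packet tuples, addresses and ports are constructed, and state expiry is not modelled.

```python
from collections import namedtuple

# t is seconds since tftp-proxy inserted the rdr rule (hypothetical record type).
Packet = namedtuple("Packet", "t src sport dst dport")

def redirected_to_client(packets, server, proxy, port, transwait=2.0):
    """Return the packets a simplified pf model would rewrite to $client.

    Models: rdr proto udp from $server to $proxy port $port -> $client
    The rule exists only while t < transwait. A packet that matches it
    creates a state, and later packets of that same flow match the state
    even after the rule is gone.
    """
    states = set()
    delivered = []
    for p in sorted(packets, key=lambda p: p.t):
        flow = (p.src, p.sport, p.dst, p.dport)
        rule_live = p.t < transwait
        matches_rule = p.src == server and p.dst == proxy and p.dport == port
        if flow in states or (rule_live and matches_rule):
            states.add(flow)
            delivered.append(p)
    return delivered

# Constructed sample traffic (documentation addresses, made-up ports).
SERVER, PROXY, PORT = "198.51.100.10", "203.0.113.1", 50000
SAMPLE = [
    Packet(0.4, SERVER, 40001, PROXY, PORT),        # first reply: creates state
    Packet(1.0, "192.0.2.66", 40001, PROXY, PORT),  # other host: rule does not match
    Packet(3.0, SERVER, 40001, PROXY, PORT),        # same flow after rule removal
    Packet(3.5, SERVER, 40002, PROXY, PORT),        # new flow after rule removal
]
# A server whose first reply arrives after the default 2 seconds.
SLOW = [Packet(2.5, SERVER, 40001, PROXY, PORT)]

if __name__ == "__main__":
    for p in redirected_to_client(SAMPLE, SERVER, PROXY, PORT):
        print(p)
```

In this model a server that answers later than transwait never reaches the client, which is the case a larger -w value addresses.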
CONFIGURATION
To make use of the proxy, pf.conf(5) needs the following rules. The anchors are mandatory. Adjust the rules as needed for your configuration.

In the NAT section:

    nat on $ext_if from $int_if -> ($ext_if:0)
    no nat on $ext_if to port tftp
    rdr-anchor "tftp-proxy/*"
    rdr on $int_if proto udp from $lan to any port tftp -> \
        127.0.0.1 port 6969

In the filter section, an anchor must be added to hold the pass rules:

inetd(8) must be configured to spawn the proxy on the port that packets are being forwarded to by pf(4). An example inetd.conf(5) entry follows:

    127.0.0.1:6969 dgram udp wait root \
        /usr/libexec/tftp-proxy tftp-proxy
SEE ALSO
tftp(1), pf(4), pf.conf(5), ftp-proxy(8), inetd(8), syslogd(8), tftpd(8)
CAVEATS
tftp-proxy chroots to /var/chroot/tftp-proxy and changes to user “_proxy” to drop privileges.