From owner-freebsd-pf@FreeBSD.ORG  Sat Jul 24 03:51:14 2010
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 229871065675
	for <freebsd-pf@freebsd.org>; Sat, 24 Jul 2010 03:51:14 +0000 (UTC)
	(envelope-from vchepkov@gmail.com)
Received: from mail-qy0-f175.google.com (mail-qy0-f175.google.com
	[209.85.216.175])
	by mx1.freebsd.org (Postfix) with ESMTP id C56978FC12
	for <freebsd-pf@freebsd.org>; Sat, 24 Jul 2010 03:51:13 +0000 (UTC)
Received: by qyk31 with SMTP id 31so799494qyk.13
	for <freebsd-pf@freebsd.org>; Fri, 23 Jul 2010 20:51:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:content-type:mime-version
	:subject:from:in-reply-to:date:content-transfer-encoding:message-id
	:references:to:x-mailer;
	bh=LX1aFs8Q9ReYRvf3tXgwsr1dbH6NLh/XTSf7+NmlJII=;
	b=kEY3hoC/Ck8QotLm8ix+BX+nrYt7GJB2U+QNbLY6MJvWqrLud4KBZ+xgoTes05x03J
	HRNQrcjYW2EEToDiYSXNPoVVs+aKyjNOlPGndkw/+Pdmr3ouaPQNBgsO7qQfULg7n5qM
	QSp8UymqGMT/l+SzDaofGTdsAO3OCCNFubds8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=content-type:mime-version:subject:from:in-reply-to:date
	:content-transfer-encoding:message-id:references:to:x-mailer;
	b=PLryB7aIY9g96rJ7tVCPvAgGb6wnWvYKLW5aqVjtM5ZP3AyyAOL85a0ZgjKJm97Kif
	E/rkyK+YspFDkTNNikTngI3tnRDWC6tUOtaEXZfaVeOWWs93FxWlhECifRO2kdgdb63V
	T91zu9JN9/cQmtpm+pbr4IB+eXLaiejGS4C3w=
Received: by 10.224.80.2 with SMTP id r2mr3313171qak.380.1279943472202;
	Fri, 23 Jul 2010 20:51:12 -0700 (PDT)
Received: from vvcmac.chepkov.lan (pool-173-71-214-20.clppva.fios.verizon.net
	[173.71.214.20])
	by mx.google.com with ESMTPS id h41sm1120372qcz.13.2010.07.23.20.51.10
	(version=SSLv3 cipher=RC4-MD5); Fri, 23 Jul 2010 20:51:10 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1081)
From: Vadym Chepkov <vchepkov@gmail.com>
In-Reply-To: <51C5C59B-87B0-4E7E-A639-A0AFA5ED385B@gmail.com>
Date: Fri, 23 Jul 2010 23:51:09 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <15958458-2B78-4CED-9AAE-97EE1200D30A@gmail.com>
References: <51C5C59B-87B0-4E7E-A639-A0AFA5ED385B@gmail.com>
To: freebsd-pf@FreeBSD.org
X-Mailer: Apple Mail (2.1081)
Cc: 
Subject: Re: tftp-proxy
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Jul 2010 03:51:14 -0000


On Jul 17, 2010, at 5:20 PM, Vadym Chepkov wrote:

> Hi,
>=20
> I am unsuccessful in configuring tftp-proxy to work with my phones.
> This is my configuration involved:
>=20
> FreeBSD 7.3-RELEASE-p2
>=20
> # cat /etc/pf.conf
> wan_if=3D"re0"
> phone_if=3D"em0"
>=20
> set debug urgent
> set optimization normal
> set block-policy return
> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
> set limit { states 20000, frags 20000 }
> set skip on lo0
> scrub in
>=20
> nat on $wan_if from $phone_if -> $wan_if
> no nat on $wan_if to port tftp
> nat on $wan_if proto udp from $phone_if:network to any -> $wan_if =
static-port
> nat on $wan_if from $phone_if:network to any -> $wan_if
>=20
> rdr-anchor "tftp-proxy/*"
> rdr on $phone_if proto udp from $phone_if:network to any port tftp -> =
127.0.0.1 port 6969
>=20
> anchor "tftp-proxy/*"
>=20
> # grep tftp-proxy /etc/inetd.conf=20
> tftp-proxy	dgram   udp     wait    root	/usr/libexec/tftp-proxy =
tftp-proxy -w 5
>=20
> # grep tftp-proxy /etc/services=20
> tftp-proxy	6969/udp
>=20
> # grep inetd /etc/rc.conf=20
> inetd_enable=3D"YES"
> inetd_flags=3D"-a 127.0.0.1"
>=20
> I observe in the syslog the following message:
> Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed =
(no rdr?)
> Jul 17 16:37:11 spider kernel: Jul 17 16:37:11 spider =
tftp-proxy[4675]: pf connection lookup failed (no rdr?)
> Jul 17 16:37:11 spider inetd[4665]: /usr/libexec/tftp-proxy[4675]: =
exited, status 1
>=20
> tcpdump shows tftp reply packets are getting rejected, which I assume =
means tftp-proxy is not expecting replies
>=20
> 17:07:19.135743 IP spider.57874 > 204.16.177.35.tftp:  32 RRQ =
"SEPXXX.cnf.xml" octet=20
> 17:07:19.167369 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:20.596097 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:21.596652 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:22.597755 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:24.142580 IP spider.58998 > 204.16.177.35.tftp:  32 RRQ =
"SEPXXX.cnf.xml" octet=20
> 17:07:24.242006 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:24.242036 IP spider > 204.16.177.35: ICMP spider udp port 57874 =
unreachable, length 36
> 17:07:24.242465 IP 204.16.177.35.tftp > spider.58998:  516 DATA block =
1
> 17:07:25.243154 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:25.243203 IP spider  > 204.16.177.35: ICMP spider udp port 57874 =
unreachable, length 36
> 17:07:25.243213 IP 204.16.177.35.tftp > spider.58998:  516 DATA block =
1
> 17:07:26.244089 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:26.244121 IP spider > 204.16.177.35: ICMP spider udp port 57874 =
unreachable, length 36
> 17:07:26.244281 IP 204.16.177.35.tftp > spider.58998:  516 DATA block =
1
> 17:07:27.245051 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:27.245091 IP spider > 204.16.177.35: ICMP spider udp port 57874 =
unreachable, length 36
> 17:07:27.245409 IP 204.16.177.35.tftp > spider.58998:  516 DATA block =
1
> 17:07:28.246205 IP 204.16.177.35.tftp > spider.57874:  516 DATA block =
1
> 17:07:28.246246 IP spider > 204.16.177.35: ICMP spider udp port 57874 =
unreachable, length 36
> 17:07:28.246292 IP 204.16.177.35.tftp > spider.58998:  516 DATA block =
1
>=20
> Not sure what I did wrong. The manual page of tftp-proxy has wrong =
entry for inetd.conf, it has illegal syntax for FreeBSD's inetd,=20
> maybe some other nuance was lost during migration from OpenBSD?


It seems I found the problem. tftp server in question answers not from =
an ephemeral port, but in firewall friendly manner from tftp port.
I assume this somehow breaks tftp-proxy logic though. I removed tftp =
specifics rules completely and now all works fine. Sometimes less is =
more.

Vadym