From: Vadym Chepkov <vchepkov@gmail.com>
To: freebsd-pf@FreeBSD.org
Subject: Re: tftp-proxy
Date: Fri, 23 Jul 2010 23:51:09 -0400
Message-Id: <15958458-2B78-4CED-9AAE-97EE1200D30A@gmail.com>
In-Reply-To: <51C5C59B-87B0-4E7E-A639-A0AFA5ED385B@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Jul 17, 2010, at 5:20 PM, Vadym Chepkov wrote:

> Hi,
>
> I am unsuccessful in configuring tftp-proxy to work with my phones.
> This is the configuration involved:
>
> FreeBSD 7.3-RELEASE-p2
>
> # cat /etc/pf.conf
> wan_if="re0"
> phone_if="em0"
>
> set debug urgent
> set optimization normal
> set block-policy return
> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
> set limit { states 20000, frags 20000 }
> set skip on lo0
> scrub in
>
> nat on $wan_if from $phone_if -> $wan_if
> no nat on $wan_if to port tftp
> nat on $wan_if proto udp from $phone_if:network to any -> $wan_if static-port
> nat on $wan_if from $phone_if:network to any -> $wan_if
>
> rdr-anchor "tftp-proxy/*"
> rdr on $phone_if proto udp from $phone_if:network to any port tftp -> 127.0.0.1 port 6969
>
> anchor "tftp-proxy/*"
>
> # grep tftp-proxy /etc/inetd.conf
> tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -w 5
>
> # grep tftp-proxy /etc/services
> tftp-proxy 6969/udp
>
> # grep inetd /etc/rc.conf
> inetd_enable="YES"
> inetd_flags="-a 127.0.0.1"
>
> I observe in the syslog the following message:
> Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed (no rdr?)
> Jul 17 16:37:11 spider kernel: Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed (no rdr?)
> Jul 17 16:37:11 spider inetd[4665]: /usr/libexec/tftp-proxy[4675]: exited, status 1
>
> tcpdump shows tftp reply packets are getting rejected, which I assume means tftp-proxy is not expecting replies:
>
> 17:07:19.135743 IP spider.57874 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
> 17:07:19.167369 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:20.596097 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:21.596652 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:22.597755 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:24.142580 IP spider.58998 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
> 17:07:24.242006 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:24.242036 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:24.242465 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
> 17:07:25.243154 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:25.243203 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:25.243213 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
> 17:07:26.244089 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:26.244121 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:26.244281 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
> 17:07:27.245051 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:27.245091 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:27.245409 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
> 17:07:28.246205 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
> 17:07:28.246246 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
> 17:07:28.246292 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
>
> Not sure what I did wrong.
> The manual page of tftp-proxy has a wrong entry for inetd.conf; it has illegal syntax for FreeBSD's inetd.
> Maybe some other nuance was lost during the migration from OpenBSD?

It seems I found the problem. The TFTP server in question answers not from an ephemeral port but, in a firewall-friendly manner, from the tftp port. I assume this somehow breaks tftp-proxy's logic, though. I removed the tftp-specific rules completely and now all works fine. Sometimes less is more.

Vadym
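The behaviour Vadym describes can be read straight off a tcpdump capture like the one quoted above. The script below is an added example for this thread; it is not the poster's code and is not part of tftp-proxy or pf. It parses tcpdump's TFTP output, groups packets by the client port of each RRQ, and reports whether the server answered from a freshly chosen transfer ID (TID), as RFC 1350 describes, or from port 69 itself. Only in the second case does the pf UDP state created by the outgoing RRQ (client:port to server:69) also match the DATA replies, which is why the transfer worked once the proxy rules were gone; the first case is the one tftp-proxy exists for. Assumptions: the line formats exactly as tcpdump printed them in the thread (hostname `spider`, service name `tftp` for port 69), an excerpt of that capture as sample input, and a constructed third request to 192.0.2.10 answered from port 49152 so that the fresh-TID branch is exercised too.

```python
"""Classify, from tcpdump output, whether a TFTP server answers read requests
from a fresh transfer ID (TID) as RFC 1350 describes or from port 69 itself.

A pf UDP state keyed on client:port <-> server:69 matches replies only in the
second case; the first case is the gap tftp-proxy fills.  Added example for
this thread, not the poster's code and not part of tftp-proxy or pf.  Input
is assumed to be one packet per line in the formats tcpdump printed above.
"""
import re

# Constructed sample: an excerpt of the capture quoted in the message, plus a
# made-up third request (to 192.0.2.10, answered from port 49152) for contrast.
SAMPLE_CAPTURE = """\
17:07:19.135743 IP spider.57874 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
17:07:19.167369 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:20.596097 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:21.596652 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:24.142580 IP spider.58998 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
17:07:24.242006 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:24.242036 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:24.242465 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
17:07:25.243154 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:25.243203 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:25.243213 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
17:07:30.000000 IP spider.60001 > 192.0.2.10.tftp: 32 RRQ "other.cfg" octet
17:07:30.050000 IP 192.0.2.10.49152 > spider.60001: 516 DATA block 1
17:07:30.051000 IP spider.60001 > 192.0.2.10.49152: 4 ACK block 1
"""

PKT_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
WELL_KNOWN = {"tftp", "69"}  # tcpdump prints the service name unless run with -n


def parse_packet(line):
    """One tcpdump line -> dict, or None for lines this tool ignores."""
    m = PKT_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.group("src", "dst", "rest")
    if rest.startswith("ICMP"):
        u = re.search(r"udp port (\d+) unreachable", rest)
        # src is the host that rejected the datagram; the port is its own
        return {"kind": "unreach", "client": (src, u.group(1))} if u else None
    shost, _, sport = src.rpartition(".")  # '204.16.177.35.tftp' -> host, 'tftp'
    dhost, _, dport = dst.rpartition(".")
    f = re.search(r'\bRRQ "([^"]*)"', rest)
    if f:
        return {"kind": "rrq", "client": (shost, sport), "server": dhost, "file": f.group(1)}
    b = re.search(r"\b(DATA|ACK) block (\d+)", rest)
    if b:
        return {"kind": b.group(1).lower(), "block": int(b.group(2)),
                "src": (shost, sport), "dst": (dhost, dport)}
    return None


def analyze(capture):
    """Group packets by the client endpoint of each RRQ and judge the server's TID."""
    reqs = {}  # insertion-ordered (Python 3.7+)
    for line in capture.splitlines():
        p = parse_packet(line)
        if p is None:
            continue
        if p["kind"] == "rrq":
            reqs[p["client"]] = {"server": p["server"], "file": p["file"], "reply_ports": [],
                                 "blocks": [], "acks": 0, "unreachable": 0}
        elif p["kind"] == "data" and p["dst"] in reqs:
            reqs[p["dst"]]["reply_ports"].append(p["src"][1])
            reqs[p["dst"]]["blocks"].append(p["block"])
        elif p["kind"] == "ack" and p["src"] in reqs:
            reqs[p["src"]]["acks"] += 1
        elif p["kind"] == "unreach" and p["client"] in reqs:
            reqs[p["client"]]["unreachable"] += 1
    for r in reqs.values():
        ports = set(r["reply_ports"])
        r["tid"] = "none" if not ports else ("well-known" if ports <= WELL_KNOWN else "fresh")
        # block 1 re-sent and never acknowledged: the client side is not receiving it
        r["stalled"] = len(r["blocks"]) > 1 and max(r["blocks"]) == 1 and r["acks"] == 0
    return reqs


def report(capture):
    """One verdict line per request, with the pf consequence spelled out."""
    out = []
    for (host, port), r in analyze(capture).items():
        if r["tid"] == "well-known":
            why = "server answers from port 69; the state created by the RRQ already matches, no proxy needed"
        elif r["tid"] == "fresh":
            why = "server answers from TID %s; a port-69 state cannot match, tftp-proxy's case" % ",".join(sorted(set(r["reply_ports"])))
        else:
            why = "no DATA seen"
        if r["stalled"]:
            why += " [stalled: block 1 resent %d times, %d ICMP port unreachable]" % (len(r["blocks"]) - 1, r["unreachable"])
        out.append("%s:%s %s <- %s: %s" % (host, port, r["file"], r["server"], why))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

To use it on a live box, feed the output of `tcpdump -l udp port tftp or icmp` to `report()` instead of the embedded sample. For the 204.16.177.35 server the verdict is "well-known" TID: a single `pass out proto udp to port tftp keep state` carries the whole transfer, which is what dropping the tftp-specific rules amounted to. Note also that the inetd.conf entry in the thread runs tftp-proxy as root, so not running it is one less root service reachable through inetd. The stall marker (block 1 resent, no ACK, ICMP port unreachable from spider's own port 57874) matches the syslog lines: the proxy process had already exited, so nothing was listening where the replies arrived.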