From: Vadym Chepkov
Date: Sat, 17 Jul 2010 17:20:07 -0400
To: freebsd-pf@FreeBSD.org
Subject: tftp-proxy

Hi,

I am unsuccessful in configuring tftp-proxy to work with my phones.
This is my configuration involved:

FreeBSD 7.3-RELEASE-p2

# cat /etc/pf.conf
wan_if="re0"
phone_if="em0"
set debug urgent
set optimization normal
set block-policy return
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
set limit { states 20000, frags 20000 }
set skip on lo0
scrub in
nat on $wan_if from $phone_if -> $wan_if
no nat on $wan_if to port tftp
nat on $wan_if proto udp from $phone_if:network to any -> $wan_if static-port
nat on $wan_if from $phone_if:network to any -> $wan_if
rdr-anchor "tftp-proxy/*"
rdr on $phone_if proto udp from $phone_if:network to any port tftp -> 127.0.0.1 port 6969
anchor "tftp-proxy/*"

# grep tftp-proxy /etc/inetd.conf
tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -w 5

# grep tftp-proxy /etc/services
tftp-proxy 6969/udp

# grep inetd /etc/rc.conf
inetd_enable="YES"
inetd_flags="-a 127.0.0.1"

I observe in the syslog the following message:

Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed (no rdr?)
Jul 17 16:37:11 spider kernel: Jul 17 16:37:11 spider tftp-proxy[4675]: pf connection lookup failed (no rdr?)
Jul 17 16:37:11 spider inetd[4665]: /usr/libexec/tftp-proxy[4675]: exited, status 1

tcpdump shows tftp reply packets are getting rejected, which I assume means tftp-proxy is not expecting replies

17:07:19.135743 IP spider.57874 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
17:07:19.167369 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:20.596097 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:21.596652 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:22.597755 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:24.142580 IP spider.58998 > 204.16.177.35.tftp: 32 RRQ "SEPXXX.cnf.xml" octet
17:07:24.242006 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:24.242036 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:24.242465 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
17:07:25.243154 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:25.243203 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:25.243213 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
17:07:26.244089 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:26.244121 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:26.244281 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
17:07:27.245051 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:27.245091 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:27.245409 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1
17:07:28.246205 IP 204.16.177.35.tftp > spider.57874: 516 DATA block 1
17:07:28.246246 IP spider > 204.16.177.35: ICMP spider udp port 57874 unreachable, length 36
17:07:28.246292 IP 204.16.177.35.tftp > spider.58998: 516 DATA block 1

Not sure what I did wrong.
The manual page of tftp-proxy has wrong entry for inetd.conf, it has illegal syntax for FreeBSD's inetd,
maybe some other nuance was lost during migration from OpenBSD?

Thank you,
Sincerely,
Vadym Chepkov