Troubleshooting tftp-proxy in OpenBSD pf
Finally figured out OpenBSD firewall configuration in which internal hosts can access TFTP servers on the internet. In OpenBSD pf firewall, you need to configure tftp-proxy. Google search returns a lot of complaints about tftp-proxy not working and not a single success story. I now believe there is a typo in the official manual.
The OpenBSD FAQ for TFTP proxy specifies the following redirect rule to redirect outgoing tftp connections to the internal tftp-proxy.
rdr pass log on $int_if proto udp from $int_if to port tftp -> 127.0.0.1 port 6969However, according to "pfctl -g -s nat|grep tftp", my pf expands the rule above to the following.
rdr pass log on xl0 inet proto udp from 192.168.2.1 to any port = tftp -> 127.0.0.1 port 6969It's clear that the expanded rule will will not redirect traffic coming from all of the internal hosts. The rule needs to be changed to
rdr pass log on $int_if proto udp from $int_net to any port tftp -> 127.0.0.1 port 6969which expands to
rdr pass log on xl0 inet proto udp from 192.168.2.0/24 to any port = tftp -> 127.0.0.1 port 6969The latter covers the whole internal network instead of just one host 192.168.2.1.
 

No comments:
Post a Comment