OpenBSD Journal

TFTP proxy for PF

Contributed by jolan on from the if-its-trivial-why-does-it-need-a-proxy dept.

jcs@ has announced that he has written a TFTP proxy for PF, based on the code of camield@'s improved ftp-proxy implementation. The current version as of this writing is 1.4, which may be found here. It works for jcs@, but he has not yet received any independent reports of success or failure, so if you try it out, please let him know.



Comments
  1. By Anonymous Coward (69.70.207.240) on

    Cool! Will this be imported too?

    Comments
    1. By Anonymous Coward (68.106.232.57) on

      Probably hard to tell without some time for testing and auditing, perhaps?

      Comments
      1. By Anonymous Coward (193.63.217.208) on

        My response would have been, "If Theo decides it's useful to him or some of the core devs then, yes." Once that decision is made testing and auditing will happen.

    2. By Anonymous Coward (212.123.1.149) on

      Depends on where you are living :-P

    3. By Jason houx (216.201.34.104) on

      Well, I really hope it passes the rigorous security audits that Theo@ and gang will put this through. With all the power found in PF and OpenBSD, this seems like a welcome addition to support a legacy protocol like tftp that is still around. The use of VoIP phones that boot via tftp is probably the latest example of the need for this function. I am sure vendors will not get smart and start using something like scp to grab files for some time, as they need a very lightweight protocol to download files, and with video phones on the horizon I assume tftp will be the protocol of choice for some time.

      I'm keeping my fingers crossed. ;-)

      Comments
      1. By Anonymous Coward (24.46.21.229) on

        With the little tiny crap systems that they stick into most of the low-end phones, it's no surprise that they do not use 'heavy' protocols like scp. Most of the phones out there don't even have the equivalent of a low-end x86 (such as an i286), because all they need to do is boot quickly & work. tftp is an incredibly easy protocol to use & implement, and it doesn't require huge amounts of mathematics like scp does.

  2. By Anonymous Coward (193.167.7.12) on

    Can you explain what you use this for? I have used TFTP to install servers over the network. But in that case the servers were in the same broadcast domain as the install server, and there was no need for a proxy.

    Comments
    1. By Anonymous Coward (216.135.89.5) on

      It's useful for firewalls... Think of phones that need to tftp their configuration, etc.

    2. By Jason Houx (216.201.34.104) on

      This is great - I actually had a private email thread with Henning@ a few months back about the lack of a tftp"like"-proxy for OpenBSD, as I have a VoIP phone through work that boots and downloads things like ringers/new firmware. I could host them all locally on my network, but at that time I was trying to figure out why it didn't work. Turns out, after some debugging and reading the RFC (per Henning's request), that tftp works much like ftp in that it was not written with security in mind and gets mangled when running through NAT. Linux has a function in iptables (over which I took quite a beating from our Linux guys at work) that got their VoIP phones to work behind their NAT firewalls. In the end I just set up an IPsec tunnel to work, because our NOC firewall is running OpenBSD ;-)

      But to get to your question - if you have a NAT gateway that doesn't support a tftp fixup (Cisco, Linux), you will have a lot of problems with tftp. This will fix that problem.

    3. By scarynetworkguy (12.18.141.172) on

      I can think of at least a couple of situations where this could be useful for updating routers.

  3. By David (87.1.218.182) david@bsdgeek.it on

    Is this DLS (jcs' employer) "Hosted PBX" a solution based on Asterisk and OpenBSD?

    Comments
    1. By Brad (216.138.195.228) brad at comstyle dot com on

      Hrmm. This doesn't look like a DLS support forum. Why not enquire with DLS instead of wasting time here?

      Comments
      1. By David (82.53.151.176) david@bsdgeek.it on

        As stated here, pf+tftp-proxy is used to protect their PBX system, so I was asking if the PBX too is OpenBSD based. It's just curiosity!

  4. By Kevin Kadow (24.148.72.216) openbsd@msg.net on

    This has some interesting potential, particularly as additional functionality is added. For example consider a proxy which only permits TFTP downloads (WRQ is denied), which validates protocol compliance to protect against attacks against the server (or the client), which rewrites filenames, or even modifies the file itself in transit!

    The "Practical Paranoid" values an application proxy for even the most primitive protocols, and if any protocol qualifies as primitive, TFTP would be that protocol.
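The download-only, protocol-checking proxy Kevin describes above, as an added C example that is not code from jcs@'s tftp-proxy: it parses an RFC 1350 RRQ/WRQ packet, rejects anything malformed, and applies a hypothetical policy that denies WRQ. The `tftp_policy` function, the verdict values and the sample packets are all constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

enum { TFTP_RRQ = 1, TFTP_WRQ = 2 };          /* RFC 1350 request opcodes */
enum { VERDICT_DENY = 0, VERDICT_ALLOW = 1 }; /* constructed policy results */
struct tftp_req { uint16_t opcode; const char *filename; const char *mode; };

/* Request layout: 2-byte opcode | filename NUL | mode NUL, nothing after.
 * Returns 0 if well-formed, -1 otherwise (the protocol-compliance check). */
static int tftp_parse_request(const uint8_t *pkt, size_t len, struct tftp_req *r)
{
    size_t i, fn_end;
    if (len < 4)
        return -1;
    r->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (r->opcode != TFTP_RRQ && r->opcode != TFTP_WRQ)
        return -1;
    for (i = 2; i < len && pkt[i] != '\0'; i++)   /* end of filename */
        ;
    if (i == len || i == 2)                        /* unterminated or empty */
        return -1;
    fn_end = i;
    for (i = fn_end + 1; i < len && pkt[i] != '\0'; i++)   /* end of mode */
        ;
    if (i != len - 1)                              /* mode must end the packet */
        return -1;
    r->filename = (const char *)&pkt[2];
    r->mode = (const char *)&pkt[fn_end + 1];
    return 0;
}

/* Download-only policy (hypothetical): allow well-formed RRQs in octet or
 * netascii mode with a relative filename; deny WRQ and anything malformed. */
int tftp_policy(const uint8_t *pkt, size_t len)
{
    struct tftp_req r;
    if (tftp_parse_request(pkt, len, &r) != 0 || r.opcode == TFTP_WRQ)
        return VERDICT_DENY;
    if (strcasecmp(r.mode, "octet") != 0 && strcasecmp(r.mode, "netascii") != 0)
        return VERDICT_DENY;
    if (r.filename[0] == '/' || strstr(r.filename, "..") != NULL)
        return VERDICT_DENY;
    return VERDICT_ALLOW;
}

/* Constructed sample packets; sizeof counts the literal's closing NUL. */
const uint8_t SAMPLE_RRQ[]    = "\x00\x01phone.cfg\x00octet";
const uint8_t SAMPLE_WRQ[]    = "\x00\x02phone.cfg\x00octet";
const uint8_t SAMPLE_NOMODE[] = "\x00\x01phone.cfg";      /* mode missing */
```

Passing `sizeof SAMPLE_RRQ - 1` drops the mode's terminating NUL and is rejected the same way a truncated packet on the wire would be.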
