.\" $OpenBSD: tftp-proxy.8,v 1.2 2012/10/06 07:12:11 jmc Exp $
.\"
.\" Copyright (c) 2005 joshua stein <jcs@openbsd.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: October 6 2012 $
.Dt TFTP-PROXY 8
.Os
.Sh NAME
.Nm tftp-proxy
.Nd Internet Trivial File Transfer Protocol proxy
.Sh SYNOPSIS
.Nm tftp-proxy
.Op Fl 46dv
.Op Fl l Ar address
.Op Fl p Ar port
.Op Fl w Ar transwait
.Sh DESCRIPTION
.Nm
is a proxy for the Internet Trivial File Transfer Protocol.
TFTP connections should be redirected to the proxy using a
.Xr pf 4
rule using the
.Ar divert-to
option, after which the proxy connects to the server on behalf of
the client.
The connection from the proxy to the server needs to be passed by
a rule with divert-reply set.
.Pp
The proxy inserts
.Xr pf 4
pass rules using the
.Ar anchor
facility to allow payload packets between the client and the server.
Once the rules are inserted,
.Nm
forwards the initial request from the client to the server to begin the
transfer.
After
.Ar transwait
seconds, the states are assumed to have been established and the
.Xr pf 4
rules are deleted and the program exits.
Once the transfer between the client and the server is completed the
states will naturally expire.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl d
Do not daemonize.
If this option is specified,
.Nm
will run in the foreground and log
the client IP, type of request, and filename to stderr.
.It Fl l Ar address
Listen on the specified address.
By default
.Nm
listens on wildcard addresses.
.It Fl p Ar port
Listen on the specified port.
By default
.Nm
listens on port 6969.
.It Fl v
Log the connection and request information to
.Xr syslogd 8 .
.It Fl w Ar transwait
Number of seconds to wait for the data transmission to begin before
removing the
.Xr pf 4
rule.
The default is 2 seconds.
.El
.Sh CONFIGURATION
To make use of the proxy,
.Xr pf.conf 5
needs the following rules.
The anchor is mandatory.
Adjust the rule as needed for your configuration.
.Bd -literal -offset indent
anchor "tftp-proxy/*"
pass in quick on $int_if inet proto udp from $lan to port tftp \e
    divert-to 127.0.0.1 port 6969
pass out quick on $ext_if inet proto udp from $lan to port tftp \e
    group proxy divert-reply
.Ed
.Sh SEE ALSO
.Xr tftp 1 ,
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr ftp-proxy 8 ,
.Xr syslogd 8 ,
.Xr tftpd 8
.Sh CAVEATS
.Nm
chroots to
.Pa /var/empty
and changes to user
.Dq proxy
to drop privileges.
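.Pp
The request type and filename logged with the d and v options come from an untrusted UDP datagram.
The following C code is an added example, not code from tftp-proxy: it bounds-checks a TFTP read or write request (RFC 1350 layout: 2-byte opcode, NUL-terminated filename, NUL-terminated mode) and rejects non-printable bytes before the fields are logged.
The names tftp_req, next_str, tftp_parse_request and sample_rrq are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { TFTP_RRQ = 1, TFTP_WRQ = 2 };	/* request opcodes, RFC 1350 */

struct tftp_req {		/* hypothetical type for this example */
	int opcode;
	const char *filename;	/* both strings point into the datagram */
	const char *mode;
};

/* Constructed sample datagram: RRQ for "pxeboot" in "octet" mode. */
const uint8_t sample_rrq[] = "\0\1pxeboot\0octet";

/* Return the non-empty printable string at *pp and step past its NUL. */
static const char *
next_str(const uint8_t **pp, const uint8_t *end)
{
	const uint8_t *s = *pp, *q, *nul;

	nul = memchr(s, '\0', (size_t)(end - s));	/* never scans past end */
	if (nul == NULL || nul == s)		/* unterminated or empty */
		return (NULL);
	for (q = s; q < nul; q++)
		if (*q < 0x20 || *q > 0x7e)	/* unsafe to log verbatim */
			return (NULL);
	*pp = nul + 1;
	return ((const char *)s);
}

/* Return 0 and fill *req for a well-formed RRQ/WRQ, -1 otherwise. */
int
tftp_parse_request(const uint8_t *buf, size_t len, struct tftp_req *req)
{
	const uint8_t *p, *end = buf + len;

	if (len < 6)	/* opcode, two 1-byte strings, two NULs */
		return (-1);
	req->opcode = (buf[0] << 8) | buf[1];
	if (req->opcode != TFTP_RRQ && req->opcode != TFTP_WRQ)
		return (-1);
	p = buf + 2;
	if ((req->filename = next_str(&p, end)) == NULL ||
	    (req->mode = next_str(&p, end)) == NULL)
		return (-1);
	return (0);
}
```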