TFTP transfer fails #1810

Closed
kavi0208 opened this issue Sep 8, 2017 · 12 comments

@kavi0208

kavi0208 commented Sep 8, 2017

Hello,

TFTP transfer fails when going through OPNsense. It seems like tftp-helper is missing as initial communication with port 69 succeeds but transfer which uses high ports fails.

On FreeBSD there is tftp-proxy, which helps overcome this problem.

In the OPNsense repo I haven't seen it; there is only ftp-proxy.

Any help on this please?

Thanks.

Regards,
Kaviraj

@AdSchellevis
Member

tftp-proxy itself is part of the base system (/usr/libexec/tftp-proxy), but we don't offer GUI support for it or provide the necessary parts in our pf ruleset.

If anyone wants to add support, the approach to make a plugin for it would be very similar to the ftp-proxy plugin already in our repository.
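The symptom reported above (port 69 works, the transfer on high ports does not) and the effect of a helper's temporary rule, as an added example that is not part of the original thread. It is a simplified model of a stateful UDP filter, not pf or tftp-proxy code; the addresses, ports and the names `StatefulFilter`, `proxy_expect` and `transfer` are assumptions made for illustration.

```python
# Simplified model of a stateful UDP filter; not pf itself.
# Addresses and ports are constructed sample values.
CLIENT = ("192.0.2.10", 40000)     # TFTP client behind the firewall
SERVER_IP = "198.51.100.5"         # TFTP server on the far side


class StatefulFilter:
    def __init__(self):
        self.states = set()        # exact (src, dst) pairs seen outbound
        self.anchor = set()        # temporary (server_ip, client) rules

    def outbound(self, src, dst):
        """Client-side packet: allowed, and creates a state entry."""
        self.states.add((src, dst))
        return "pass"

    def inbound(self, src, dst):
        """Server-side packet: needs a matching state or anchor rule."""
        if (dst, src) in self.states:
            return "pass"
        if (src[0], dst) in self.anchor:
            # Anchor rule matched: keep state for the rest of the transfer.
            self.states.add((dst, src))
            return "pass"
        return "block"

    def proxy_expect(self, server_ip, client):
        """Assumed stand-in for what a TFTP helper contributes: a
        short-lived rule admitting the server's reply from any port."""
        self.anchor.add((server_ip, client))


def transfer(fw, server_tid, use_proxy):
    """Return the verdict for each packet of a one-block read."""
    log = []
    if use_proxy:
        fw.proxy_expect(SERVER_IP, CLIENT)
    log.append(("RRQ", fw.outbound(CLIENT, (SERVER_IP, 69))))
    # RFC 1350: the server answers from a newly chosen port (its TID),
    # not from port 69, so the state created by the RRQ does not match.
    log.append(("DATA", fw.inbound((SERVER_IP, server_tid), CLIENT)))
    if log[-1][1] == "pass":
        log.append(("ACK", fw.outbound(CLIENT, (SERVER_IP, server_tid))))
    return log
```
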

@kavi0208
Author

kavi0208 commented Sep 8, 2017

Thanks for your reply.

@kavi0208 kavi0208 closed this as completed Sep 8, 2017
@myah-mitchell

Are there any plans to add support for tftp-proxy to OPNsense down the road? I was looking at starting to use this software, but tftp proxy is something I need since I use SIP phones and they get their firmware updates from a remote network over tftp.

@hudecof

hudecof commented Mar 12, 2018

Is there any way to add custom rules? I'm not able to generate the required ruleset

           rdr-anchor "tftp-proxy/*"

           anchor "tftp-proxy/*"

@fichtner
Member

@hudecof

hudecof commented Mar 12, 2018

@fichtner thanks, all I need is to place a file there, or should it be somehow registered?

@fichtner
Member

Place a file tftp.inc there and add a tftp_firewall() function with the anchors. It will be picked up automatically, requiring a single firewall reload.

@hudecof

hudecof commented Mar 12, 2018

Great, works.

@hudecof

hudecof commented Mar 12, 2018

If there is time I will write a regular plugin ;)

@myah-mitchell

@hudecof would you mind posting the contents of the tftp.inc file you created? I'm not quite following what all was needed by fichtner's "add tftp_firewall() function with the anchors". Even if it's not a plugin or GUI option, a manual way to enable tftp would be great. Thanks!

@hudecof

hudecof commented Mar 12, 2018

```
root@fw01:/usr/local/etc # cat ./inc/plugins.inc.d/tftpproxy.inc
<?php

function tftpproxy_enabled()
{
    return true;
}

function tftpproxy_firewall($fw)
{
    if (!tftpproxy_enabled()) {
        return;
    }

    $fw->registerAnchor('tftp-proxy/*', 'nat');
    $fw->registerAnchor('tftp-proxy/*', 'rdr');
    $fw->registerAnchor('tftp-proxy/*', 'fw');
}
```

The rest is done by generic port forward rules and manual editing of the inetd.conf

```
root@fw01:/usr/local/etc # grep tftp /etc/inetd.conf | grep -v ^#
tftp	dgram	udp	wait	root	/usr/libexec/tftp-proxy	tftp-proxy -v
```

@hudecof

hudecof commented Mar 12, 2018

I took the ftp-proxy filename and removed all stuff except the firewall rules.
