tftp proxy, filtering by source and destination



  • Hello,

    Is there any way to enable the TFTP proxy while filtering source and destination addresses?

    Ideally, I would like to allow TFTP from the whole LAN (all interfaces; I create those a lot) to a specific machine. It would seem meaningful to me to enable the TFTP proxy in a regular rule, or possibly a NAT rule.

    Unfortunately, using the existing TFTP proxy feature enables TFTP from all hosts on an interface to the world. The rule is an "rdr pass ..." and is located above all other rules, including floating rules.

    Is there an existing way to do this? Or am I wishing for a new feature?

    I already know how to allow TFTP using stateless rules, but that does not really fit my bill, for various reasons; namely, said rules would allow one-way UDP communication from the TFTP server to the LAN. That would be acceptable should the TFTP server bind its ports on startup and allow the use of ports <1024. Unfortunately, it cannot be instructed to do so.

    What makes it worse in my case is that I use the firewall's TFTP server over source ports <1024 to pull some hidden config files that I do not wish to be world readable.

    Thanks for your time.


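As an added illustration (not from the original poster and not pfSense's generated ruleset), here is what the proxy rule looks like in hand-written pf.conf syntax, following the example in tftp-proxy(8) on FreeBSD/OpenBSD: the wide-open "from any to any" rdr rule the poster describes, beside the same rule restricted to one source network and one destination server. The interface name, network and server address are constructed placeholders; that tftp-proxy is started by inetd and listens on 127.0.0.1 port 6969 is taken from the tftp-proxy(8) example and is an assumption about this setup. Whether the pfSense GUI lets you replace its own rule with this form is exactly the open question in the post, so this only shows the pf-level shape.

```pf
# Added example, not the poster's configuration and not pfSense's generated rules.
# Assumptions: tftp-proxy(8) runs under inetd on 127.0.0.1 port 6969, $lan_if is
# the inside interface, and the macro values below are constructed placeholders.
lan_if      = "em1"
lan_net     = "192.168.1.0/24"     # constructed example network
tftp_server = "192.168.1.10"       # constructed example TFTP server

# tftp-proxy inserts its per-transfer pass/rdr rules into these anchors, so
# they must be present in the ruleset for the proxied transfer to work.
rdr-anchor "tftp-proxy/*"
anchor "tftp-proxy/*"

# Wide-open form: every host reachable on $lan_if may start a proxied TFTP
# session to any destination. This is the shape the post complains about.
#rdr pass on $lan_if proto udp from any to any port tftp -> 127.0.0.1 port 6969

# Restricted form: only clients in $lan_net, only towards $tftp_server.
# Only traffic matching this rdr is handed to the proxy, so only these
# sessions can ever cause rules to appear in the tftp-proxy anchors.
rdr pass on $lan_if proto udp from $lan_net to $tftp_server port tftp \
    -> 127.0.0.1 port 6969
```

Check the fragment with `pfctl -nf /etc/pf.conf` (parse only, no load) before activating it. The restriction belongs on the rdr rule itself because the anchor rules are created by the proxy after the rdr has already matched; a later filter rule cannot narrow which clients reach the proxy.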