Dave & Stephan,

Thank you. Dave, you are right, this is a known issue. pfSense & m0n0wall do not support TFTP traffic pass-through. I really do not understand why this feature is not available.

Tomato firmware supports this feature. We cannot find a single firmware that supports all of the following features:

- MLPPP
- VLAN
- TFTP Server pass-through

Nowadays MLPPP is really important. It will help to bypass the Bell throttling.

Thank you.
Aloysius Lloyd

On Thu, Aug 20, 2009 at 3:22 PM, Dave Donovan <[email protected]> wrote:

> > On Aug 20, 2009, at 1:27 PM, Aloysius Thevarajah Lloyd wrote:
> >>
> >> *My internal phone tries to get the configuration file and firmware from an
> >> external Public IP TFTP Server. I open the UDP port 69 on the WAN ....*
> >>
> >> Is there any special configuration available to allow TFTP requests?
> >
> > On Thu, Aug 20, 2009 at 2:02 PM, Stephan Monette <[email protected]> wrote:
> >
> > You need to have the module for TFTP tracking installed, loaded and
> > enabled. Just like the FTP and PPTP tracking modules.
>
> Lloyd,
>
> It looks like it's a known issue with pfSense. I think this
> bugtracker article describes your issue exactly:
> http://cvstrac.pfsense.com/tktview?tn=1872
>
> I'm not sure if, in your situation, you can fix the port behavior on
> the server end as the article suggests or if you can VPN to the server
> to avoid NAT altogether.
>
> As Stephan suggests, it could probably be fixed by a proxy but I don't
> see a proxy package available for pfSense. Here's an article by a guy
> who fixed it on FreeBSD. The process should be similar for pfSense:
> http://taosecurity.blogspot.com/2009/07/freebsd-pf-and-tftp-proxy.html
>
> From a security point of view, I believe that TFTP is regarded as an
> insecure service and not something that should be exposed to the
> Internet. Some phone config files, if left unencrypted, could expose
> SIP userIDs and passwords. You're not new to networking and you
> probably already thought of that but I thought I'd mention it just in
> case somebody else on the list thought opening his TFTP server up to
> the world might be a good idea.
> If you wanted to comment, I'd be
> interested to know how you've chosen to address TFTP security.
>
> My only suggestion with pfSense would be to try the recent RC of
> 1.2.3 based on BSD 7.1 which apparently addressed a long list of
> issues that were present in the earlier 7.0.
>
> Best Regards,
> Dave Donovan
