I'm trying to set up a tftp server to host the configs of some PIX boxes. The PIXes and the tftp server are separated by a pf box. And before anyone gets smart and says "why not replace the PIXes with PF" that's a non-starter. I'd love to, but it ain't going to happen.

Anyway, onto the problem. I see the tftp traffic pass in:
Apr 18 13:46:59.438588 rule 23/0(match): pass in on de3: 172.17.16.250.1034 > 192.168.42.20.69: 32 WRQ "wsg-conf-200504180" [|tftp]
Apr 18 13:46:59.438727 rule 25/0(match): pass out on xl0: 172.17.16.250.1034 > 192.168.42.20.69: 32 WRQ "wsg-conf-200504180" [|tftp]


I see the daemon start from inetd and accept the connection.

Then I get this:
Apr 18 13:46:59.445133 rule 0/0(match): block in on xl0: 192.168.42.20.34472 > 172.17.16.250.1034: udp 21 (DF)


Two questions:
1) is this "normal" tftp behaviour? I've not fooled around with it before. I would have expected a trivial file transfer protocol to reuse the existing sockets.
2) any suggestions on how to adapt the rules to deal with this? Obviously keep state is not enough, but I'm sure this has been solved before.


And yes I did search the archive. Well I tried to at any rate, when I type in "tftp" as a search term I get a blank page as a response. Completely blank, not just no results.

Thanks guys.
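The exchange in the log above, as an added example that is not part of the original post: a small Python model of a stateful UDP filter fed the two posted pflog lines. It assumes "keep state" matches only the exact 4-tuple (or its reverse) that created the entry, and shows why the server's reply from port 34472 falls outside that entry, plus the looser check that RFC 1350's transfer-ID behaviour (server answers from a fresh port, but to the client's original port) requires.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two pflog lines from the post (the WRQ to port 69 and
# the server's reply from a fresh port), reused here as input to the model.
PFLOG = [
    'Apr 18 13:46:59.438588 rule 23/0(match): pass in on de3: 172.17.16.250.1034 > 192.168.42.20.69: 32 WRQ "wsg-conf-200504180" [|tftp]',
    'Apr 18 13:46:59.445133 rule 0/0(match): block in on xl0: 192.168.42.20.34472 > 172.17.16.250.1034: udp 21 (DF)',
]

LINE_RE = re.compile(
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

@dataclass(frozen=True)
class Flow:
    sip: str
    sport: int
    dip: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dip, self.dport, self.sip, self.sport)

def parse_flow(line: str) -> Optional[Flow]:
    m = LINE_RE.search(line)
    return None if m is None else Flow(m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))

def is_tftp_transfer_reply(wrq: Flow, pkt: Flow) -> bool:
    """RFC 1350: the server replies from a new port (its TID) but to the client's
    original port, so only the client side of the tuple is stable."""
    return pkt.sip == wrq.dip and pkt.dip == wrq.sip and pkt.dport == wrq.sport

def filter_log(lines, tftp_aware: bool = False):
    """Model of a stateful UDP filter (assumed: 'keep state' matches the exact
    4-tuple or its reverse). Returns one verdict per parsed packet."""
    state = set()
    verdicts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow in state or flow.reverse() in state:
            verdicts.append("pass")
        elif flow.dport == 69:            # rule: allow tftp requests to the server
            state.add(flow)
            verdicts.append("pass")
        elif tftp_aware and any(is_tftp_transfer_reply(s, flow) for s in state):
            state.add(flow)               # track the new TID pair as its own flow
            verdicts.append("pass")
        else:
            verdicts.append("block")
    return verdicts
```

With `tftp_aware=False` the model reproduces the posted pass/block pair; the `tftp_aware` branch is the extra condition a rule set has to express (in pf terms, a separate pass for UDP from the server's high ports back to the client) rather than relying on the WRQ's state entry alone.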
