I'm in need of a little help (and probably a lot of sleep). I have been tweaking my PF due to a need for some added functionality. My last task was to add tftp-proxy so I can backup my Cisco DSL router to my TFTP server. I read the man page and inserted the necessary rules, but alas she's not working and I cannot quite see my error. My TFTP server lives inside the LAN on 192.168.1.5 and I had added the following rules. What am I missing here?
################ Translation ############################### # no rdr on lo0 from any to any nat-anchor "ftp-proxy/*" nat on egress from (self) to any tag EGRESS -> ($ext_if:0) nat on egress from $wire_if:network to any tag EGRESS -> ($ext_if:0) no nat on $ext_if to port tftp rdr-anchor "ftp-proxy/*" rdr-anchor "tftp-proxy/*" rdr on $ext_if proto udp from any to any port tftp -> 127.0.0.1 port 6969 # $ext_if inbound pass in on $ext_if inet proto icmp from any to $ext_if icmp-type 8 code 0 pass in quick on $ext_if inet proto tcp from <ftp-auth> to $ext_ip port 21 flags S/SA keep state pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh flags S/SA synproxy state (max 10, source-track rule, max-src-conn 10, max-src-nodes 5, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global) pass in quick on $ext_if inet proto udp from <ftp-auth> to $ext_ip keep state # $wire_if outbound pass out log on $wire_if inet proto tcp from $wire_if to $wire_if:network flags S/SAFR modulate state pass out on $wire_if inet proto tcp to $ftp_server port 21 user proxy flags S/SA keep state pass out log on $wire_if inet proto udp from $wire_if to $wire_if:network keep state pass out on $wire_if inet proto udp to $ftp_server keep state pass out log on $wire_if inet proto icmp from $wire_if to $wire_if:network icmp-type 8 code 0 keep state anchor "ftp-proxy/*" anchor "tftp-proxy/*"
