NAME
tftp-proxy — Internet Trivial File Transfer Protocol proxy
SYNOPSIS
tftp-proxy [-v] [-w transwait]
DESCRIPTION
tftp-proxy is a proxy for the Internet Trivial File Transfer Protocol invoked by the inetd(8) internet server. TFTP connections should be redirected to the proxy using the pf(4) rdr command, after which the proxy connects to the server on behalf of the client.
The proxy establishes a pf(4) rdr rule using the anchor facility to rewrite packets between the client and the server. Once the rule is established, tftp-proxy forwards the initial request from the client to the server to begin the transfer. After transwait seconds, the pf(4) NAT state is assumed to have been established and the rdr rule is deleted and the program exits. Once the transfer between the client and the server is completed, the NAT state will naturally expire.
Assuming the TFTP command request is from $client to $server, the proxy connected to the server using the $proxy source address, and $port is negotiated, tftp-proxy adds the following rule to the anchor:
rdr proto udp from $server to $proxy port $port -> $client
 
The options are as follows:
-v
    Log the connection and request information to syslogd(8).
-w transwait
    Number of seconds to wait for the data transmission to begin before removing the pf(4) rdr rule. The default is 2 seconds.
CONFIGURATION
To make use of the proxy, pf.conf(5) needs the following rules. The anchors are mandatory. Adjust the rules as needed for your configuration.
In the NAT section:
nat on $ext_if from $int_if -> ($ext_if:0)

no nat on $ext_if to port tftp

rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -> \
    127.0.0.1 port 6969
 
In the filter section, an anchor must be added to hold the pass rules:
inetd(8) must be configured to spawn the proxy on the port that packets are being forwarded to by pf(4). An example inetd.conf(5) entry follows:
127.0.0.1:6969	dgram	udp	wait	root \
	/usr/libexec/tftp-proxy	tftp-proxy
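
The following is an added example, not part of the original manual page or of the tftp-proxy distribution: a POSIX sh check that the pf.conf(5) redirect target and the inetd.conf(5) listener described above agree and that the rdr-anchor is present. The function names, the temporary sample files (constructed from the rules on this page) and the loopback-only policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: cross-check pf.conf and inetd.conf for tftp-proxy (names are hypothetical).
join_lines() {   # strip comments, join backslash-continued lines
    awk '{ sub(/#.*/, "") }
         /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
         { print buf $0; buf = "" }' "$1"
}
has_rdr_anchor() {   # the page calls the anchors mandatory
    join_lines "$1" | grep -Eq '^[[:space:]]*rdr-anchor[[:space:]]+"tftp-proxy/\*"'
}
rdr_target() {   # prints "addr port" that TFTP requests are redirected to
    join_lines "$1" | awk '$1 == "rdr" && /port (tftp|69)[ \t]+->/ {
        for (i = 1; i <= NF; i++)
            if ($i == "->") { print $(i + 1), $(i + 3); exit } }'
}
inetd_listener() {   # prints "addr port user" of the tftp-proxy entry
    join_lines "$1" | awk '$2 == "dgram" && $3 == "udp" && $6 ~ /\/tftp-proxy$/ {
        if (split($1, a, ":") == 2) { print a[1], a[2], $5 } else { print "any", $1, $5 }
        exit }'
}
check_tftp_proxy() {   # usage: check_tftp_proxy pf.conf inetd.conf
    has_rdr_anchor "$1" || { echo 'FAIL: no rdr-anchor "tftp-proxy/*"'; return 1; }
    target=$(rdr_target "$1"); listener=$(inetd_listener "$2")
    [ -n "$target" ] || { echo "FAIL: no rdr rule for port tftp"; return 1; }
    [ -n "$listener" ] || { echo "FAIL: no tftp-proxy entry in inetd.conf"; return 1; }
    case "$listener" in
        "$target "*) ;;
        *) echo "FAIL: rdr target [$target] != listener [$listener]"; return 1 ;;
    esac
    case "$target" in   # example policy (assumption): loopback only
        127.*) echo "OK: redirect and listener agree on $target" ;;
        *) echo "FAIL: proxy listens off loopback: $target"; return 1 ;;
    esac
}

# Constructed sample files built from the rules shown on this page.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pf.conf" <<'EOF'
rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -> \
    127.0.0.1 port 6969
EOF
cat > "$tmp/inetd.conf" <<'EOF'
127.0.0.1:6969 dgram udp wait root \
    /usr/libexec/tftp-proxy tftp-proxy
EOF
sed 's/:6969/:6970/' "$tmp/inetd.conf" > "$tmp/inetd.bad"   # constructed mismatch
check_tftp_proxy "$tmp/pf.conf" "$tmp/inetd.conf"
check_tftp_proxy "$tmp/pf.conf" "$tmp/inetd.bad" || true
```
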
 
SEE ALSO
tftp(1), pf(4), pf.conf(5), ftp-proxy(8), inetd(8), syslogd(8), tftpd(8)
CAVEATS
tftp-proxy chroots to /var/chroot/tftp-proxy and changes to user “_proxy” to drop privileges.