LinuxQuestions.org - tftp-server with client firewall

We use tftp to provision our IP Phones.

I have set up tftp-server on my RHEL5 box and all is fine.
However, I have one client who is having trouble. His phone is not able to pick up the configuration file. Every time he tries, I see this line five times in the log file:

Code:

Sep 22 16:03:34 servername in.tftpd[11565]: RRQ from his.ip.add.ress filename file.cfg

I had him try to download the file using a tftp client on his PC and he got a "time out" error with the same results in the log. I am assuming there is a firewall issue on his side that is causing this. This link seems to indicate that this can be the case with the WinAgents tftp server (I am not using WinAgents, I am just bringing this as an example - I am using the default tftp-server application that installed when I ran "yum install tftp-server"):

Quote:

The situation becomes more complicated if it is necessary to provide the clients’ access from the protected network to the external TFTP server. Requesting the file, the client sends TFTP RRQ packet from a random UDP port to UDP 69 port of the TFTP server. As far as the packet is being sent from more protected network to the less protected one, firewall sends it to TFTP server. Transmitting the file, firewall adds to the table of translation a record that corresponds to the connection on UDP protocol between the chosen client’s port and port 69 of TFTP server. According to RFC 1350, the server sends to the client (from a random port) DATA TFTP packet. However, firewall rejects this packet because it cannot find the existing connection between the chosen server port and the client’s port in the table of translation.

Devices, like Cisco PIX, can review the passing TFTP traffic and dynamically add to the table of translation records, allowing TFTP answers to pass from the external network to the enterprise network. To enable this mode in Cisco PIX firewall there is a command fixup protocol tftp.

Another way to solve the problem is to make TFTP server use port 69 not only to receive requests, but also to send the answers to the clients. In this case firewall will correctly transmit the answers to the client according to the record from the table of translation. You can enable this mode in WinAgents TFTP Server by option ‘Enable firewall support’ in the program settings window.

Is there such a workaround for the Linux tftp-server application?

Here is my "/etc/xinetd.d/tftp" file:

Code:

service tftp

{

        socket_type            = dgram

        protocol                = udp

        wait                    = yes

        user                    = root

        server                  = /usr/sbin/in.tftpd

        server_args            = -s /tftpboot -v -v -v -v

        disable                = no

        per_source              = 11

        cps                    = 100 2

        flags                  = IPv4

}