Old 09-22-2009, 11:31 AM   #1
Spetnik
Member
 
Registered: Mar 2004
Posts: 40

Rep: Reputation: 15
tftp-server with client firewall


We use tftp to provision our IP Phones.

I have set up tftp-server on my RHEL5 box and all is fine.
However, I have one client who is having trouble. His phone is not able to pick up the configuration file. Every time he tries, I see this line five times in the log file:

Code:
Sep 22 16:03:34 servername in.tftpd[11565]: RRQ from his.ip.add.ress filename file.cfg
I had him try to download the file using a tftp client on his PC and he got a "time out" error with the same results in the log. I am assuming there is a firewall issue on his side that is causing this. This link seems to indicate that this can be the case with the WinAgents tftp server (I am not using WinAgents, I am just bringing this as an example - I am using the default tftp-server application that installed when I ran "yum install tftp-server"):
Quote:
The situation becomes more complicated if it is necessary to provide clients on the protected network with access to an external TFTP server. When requesting the file, the client sends a TFTP RRQ packet from a random UDP port to UDP port 69 of the TFTP server. Since the packet is being sent from the more protected network to the less protected one, the firewall sends it on to the TFTP server. While transmitting the file, the firewall adds to the translation table a record that corresponds to the UDP connection between the chosen client port and port 69 of the TFTP server. According to RFC 1350, the server sends the DATA TFTP packet to the client from a random port. However, the firewall rejects this packet because it cannot find an existing connection between the chosen server port and the client's port in the translation table.

Devices like the Cisco PIX can inspect the passing TFTP traffic and dynamically add records to the translation table, allowing TFTP answers to pass from the external network to the enterprise network. To enable this mode in a Cisco PIX firewall there is the command fixup protocol tftp.

Another way to solve the problem is to make the TFTP server use port 69 not only to receive requests, but also to send the answers to the clients. In this case the firewall will correctly pass the answers to the client according to the record in the translation table. You can enable this mode in WinAgents TFTP Server with the option 'Enable firewall support' in the program settings window.
Is there such a workaround for the Linux tftp-server application?

Here is my "/etc/xinetd.d/tftp" file:
Code:
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot -v -v -v -v
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}
 
Old 09-23-2009, 08:44 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
Hi Spetnik,

According to the man page:

Code:
--port-range port:port, -R port:port
   Force  the  server port number (the Transaction ID) to be in the
   specified range of port numbers.
I did a bit of testing and I couldn't use '-R 69:69' but this seems to work:

Code:
me@xxxxxx ~# cat /etc/xinetd.d/tftp 
# default: off
# description: The tftp server serves files using the trivial file transfer \
#	protocol.  The tftp protocol is often used to boot diskless \
#	workstations, download configuration files to network-aware printers, \
#	and to start the installation process for some operating systems.
service tftp
{
	disable	= no
	socket_type		= dgram
	protocol		= udp
	wait			= yes
	user			= root
	server			= /usr/sbin/in.tftpd
	server_args		= -R 6969:6969 -s /var/lib/tftpboot
	per_source		= 11
	cps			= 100 2
	flags			= IPv4
}
... so maybe you can ask for an extra port to be opened in the firewall, not ideal but ...

HTH

kbp
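The following is an added illustration, not code from this thread or from the tftp-hpa project, of the mechanism the quoted WinAgents text describes and of kbp's -R port-range workaround. It models a client behind a stateful (connection-tracking) firewall that sends an RFC 1350 RRQ from a random port to the server's UDP port 69, and a server that answers with a DATA packet from its transaction-ID (TID) port. The addresses, the client port, the file name and its contents are constructed; the firewall's translation table is a simplified model of the behaviour described in the quote. The model also shows why the -R 6969:6969 configuration only helps once the client-side firewall accepts replies from that source port (the "extra port" kbp mentions); it does not attempt to reproduce why -R 69:69 failed on the real in.tftpd.

```python
"""Toy model of a TFTP RRQ/DATA exchange through a stateful firewall.

Constructed example: shows why a DATA reply sent from a random server TID is
dropped by the client's connection-tracking firewall, and how pinning the
server TID (in.tftpd -R lo:hi) changes the outcome.
"""
import random
import struct
from dataclasses import dataclass

SERVER_IP = "192.0.2.10"   # constructed server address (RFC 5737 documentation range)
CLIENT_IP = "10.0.0.5"     # constructed phone address behind the client's firewall
TFTP_PORT = 69
FILES = {"file.cfg": b"constructed phone provisioning data"}  # constructed content


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 RRQ: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(data: bytes) -> str:
    """Return the requested filename from an RRQ payload."""
    (opcode,) = struct.unpack("!H", data[:2])
    if opcode != 1:
        raise ValueError("not an RRQ")
    filename, _mode, _rest = data[2:].split(b"\0", 2)
    return filename.decode()


def build_data(block: int, chunk: bytes) -> bytes:
    """RFC 1350 DATA: opcode 3, block number, up to 512 bytes of data."""
    return struct.pack("!HH", 3, block) + chunk[:512]


class StatefulFirewall:
    """Connection-tracking UDP firewall in front of the client.

    Outbound packets create a 4-tuple entry (the quote's "table of translation").
    Inbound packets pass only if they are the exact reverse of an entry, or if
    their source port was explicitly allowed as a firewall exception.
    """

    def __init__(self, allowed_reply_ports=()):
        self.table = set()
        self.allowed_reply_ports = set(allowed_reply_ports)

    def outbound(self, p: Packet) -> None:
        self.table.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))

    def inbound(self, p: Packet) -> bool:
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return reverse in self.table or p.src_port in self.allowed_reply_ports


class TftpServer:
    """Server whose reply TID is either random (RFC 1350 default) or pinned to
    a range, mirroring in.tftpd's -R lo:hi option."""

    def __init__(self, port_range=None):
        self.port_range = port_range

    def pick_tid(self) -> int:
        lo, hi = self.port_range or (49152, 65535)   # ephemeral range when unpinned
        return random.randint(lo, hi)

    def answer_rrq(self, rrq: Packet) -> Packet:
        filename = parse_rrq(rrq.payload)
        tid = self.pick_tid()
        return Packet(SERVER_IP, tid, rrq.src_ip, rrq.src_port,
                      build_data(1, FILES[filename]))


def run_exchange(port_range=None, allowed_reply_ports=(), client_port=51000) -> dict:
    """Send one RRQ through the firewall and report whether DATA block 1 comes back."""
    fw = StatefulFirewall(allowed_reply_ports)
    server = TftpServer(port_range)
    rrq = Packet(CLIENT_IP, client_port, SERVER_IP, TFTP_PORT, build_rrq("file.cfg"))
    fw.outbound(rrq)                   # client -> server:69 creates the table entry
    data = server.answer_rrq(rrq)      # server replies from its TID port
    return {"server_tid": data.src_port, "delivered": fw.inbound(data)}


if __name__ == "__main__":
    cases = [
        ("default random TID", {}),
        ("-R 69:69, no firewall change", {"port_range": (69, 69)}),
        ("-R 6969:6969, no firewall change", {"port_range": (6969, 6969)}),
        ("-R 6969:6969 + reply port opened",
         {"port_range": (6969, 6969), "allowed_reply_ports": (6969,)}),
    ]
    for label, kwargs in cases:
        print(f"{label:38s} -> {run_exchange(**kwargs)}")
```

In the first case the reply from a random TID never matches the firewall's entry for client_port to server:69, which is the five-RRQ-then-timeout pattern seen in the log; the server never knows its DATA was dropped, so only the retried RRQs are logged. A reply from port 69 would match the entry, which is what the WinAgents "firewall support" option relies on; a reply pinned to 6969 passes only once the client side explicitly allows it.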