On 10/16/2012 10:41 AM, Orion Poplawski wrote:
> I'm trying to enable tftp traffic initiated from our dmz network to our
> internal network. I have:
>
> TFTP(ACCEPT) dmz loc:10.10.10.1
>
> in /etc/shorewall/rules, and:
>
> loadmodule nf_conntrack_tftp
>
> in /etc/shorewall/modules.
>
> The module is loaded and I do see some entries come and go, e.g.:
>
> udp 17 10 src=4.28.99.164 dst=10.10.10.1 sport=2071 dport=69 [UNREPLIED]
> src=10.10.10.1 dst=4.28.99.164 sport=69 dport=2071 mark=0
> secctx=system_u:object_r:unlabeled_t:s0 use=2
>
> But it appears that the replies from the client are still being blocked, e.g.:
>
> Oct 16 10:17:34 inferno kernel: [1841301.871809]
> Shorewall:dmz2loc:REJECT:IN=em2 OUT=em1
> MAC=00:b0:d0:df:e3:1e:00:22:19:1d:0c:a4:08:00 SRC=4.28.99.164 DST=10.10.10.1
> LEN=32 TOS=0x00 PREC=0x00 TTL=19 ID=17 PROTO=UDP SPT=2072 DPT=35350 LEN=12
>
> Any idea why the client replies are being blocked?
>
> Thanks,
>
> Orion
Actually, I think I may have figured it out. The tftp server has two interfaces, one on the internal network and one on the dmz. I suspect the replies from the server were going out the dmz network interface and perhaps not triggering the conntrack module? Anyway, for now I'm just pointing the tftp client to the dmz interface although I do want to remove the dmz interface in the future.

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.nwra.com

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
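The thread hinges on how the nf_conntrack_tftp helper works: when it sees the client's request to UDP port 69 it registers an expectation for the server's reply (server IP, any source port, to the client's IP and request port); only once that reply actually crosses the firewall does a RELATED entry for the data flow appear, and only then are the client's follow-up packets to the server's new port seen as ESTABLISHED. If the server's reply leaves via another interface, the request entry stays [UNREPLIED] and the client's next packet is treated as NEW and hits the policy. The script below is an added example, not part of the thread or of Shorewall: it parses an nf_conntrack-style entry and a Shorewall REJECT log line (the two lines quoted in the thread, plus one constructed variant with the same client port) and explains which case the rejected packet falls into. The port-consistency rule follows RFC 1350 (each side keeps its TID for a whole transfer); the diagnosis strings are my own wording.

```python
import re

# Sample input: the conntrack entry and the REJECT line quoted in the thread,
# plus a constructed REJECT line that reuses the tracked request's client port.
CONNTRACK_LINE = (
    "udp 17 10 src=4.28.99.164 dst=10.10.10.1 sport=2071 dport=69 [UNREPLIED] "
    "src=10.10.10.1 dst=4.28.99.164 sport=69 dport=2071 mark=0 "
    "secctx=system_u:object_r:unlabeled_t:s0 use=2"
)
REJECT_LINE = (
    "Oct 16 10:17:34 inferno kernel: [1841301.871809] Shorewall:dmz2loc:REJECT:IN=em2 OUT=em1 "
    "MAC=00:b0:d0:df:e3:1e:00:22:19:1d:0c:a4:08:00 SRC=4.28.99.164 DST=10.10.10.1 "
    "LEN=32 TOS=0x00 PREC=0x00 TTL=19 ID=17 PROTO=UDP SPT=2072 DPT=35350 LEN=12"
)
# Constructed: same packet but from client port 2071, i.e. the tracked transfer.
REJECT_LINE_SAME_TID = REJECT_LINE.replace("SPT=2072", "SPT=2071")

# key=value tokens; the value may be empty (e.g. "OUT=" for INPUT-chain logs)
KV = re.compile(r"(\w+)=(\S*)")
SHOREWALL = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_conntrack(line):
    """Split a UDP nf_conntrack entry into its original and reply 4-tuples."""
    tuples, cur = [], {}
    for key, val in KV.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            cur[key] = val
            if len(cur) == 4:  # one direction complete
                tuples.append((cur["src"], int(cur["sport"]), cur["dst"], int(cur["dport"])))
                cur = {}
    return {"proto": line.split()[0], "orig": tuples[0], "reply": tuples[1],
            "unreplied": "[UNREPLIED]" in line}


def parse_shorewall_log(line):
    """Extract chain, disposition, interfaces and the UDP 4-tuple from a Shorewall log line."""
    m = SHOREWALL.search(line)
    if m is None:
        return None
    kv = dict(KV.findall(m.group("rest")))  # LEN appears twice; the last (UDP length) wins
    return {"chain": m.group("chain"), "disposition": m.group("disp"),
            "in": kv.get("IN"), "out": kv.get("OUT"), "proto": kv.get("PROTO"),
            "src": kv["SRC"], "dst": kv["DST"], "spt": int(kv["SPT"]), "dpt": int(kv["DPT"])}


def diagnose(ct, log):
    """Relate a rejected UDP packet to a tracked TFTP request (dport 69)."""
    c_ip, c_port, s_ip, s_port = ct["orig"]
    if ct["proto"] != "udp" or s_port != 69:
        return "entry is not a TFTP request"
    if log["proto"] != "UDP" or {log["src"], log["dst"]} != {c_ip, s_ip}:
        return "packet is unrelated to this TFTP request"
    if log["src"] == s_ip:
        # server -> client: exactly what the helper's expectation should match
        return "server reply: expected to be accepted as RELATED by the tftp helper"
    if log["spt"] != c_port:
        # a TFTP client keeps its TID (source port) for the whole transfer (RFC 1350)
        return ("client port %d differs from the tracked request's port %d: "
                "a different transfer, look for its own request entry" % (log["spt"], c_port))
    if ct["unreplied"]:
        return ("client data packet to server port %d while the request is still UNREPLIED: "
                "the server's reply never crossed this firewall (e.g. it left via another "
                "interface), so no RELATED flow exists and the packet is treated as NEW" % log["dpt"])
    return ("client data packet to server port %d with the request already replied: "
            "a RELATED entry should exist, inspect the conntrack table" % log["dpt"])


if __name__ == "__main__":
    ct = parse_conntrack(CONNTRACK_LINE)
    for line in (REJECT_LINE, REJECT_LINE_SAME_TID):
        log = parse_shorewall_log(line)
        print("%s %s in=%s out=%s: %s" % (log["chain"], log["disposition"],
                                           log["in"], log["out"], diagnose(ct, log)))
```

Run it as-is to see both outcomes: the thread's own REJECT line uses client port 2072 against a request tracked from port 2071, so it is flagged as a separate transfer, while the constructed same-port variant yields the explanation Orion arrived at (request still UNREPLIED, so the data packet is NEW). The interface fields (IN=em2 OUT=em1, chain dmz2loc) are carried through so the output can be compared against the server's routing.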
