Hi Milo,

Thanks for the input. However, have you been able to get this to work with a PXE client? I have tftp working just fine, behind vuurmuur when I use the atftp command line. My problem seems to come only from PXE based tftp clients.

My guess is that Vuurmuur is doing some kind of source / destination port rewriting, as if tftp uses random ports on the client. With or without the helper (i.e., tftp) it doesn't work for PXE clients. If I was trying to NAT tftp, then yes, I'm guessing that the tftp conntrack module would be necessary, much as the ftp / irc modules would be necessary for NAT'ing those protocols.

--
Kenneth Shaw
ExpiTrans, Inc.
1401 Dove St, Suite 260
Newport Beach, CA 92660
tel: 949.650.4600
fax: 949.642.6044
[email protected]

----- Original Message -----
From: milo [mailto:[email protected]]
To: [email protected]
Sent: Tue, 25 May 2010 03:54:51 -0700
Subject: Re: [Vuurmuur-users] Running TFTP server on Firewall

> Hi Kenneth,
>
> I have that setup running here, so it is possible, with vuurmuur :)
> I'm using isc-dhcpd-V3.1.1 with tftpd in inetd mode
>
> Your vuurmuur rule
>
> RULE="Accept service tftp from local.lan to firewall"
>
> should be the only one you need, I'm guessing your firewall doesn't need
> to download anything using tftp?
>
> Your service definition seems a bit incorrect:
> - the service doesn't need a helper
> - tftp uses an unprivileged port from the client.
>
> Mine looks like this:
>
> ACTIVE="Yes"
> TCP=""
> UDP="69*1024:65535"
> ICMP=""
> GRE=""
> AH=""
> ESP=""
> PROTO_41=""
> BROADCAST="No"
> HELPER=""
>
> That should do the trick....
>
> Cheers,
> Milo
>
> On 24-5-2010 19:37, Victor Julien wrote:
> > Hi Kenneth, I have no experience with tftp, but I think it should be
> > able to work. Are you seeing any drop lines in the vuurmuur traffic log?
> >
> > Cheers,
> > Victor
> >
> > Kenneth Shaw wrote:
> >
> >> Hi,
> >>
> >> I've been attempting to run a TFTP server on the firewall for PXE
> >> booting.
> >>
> >> Long story short, I've tried every variation on defining a service for
> >> TFTP that I can think of, however I can not get PXE booting to work. I am
> >> able to use a tftp client at the command line on another host to copy
> >> files from the firewall, but actually doing it during a PXE boot causes
> >> timeout errors. I've used both atftpd and tftpd-hpa. With atftpd, in the
> >> syslog, I see that the tftp server is receiving some kind of data,
> >> however the client never receives the files.
> >>
> >> The following is the service definition I have used for vuurmuur:
> >>
> >> ACTIVE="yes"
> >> UDP="69*69"
> >> BROADCAST="no"
> >> COMMENT="Trivial File Transfer Protocol"
> >> PROTO_41=""
> >> GRE=""
> >> AH=""
> >> ESP=""
> >> ICMP=""
> >> HELPER="tftp"
> >>
> >> (I have used many variations of this, with and without the conntrack
> >> helper).
> >>
> >> Additionally, I have these rules (among others) defined:
> >>
> >> RULE="Accept service any from firewall to local.lan"
> >> RULE="Accept service tftp from local.lan to firewall"
> >>
> >> What am I doing wrong? I would really like to get my PXE boot
> >> environment up and running and self-contained on the firewall -- as it
> >> is, I am forced to run the tftp server on a separate system which is not
> >> ideal. Also if it matters (I do not know if it does or not), I am not
> >> launching tftp from inetd. Instead I am having atftpd run as a
> >> standalone daemon.
> >>
> >> Any help would be greatly appreciated!
> >>
> >> --
> >> Kenneth Shaw
> >> ExpiTrans, Inc.
> >> 1401 Dove St, Suite 260
> >> Newport Beach, CA 92660
> >> tel: 949.650.4600
> >> fax: 949.642.6044
> >> [email protected]
> >>
> >> ------------------------------------------------------------------------------
> >> _______________________________________________
> >> Vuurmuur-users mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/vuurmuur-users

------------------------------------------------------------------------------
_______________________________________________
Vuurmuur-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/vuurmuur-users
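
Added example, not part of the original thread and not Vuurmuur code: a small Python model of how a stateful filter on the TFTP server host treats an RFC 1350 read under the two UDP definitions quoted above, with and without the outbound rule and the conntrack helper. It assumes a port definition reads "dst*src" (as Milo's remark about the client's unprivileged port suggests); the function names are hypothetical and the port numbers are constructed sample values.

```python
# Added illustration, not Vuurmuur code. Assumption: a port definition reads
# "dst*src", as Milo's remark about the client's unprivileged port suggests.
# Port numbers are constructed sample values.

def parse_range(text):
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)

def parse_service(udp_def):
    """'69*1024:65535' -> ((69, 69), (1024, 65535)), i.e. (dst, src)."""
    dst, _, src = udp_def.partition("*")
    return parse_range(dst), parse_range(src or "1:65535")

def service_matches(service, sport, dport):
    (dlo, dhi), (slo, shi) = service
    return dlo <= dport <= dhi and slo <= sport <= shi

def tftp_read(client_tid, server_tid):
    """RFC 1350 read request: the server answers from a fresh port (its TID)."""
    return [("in", client_tid, 69, "RRQ"),
            ("out", server_tid, client_tid, "DATA"),
            ("in", client_tid, server_tid, "ACK")]

def first_drop(udp_def, fw_out_allowed, helper, client_tid, server_tid):
    """Return the first packet the filter drops, or None if the read proceeds."""
    service = parse_service(udp_def)
    flows, expected = set(), set()
    for direction, sport, dport, label in tftp_read(client_tid, server_tid):
        back = "out" if direction == "in" else "in"
        if (back, dport, sport) in flows:
            continue                      # ESTABLISHED: reply to a tracked flow
        if direction == "in":
            ok = service_matches(service, sport, dport)    # NEW from the LAN
            if ok and helper and label == "RRQ":
                expected.add(sport)       # helper expects data back to this port
        else:
            ok = fw_out_allowed or dport in expected       # NEW or RELATED outbound
        if not ok:
            return label
        flows.add((direction, sport, dport))
    return None

if __name__ == "__main__":
    for udp_def, out_ok, helper in [("69*69", True, True),
                                    ("69*1024:65535", True, False),
                                    ("69*1024:65535", False, False),
                                    ("69*1024:65535", False, True)]:
        print(udp_def, out_ok, helper,
              first_drop(udp_def, out_ok, helper, 2070, 40000))
```

In this model the server's first DATA packet is a new outbound flow from a port other than 69, so it passes either through a rule allowing traffic from the firewall to the LAN or through the helper's expectation.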
