Hi Milo, I don't really get why tftp isn't working for me. I have assumed it would be like any other service, many of which I have defined myself and gotten working without problem.
If I allow any service to the firewall from local.lan, it works just fine -- however this is not the ideal configuration, as I would like to block many services from being accessed by the local network. When I have done this, tftp works from the command line. It just doesn't work with PXE clients. I have even tried gPXE to see if it is outside of just the Intel PXE client that's built into so many NICs. In reference to the earlier inquiry, from what I can see there is no log of dropped packets from vuurmuur. Also, from what I have seen, tftp seems to randomize the source and destination port, as part of the protocol spec. Would this have some kind of effect?

--
Kenneth Shaw
ExpiTrans, Inc.
1401 Dove St, Suite 260
Newport Beach, CA 92660
tel: 949.650.4600
fax: 949.642.6044
[email protected]

----- Original Message -----
From: milo [mailto:[email protected]]
To: [email protected]
Sent: Tue, 25 May 2010 23:41:28 -0700
Subject: Re: [Vuurmuur-users] Running TFTP server on Firewall

> Hi Kenneth,
>
> The rules vuurmuur creates normally don't rewrite anything.
> As you state the client will use a random - non privileged - port to
> connect to the services thus your tftp "service in vuurmuur" should be
> defined as in my example.
> Your definition only allows connections initiated from port 69.
>
> Cheers
> Milo
>
> On 25-5-2010 17:34, Kenneth Shaw wrote:
> > Hi Milo,
> >
> > Thanks for the input. However, have you been able to get this to work with a PXE client? I have tftp working just fine, behind vuurmuur when I use the atftp command line. My problem seems to come only from PXE based tftp clients.
> >
> > My guess is that Vuurmuur is doing some kind of source / destination port rewriting, as if tftp uses random ports on the client.
> >
> > With or without the helper (ie, tftp) it doesn't work for PXE clients. If I was trying to NAT tftp, then yes, I'm guessing that the tftp conntrack module would be necessary, much as the ftp / irc modules would be necessary for NAT'ing those protocols.
> >
> > --
> > Kenneth Shaw
> > ExpiTrans, Inc.
> > 1401 Dove St, Suite 260
> > Newport Beach, CA 92660
> > tel: 949.650.4600
> > fax: 949.642.6044
> > [email protected]
> >
> > ----- Original Message -----
> > From: milo [mailto:[email protected]]
> > To: [email protected]
> > Sent: Tue, 25 May 2010 03:54:51 -0700
> > Subject: Re: [Vuurmuur-users] Running TFTP server on Firewall
> >
> >> Hi Kenneth,
> >>
> >> I have that setup running here, so it is possible, with vuurmuur :)
> >> I'm using isc-dhcpd-V3.1.1 with tftpd in inetd mode
> >>
> >> Your vuurmuur rule
> >>
> >> RULE="Accept service tftp from local.lan to firewall"
> >>
> >> should be the only one you need, I'm guessing your firewall doesn't need
> >> to download anything using tftp?
> >>
> >> Your service definition seems a bit incorrect:
> >> - the service doesn't need a helper
> >> - tftp uses an unprivileged port from the client.
> >>
> >> Mine looks like this:
> >>
> >> ACTIVE="Yes"
> >> TCP=""
> >> UDP="69*1024:65535"
> >> ICMP=""
> >> GRE=""
> >> AH=""
> >> ESP=""
> >> PROTO_41=""
> >> BROADCAST="No"
> >> HELPER=""
> >>
> >> That should do the trick....
> >>
> >> Cheers,
> >> Milo
> >>
> >> On 24-5-2010 19:37, Victor Julien wrote:
> >>> Hi Kenneth, I have no experience with tftp, but I think it should be
> >>> able to work. Are you seeing any drop lines in the vuurmuur traffic log?
> >>>
> >>> Cheers,
> >>> Victor
> >>>
> >>> Kenneth Shaw wrote:
> >>>> Hi,
> >>>>
> >>>> I've been attempting to run a TFTP server on the firewall for PXE booting. Long story short, I've tried every variation on defining a service for TFTP that I can think of, however I can not get PXE booting to work. I am able to use a tftp client at the command line on another host to copy files from the firewall, but actually doing it during a PXE boot causes timeout errors. I've used both atftpd and tftpd-hpa. With atftpd, in the syslog, I see that the tftp server is receiving some kind of data, however the client never receives the files.
> >>>>
> >>>> The following is the service definition I have used for vuurmuur:
> >>>>
> >>>> ACTIVE="yes"
> >>>> UDP="69*69"
> >>>> BROADCAST="no"
> >>>> COMMENT="Trivial File Transfer Protocol"
> >>>> PROTO_41=""
> >>>> GRE=""
> >>>> AH=""
> >>>> ESP=""
> >>>> ICMP=""
> >>>> HELPER="tftp"
> >>>>
> >>>> (I have used many variations of this, with and without the conntrack helper).
> >>>>
> >>>> Additionally, I have these rules (among others) defined:
> >>>>
> >>>> RULE="Accept service any from firewall to local.lan"
> >>>> RULE="Accept service tftp from local.lan to firewall"
> >>>>
> >>>> What am I doing wrong? I would really like to get my PXE boot environment up and running and self-contained on the firewall -- as it is, I am forced to run the tftp server on a separate system which is not ideal. Also if it matters (I do not know if it does or not), I am not launching tftp from inetd. Instead I am having atftpd run as a standalone daemon.
> >>>>
> >>>> Any help would be greatly appreciated!
> >>>>
> >>>> --
> >>>> Kenneth Shaw
> >>>> ExpiTrans, Inc.
> >>>> 1401 Dove St, Suite 260
> >>>> Newport Beach, CA 92660
> >>>> tel: 949.650.4600
> >>>> fax: 949.642.6044
> >>>> [email protected]
> >>>>
> >>>> ------------------------------------------------------------------------------
> >>>> _______________________________________________
> >>>> Vuurmuur-users mailing list
> >>>> [email protected]
> >>>> https://lists.sourceforge.net/lists/listinfo/vuurmuur-users
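As an added illustration (not from the thread and not Vuurmuur code), the following Python script runs one RFC 1350 read request over loopback and records the ports: the client sends its RRQ from a random unprivileged port to the listener, and the server's DATA comes back from a second, freshly bound port (the server TID), which a stateful packet filter sees as a new flow distinct from the RRQ. The listener is bound to an ephemeral port instead of 69 so it runs unprivileged; the filename and payload are constructed.

```python
import socket
import struct
import threading

# Constructed example, not code from the thread: one RFC 1350 RRQ/DATA/ACK
# round trip over loopback, recording which UDP ports each side used.
RRQ, DATA, ACK = 1, 3, 4
PAYLOAD = b"constructed pxelinux.0 payload"   # < 512 bytes, so one DATA block

def tftp_server(listen_sock, result):
    """Take the RRQ on the well-known socket, answer from a new ephemeral port."""
    rrq, client_addr = listen_sock.recvfrom(512)
    if struct.unpack("!H", rrq[:2])[0] != RRQ:
        raise ValueError("expected RRQ")
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind(("127.0.0.1", 0))             # fresh socket => fresh source port (server TID)
    result["server_data_port"] = xfer.getsockname()[1]
    xfer.sendto(struct.pack("!HH", DATA, 1) + PAYLOAD, client_addr)
    ack, _ = xfer.recvfrom(512)
    result["ack_ok"] = struct.unpack("!HH", ack) == (ACK, 1)
    xfer.close()

def tftp_exchange():
    """Run the exchange and return the ports as a packet filter would see them."""
    result = {}
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))           # stands in for UDP/69 (no root needed)
    result["listen_port"] = listen.getsockname()[1]
    srv = threading.Thread(target=tftp_server, args=(listen, result))
    srv.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))           # client TID: random unprivileged port
    client.settimeout(5)
    result["client_port"] = client.getsockname()[1]
    client.sendto(struct.pack("!H", RRQ) + b"pxelinux.0\x00octet\x00",
                  ("127.0.0.1", result["listen_port"]))
    data, reply_from = client.recvfrom(516)  # DATA arrives from a port other than the listener
    result["reply_from_port"] = reply_from[1]
    result["payload"] = data[4:]
    client.sendto(struct.pack("!HH", ACK, 1), reply_from)   # ACK goes to the new port
    srv.join()
    listen.close()
    client.close()
    return result

if __name__ == "__main__":
    r = tftp_exchange()
    print(f"RRQ : client {r['client_port']} -> server {r['listen_port']}")
    print(f"DATA: server {r['reply_from_port']} -> client {r['client_port']} (new flow)")
```

A rule that only matches traffic to the well-known port covers the RRQ; the DATA flow from the server's new port must be allowed separately, either by a firewall-to-LAN rule or by a conntrack helper that expects it.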
