OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: tomas.morales on August 15, 2016, 03:15:14 pm

Title: TFTP blocked
Post by: tomas.morales on August 15, 2016, 03:15:14 pm
Hi

I need TFTP for building servers and downloading software internally in our network. Although we have rules that allow UDP/TCP on port 69, the file transfer is blocked:


Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 68,16777216,,0,ixl1_vlan250,match,pass,out,4,0x0,,63,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48
Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48


I haven't been able to find any reference to TFTP in the opnsense doc. In pfsense there is a reference that I need a TFTP proxy...
Title: Re: TFTP blocked
Post by: fabian on August 15, 2016, 06:28:43 pm
The problem is that the server answers the request from a different port (see https://tools.ietf.org/html/rfc1350) and the firewall will usually block that because, from its point of view, this is a new connection which is not allowed.

If your policy allows that, you can try to pass any UDP traffic from your TFTP server.
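To make the RFC 1350 behaviour concrete, here is an added example (not code from the original post, and not OPNsense or pf code) that replays the four filterlog lines quoted above through a toy UDP state table keyed on the full 4-tuple, which is how pf matches UDP replies, and reports which blocked packets are TFTP server replies arriving from a freshly chosen source port (the server's transfer ID). The filterlog field layout it parses is the IPv4 form seen in this thread; the verdict names are my own.

```python
"""Why a stateful firewall drops TFTP replies (RFC 1350 transfer IDs).

Added example, not part of the original post or of OPNsense/pf.  A TFTP
client sends its request to UDP/69, but the server answers from a new,
random source port (its TID).  A firewall that keys UDP state on the full
4-tuple sees that answer as an unrelated new flow and blocks it.
"""
from dataclasses import dataclass

TFTP_PORT = 69

# Copied from the original post (not constructed): one request passed in
# both directions, then two server replies blocked on the server-side VLAN.
FILTERLOG_LINES = [
    "Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78",
    "Aug 15 12:52:50 ny4fw07 filterlog: 68,16777216,,0,ixl1_vlan250,match,pass,out,4,0x0,,63,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78",
    "Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48",
    "Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48",
]


@dataclass(frozen=True)
class Pkt:
    rule: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_filterlog(line: str) -> Pkt:
    """Parse the IPv4 TCP/UDP form of a pf filterlog line.

    Field layout (0-based, after the 'filterlog: ' prefix):
      0 rule number, 4 interface, 6 action, 7 direction, 8 IP version,
      16 protocol name, 18 src, 19 dst, 20 sport, 21 dport.
    """
    f = line.split("filterlog: ", 1)[1].split(",")
    if f[8] != "4" or f[16] not in ("udp", "tcp"):
        raise ValueError("only IPv4 tcp/udp filterlog lines are handled here")
    return Pkt(f[0], f[4], f[6], f[7], f[16], f[18], f[19], int(f[20]), int(f[21]))


def analyze(lines):
    """Return a list of (Pkt, verdict) for every blocked packet.

    Verdicts (names are this example's own):
      'tftp-tid-mismatch'  the blocked packet answers a request the firewall
                           passed to port 69, but comes from another source
                           port, so it matches no state entry;
      'state-exists'       the exact reverse 4-tuple was passed earlier (a
                           live pf state would have matched, so this points
                           at expiry or interface binding, not at TFTP);
      'no-state'           nothing in the log explains the packet.
    """
    states = set()          # 4-tuples (plus proto) of flows the firewall passed
    findings = []
    for pkt in map(parse_filterlog, lines):
        if pkt.action == "pass":
            states.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
            continue
        # A reply only matches state if it is the exact reverse of the request.
        reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse in states:
            findings.append((pkt, "state-exists"))
            continue
        # TFTP signature: the client earlier sent from pkt.dport to UDP/69 on
        # this server, and the server now answers from a different port.
        request = (pkt.proto, pkt.dst, pkt.src, pkt.dport, TFTP_PORT)
        if pkt.proto == "udp" and request in states and pkt.sport != TFTP_PORT:
            findings.append((pkt, "tftp-tid-mismatch"))
        else:
            findings.append((pkt, "no-state"))
    return findings


if __name__ == "__main__":
    for pkt, verdict in analyze(FILTERLOG_LINES):
        print(f"rule {pkt.rule} on {pkt.iface}: {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} {verdict}")
```

Run against the lines from the post, both blocked packets come back as `tftp-tid-mismatch`: the client asked 10.132.250.203:69 from port 43011, and the server replied to 43011 from 48105 and then 55791, neither of which matches the pass state. That is exactly the gap the workaround above closes by passing UDP from the TFTP server; if the policy needs to be tighter, restricting the reply rule to the server's ephemeral source-port range is an option, but that range depends on the server's OS and is an assumption, not something the thread states.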
Title: Re: TFTP blocked
Post by: tomas.morales on August 17, 2016, 12:09:00 pm
Thanks for the advice. We actually did that as a workaround.
Title: Re: TFTP blocked
Post by: echappatte on August 17, 2016, 06:00:39 pm
On some clients you can set a "firewall compatibility mode" that uses only defined TFTP ports.