TFTP blocked

Started by tomas.morales, August 15, 2016, 03:15:14 PM

Hi

I need TFTP for building servers and downloading software internally in our network. Although we have rules that allow UDP/TCP on port 69, the file transfer is blocked:


Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 68,16777216,,0,ixl1_vlan250,match,pass,out,4,0x0,,63,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48
Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48


I haven't been able to find any reference to TFTP in the OPNsense docs. In pfSense there is a reference saying that I need a TFTP proxy....

The problem is that the server answers the request from a different port (see https://tools.ietf.org/html/rfc1350), and the firewall will usually block that because, from its point of view, this is a new connection which is not allowed.

If your policy allows that, you can try to pass any UDP traffic from your TFTP server.
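The port change described above can be confirmed from the firewall log itself. The following script is an added example, written for this thread and not part of OPNsense or pfSense: it parses the filterlog lines quoted in the first post, records each passed request to UDP/69, and flags blocked inbound packets that come back from the server to the client's port but from a source port other than 69 (the server's transfer identifier, per RFC 1350). The field offsets are assumed from the layout of the sample lines.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the four filterlog lines quoted in the first post.
SAMPLE_LOG = """\
Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 68,16777216,,0,ixl1_vlan250,match,pass,out,4,0x0,,63,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48
Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48
"""

TFTP_PORT = 69


def parse_filterlog(line: str) -> Optional[Dict[str, object]]:
    """Parse one IPv4 UDP filterlog record (field positions assumed from the sample)."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 23 or f[8] != "4" or f[16] != "udp":
        return None  # only IPv4 UDP records carry src/dst ports at these offsets
    return {"iface": f[4], "action": f[6], "dir": f[7], "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21])}


def find_blocked_tftp_replies(log_text: str) -> List[Dict[str, object]]:
    """Correlate passed TFTP requests (dst port 69) with blocked replies that the
    server sends back from a freshly chosen source port (its TID, RFC 1350)."""
    requests = set()   # (client ip, client port, server ip) seen going to port 69
    findings = []
    for rec in filter(None, map(parse_filterlog, log_text.splitlines())):
        if rec["action"] == "pass" and rec["dport"] == TFTP_PORT:
            requests.add((rec["src"], rec["sport"], rec["dst"]))
        elif (rec["action"] == "block" and rec["sport"] != TFTP_PORT
              and (rec["dst"], rec["dport"], rec["src"]) in requests):
            findings.append({"client": rec["dst"], "client_port": rec["dport"],
                             "server": rec["src"], "server_tid": rec["sport"],
                             "iface": rec["iface"]})
    return findings


if __name__ == "__main__":
    for hit in find_blocked_tftp_replies(SAMPLE_LOG):
        print(f"TFTP reply {hit['server']}:{hit['server_tid']} -> "
              f"{hit['client']}:{hit['client_port']} blocked on {hit['iface']} "
              "(server answered from a new TID, not port 69)")
```

Each hit is a data transfer the port-69 rule never covered, which is exactly why a rule keyed on port 69 alone lets the request through and drops the answer.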

Thanks for the advice. We actually did that as a workaround.

On some clients you can set a "firewall compatibility mode" that uses only defined TFTP ports.