TFTP blocked

[tomas.morales]

Hi

I need TFTP for building servers and downloading software internally in our network. Although we have rules that allow UDP/TCP on port 69, the file transfer is blocked:


Aug 15 12:52:50 ny4fw07 filterlog: 175,16777216,,0,ixl2_vlan242,match,pass,in,4,0x0,,64,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 68,16777216,,0,ixl1_vlan250,match,pass,out,4,0x0,,63,0,0,DF,17,udp,98,10.132.242.14,10.132.250.203,43011,69,78
Aug 15 12:52:50 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64178,0,none,17,udp,68,10.132.250.203,10.132.242.14,48105,43011,48
Aug 15 12:52:57 ny4fw07 filterlog: 278,16777216,,0,ixl1_vlan250,match,block,in,4,0x0,,64,64179,0,none,17,udp,68,10.132.250.203,10.132.242.14,55791,43011,48


I haven't able to find any reference to TFTP in opnsense doc. In pfsense there is a reference that I need a TFTP proxy....

[fabian]

the problem is that the server answers the request from a different port (see https://tools.ietf.org/html/rfc1350) and the firewall usually will block that because from its point of view this is a new connection which is not allowed.

If your policy allows that, you can try to pass any UDP traffic from your TFTP server.

[tomas.morales]

Thanks for the advice. We actually did that as a workaround.

[echappatte]

On some client you can set a "firewall compatibility mode" that use only defined TFTP ports.