Hi Sami,
Well, what I could understand from this was: you want to block any tftp
connections initiated from the external internet, but want to allow outgoing tftp
connection requests generated from inside your private network. Right?
Well, if that is the case, actually your network's tftp connection initiation
begins directly on some higher TID (not 69). 69 is used only as the
destination TID by the connection initiator. So you can safely go ahead and
block your UDP port 69.
Sujeet
From: Sami Kerola <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: tftp
Date: Mon, 26 Jul 1999 14:03:58 +0300
Gentlemen,
I have a Linux ipchains firewall and a network specialist
in the same house. The problems are (1) what our specialist wants
and (2) how tftp works.
1. Access to any router, switch or other device in
every possible network, wherever it is. He said that tftp
is needed when software updates are done to such devices.
2. It is possible to block by port and address; in this
case I need to open the tftp port (udp & tcp 69)
to every host. But something came as a surprise.
(taken from RFC 1350)
... TFTP does not specify any of the
values in the Internet header. On the other hand, the source and
destination port fields of the Datagram header (its format is given
in the appendix) are used by TFTP and the length field reflects the
size of the TFTP packet. The transfer identifiers (TID's) used by
TFTP are passed to the Datagram layer to be used as ports; therefore
they must be between 0 and 65,535. The initialization of TID's is
discussed in the section on initial connection protocol.
...
In order to create a connection, each end of the connection chooses a
TID for itself, to be used for the duration of that connection. The
TID's chosen for a connection should be randomly chosen, so that the
probability that the same number is chosen twice in immediate
succession is very low. Every packet has associated with it the two
TID's of the ends of the connection, the source TID and the
destination TID. These TID's are handed to the supporting UDP (or
other datagram protocol) as the source and destination ports. A
requesting host chooses its source TID as described above, and sends
its initial request to the known TID 69 decimal (105 octal) on the
serving host. The response to the request, under normal operation,
uses a TID chosen by the server as its source TID and the TID chosen
for the previous message by the requestor as its destination TID.
The two chosen TID's are then used for the remainder of the transfer.
(that's all needed)
Back to ipchains. With tcp connections this is not a
problem. I only needed to allow port 69 with the syn flag
and then, without the syn flag, the other ports. The big
problem is how I can block any udp traffic when I have
to allow all ports from anywhere to anywhere from
all ports.
Is there something I can do, or do I have to purchase
a real commercial firewall?
Yours,
Sami
===
Sami Kerola
RTT Ohjelmistopankki Oy
Rantakatu 8, 92101 RAAHE, FINLAND
p +358 8 2104210, m +358 50 3438138, f +358 8 2104201
http://www.ohjelmistopankki.fi/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
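The whole difficulty in the thread is that, per the RFC 1350 text Sami quotes, only the client's first datagram goes to port 69; the server answers from a freshly chosen TID to the client's freshly chosen TID, so a stateless "allow UDP to 69" rule passes the request and drops the reply. The script below is an added illustration, not code from either poster; it builds RFC 1350 RRQ and DATA packets, then runs constructed datagrams through two policies: the stateless one Sami describes, and a small tracker that remembers an outbound RRQ/WRQ (client IP, client TID, server IP) and admits the server's reply from whatever source port it picks, while still refusing unsolicited inbound packets to 69 or to a high port. The 10.0.0.0/8 inside range, the hosts, ports and 30-second timeout are all assumed values chosen for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

TFTP_PORT = 69
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK = 1, 2, 3, 4
INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed private side of the firewall


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_data(block: int, data: bytes) -> bytes:
    """RFC 1350 DATA packet: opcode 3, 16-bit block number, up to 512 data bytes."""
    return struct.pack("!HH", OP_DATA, block) + data


def opcode(payload: bytes):
    return struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else None


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def stateless_allow(dg: Datagram) -> bool:
    """The rule set the thread starts from: any UDP out, UDP in only to port 69."""
    if is_inside(dg.src_ip):
        return True
    return dg.dst_port == TFTP_PORT


class TftpTracker:
    """Admit inbound UDP only when it answers a request that was seen leaving."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.pending = {}      # (client_ip, client_tid, server_ip) -> expiry
        self.established = {}  # (client_ip, client_tid, server_ip, server_tid) -> expiry

    def _expire(self, now: float) -> None:
        for table in (self.pending, self.established):
            for key in [k for k, t in table.items() if t < now]:
                del table[key]

    def allow(self, dg: Datagram, now: float) -> bool:
        self._expire(now)
        if is_inside(dg.src_ip):
            # Outbound is always passed; an RRQ/WRQ to port 69 opens a pending slot
            # keyed on the client's own TID, because the server's TID is unknown yet.
            if dg.dst_port == TFTP_PORT and opcode(dg.payload) in (OP_RRQ, OP_WRQ):
                self.pending[(dg.src_ip, dg.src_port, dg.dst_ip)] = now + self.timeout
            flow = (dg.src_ip, dg.src_port, dg.dst_ip, dg.dst_port)
            if flow in self.established:  # e.g. an outbound ACK keeps the transfer alive
                self.established[flow] = now + self.timeout
            return True
        key = (dg.dst_ip, dg.dst_port, dg.src_ip)
        if key in self.pending:
            # First reply from the server: bind its chosen TID for the rest of the transfer.
            del self.pending[key]
            self.established[key + (dg.src_port,)] = now + self.timeout
            return True
        flow = key + (dg.src_port,)
        if flow in self.established:
            self.established[flow] = now + self.timeout
            return True
        return False  # unsolicited: to port 69 or to a random high port alike


def demo() -> dict:
    """Constructed datagrams: one legitimate transfer plus two unsolicited inbound packets."""
    rrq = Datagram("10.1.1.5", 40001, "192.0.2.10", TFTP_PORT, build_rrq("router.bin"))
    data1 = Datagram("192.0.2.10", 50123, "10.1.1.5", 40001, build_data(1, b"\x7fELF"))
    data2 = Datagram("192.0.2.10", 50123, "10.1.1.5", 40001, build_data(2, b"more"))
    probe = Datagram("198.51.100.7", 3333, "10.1.1.5", TFTP_PORT, build_rrq("config.bin"))
    stray = Datagram("198.51.100.7", 50123, "10.1.1.5", 40001, build_data(1, b"junk"))

    stateless = {"rrq": stateless_allow(rrq), "data": stateless_allow(data1),
                 "probe": stateless_allow(probe)}
    tracker = TftpTracker()
    stateful = {"rrq": tracker.allow(rrq, 0.0), "data": tracker.allow(data1, 1.0),
                "data2": tracker.allow(data2, 2.0), "probe": tracker.allow(probe, 3.0),
                "stray": tracker.allow(stray, 4.0)}
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    print(demo())
```

The stateless result is exactly Sami's complaint: the request leaves, the server's DATA reply from port 50123 is dropped, and an outside host's request to port 69 is let in. The tracker reverses both outcomes using only what RFC 1350 guarantees (the reply comes from the server's IP to the client's chosen TID); the server's port is learned from that first reply and then pinned, and the slot expires if nothing arrives within the timeout.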