Hi Kenneth,

The rules vuurmuur creates normally don't rewrite anything.
As you state, the client will use a random - non-privileged - port to 
connect to the service, thus your tftp "service in vuurmuur" should be 
defined as in my example.
Your definition only allows connections initiated from port 69.


Cheers
Milo



On 25-5-2010 17:34, Kenneth Shaw wrote:
> Hi Milo,
>
> Thanks for the input. However, have you been able to get this to work with a 
> PXE client? I have tftp working just fine, behind vuurmuur when I use the 
> atftp command line. My problem seems to come only from PXE based tftp clients.
>
> My guess is that Vuurmuur is doing some kind of source / destination port 
> rewriting, as if tftp uses random ports on the client.
>
> With or without the helper (ie, tftp) it doesn't work for PXE clients. If I 
> was trying to NAT tftp, then yes, I'm guessing that the tftp conntrack module 
> would be necessary, much as the ftp / irc modules would be necessary for 
> NAT'ing those protocols.
>
> --
> Kenneth Shaw
> ExpiTrans, Inc.
> 1401 Dove St, Suite 260
> Newport Beach, CA 92660
> tel: 949.650.4600
> fax: 949.642.6044
> [email protected]
>
>
> ----- Original Message -----
> From: milo [mailto:[email protected]]
> To: [email protected]
> Sent: Tue, 25 May 2010 03:54:51 -0700
> Subject: Re: [Vuurmuur-users] Running TFTP server on Firewall
>
>> Hi Kenneth,
>>
>> I have that setup running here, so it is possible, with vuurmuur :)
>> I'm using isc-dhcpd-V3.1.1 with tftpd in inetd mode
>>
>> Your vuurmuur rule
>>
>> RULE="Accept service tftp from local.lan to firewall"
>>
>> should be the only one you need, I'm guessing your firewall doesn't need
>> to download anything using tftp?
>>
>> Your service definition seems a bit incorrect:
>> - the service doesn't need a helper
>> - tftp uses an unprivileged port from the client.
>>
>> Mine looks like this:
>>
>> ACTIVE="Yes"
>> TCP=""
>> UDP="69*1024:65535"
>> ICMP=""
>> GRE=""
>> AH=""
>> ESP=""
>> PROTO_41=""
>> BROADCAST="No"
>> HELPER=""
>>
>> That should do the trick....
>>
>> Cheers,
>> Milo
>>
>> On 24-5-2010 19:37, Victor Julien wrote:
>>> Hi Kenneth, I have no experience with tftp, but I think it should be
>>> able to work. Are you seeing any drop lines in the vuurmuur traffic log?
>>>
>>> Cheers,
>>> Victor
>>>
>>> Kenneth Shaw wrote:
>>>
>>>> Hi,
>>>>
>>>> I've been attempting to run a TFTP server on the firewall for PXE
>>>> booting.
>>>>
>>>> Long story short, I've tried every variation on defining a service for
>>>> TFTP that I can think of, however I can not get PXE booting to work. I am
>>>> able to use a tftp client at the command line on another host to copy files
>>>> from the firewall, but actually doing it during a PXE boot causes timeout
>>>> errors. I've used both atftpd and tftpd-hpa. With atftpd, in the syslog, I
>>>> see that the tftp server is receiving some kind of data, however the client
>>>> never receives the files.
>>>>
>>>> The following is the service definition I have used for vuurmuur:
>>>>
>>>> ACTIVE="yes"
>>>> UDP="69*69"
>>>> BROADCAST="no"
>>>> COMMENT="Trivial File Transfer Protocol"
>>>> PROTO_41=""
>>>> GRE=""
>>>> AH=""
>>>> ESP=""
>>>> ICMP=""
>>>> HELPER="tftp"
>>>>
>>>> (I have used many variations of this, with and without the conntrack
>>>> helper).
>>>>
>>>> Additionally, I have these rules (among others) defined:
>>>>
>>>> RULE="Accept service any from firewall to local.lan"
>>>> RULE="Accept service tftp from local.lan to firewall"
>>>>
>>>> What am I doing wrong? I would really like to get my PXE boot environment
>>>> up and running and self-contained on the firewall -- as it is, I am forced
>>>> to run the tftp server on a separate system which is not ideal. Also if it
>>>> matters (I do not know if it does or not), I am not launching tftp from
>>>> inetd. Instead I am having atftpd run as a standalone daemon.
>>>>
>>>> Any help would be greatly appreciated!
>>>>
>>>> --
>>>> Kenneth Shaw
>>>> ExpiTrans, Inc.
>>>> 1401 Dove St, Suite 260
>>>> Newport Beach, CA 92660
>>>> tel: 949.650.4600
>>>> fax: 949.642.6044
>>>> [email protected]
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Vuurmuur-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/vuurmuur-users


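An added illustration of the point Milo makes, not code from this thread or from vuurmuur: a small stateful port filter is fed the packets of one TFTP read, showing that a service restricted to source port 69 drops the client's request, while a service that accepts the client's unprivileged source port lets it through. It also shows why the "any from firewall to local.lan" rule Kenneth already has covers the server's reply from a fresh transfer ID without a conntrack helper. Zone names, rule objects and port numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    src: str    # zone of the sender, "lan" or "fw" (constructed names)
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    sports: Optional[range]  # None means any source port
    dports: Optional[range]  # None means any destination port

    def matches(self, p: Pkt) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and (self.sports is None or p.sport in self.sports)
                and (self.dports is None or p.dport in self.dports))

def tftp_read(client_port: int, server_tid: int) -> list:
    """Packets of a TFTP read: the RRQ goes to port 69, but the server answers
    from a freshly chosen port (its transfer ID) and the client ACKs that port."""
    return [Pkt("lan", client_port, "fw", 69),          # RRQ
            Pkt("fw", server_tid, "lan", client_port),  # DATA block 1
            Pkt("lan", client_port, "fw", server_tid)]  # ACK block 1

def run(rules: list, packets: list) -> list:
    """Stateful filter: a packet of a flow already accepted in either direction
    passes as established; otherwise the rules decide, and an accepted packet
    opens a flow. Stops at the first drop, since the peer then sends no more."""
    flows, verdicts = set(), []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        ok = key in flows or rev in flows or any(r.matches(p) for r in rules)
        verdicts.append(ok)
        if not ok:
            break
        flows.add(key)
    return verdicts

EPHEMERAL = range(1024, 65536)
FW_TO_LAN_ANY = Rule("fw", "lan", None, None)  # "any from firewall to local.lan"
PORT69_ONLY = Rule("lan", "fw", range(69, 70), range(69, 70))  # source 69 to 69 only
TFTP = Rule("lan", "fw", EPHEMERAL, range(69, 70))  # client from an unprivileged port
```

With `pkts = tftp_read(49152, 54321)`, `run([PORT69_ONLY, FW_TO_LAN_ANY], pkts)` returns `[False]` (the request never reaches tftpd), `run([TFTP, FW_TO_LAN_ANY], pkts)` returns `[True, True, True]`, and `run([TFTP], pkts)` returns `[True, False]` because the server's reply from its transfer ID matches neither a rule nor an established flow.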