Re: Getting timeouts on TFTP on F15 as well as F14

On 11 October 2011 13:13, Frantisek Hanzlik <franta@xxxxxxxxxxx> wrote:
Aaron Gray wrote:
> On 11 October 2011 00:05, Frantisek Hanzlik <franta@xxxxxxxxxxx> wrote:
>
>     Aaron Gray wrote:
>     > On 10 October 2011 23:31, Frantisek Hanzlik <franta@xxxxxxxxxxx> wrote:
>     >
>     >     Aaron Gray wrote:
>     >     > On 10 October 2011 22:20, Frantisek Hanzlik <franta@xxxxxxxxxxx> wrote:
>     >     >
>     >     >     Aaron Gray wrote:
>     >     >     ...
>     >     >     >
>     >     >     >     4) if You use a firewall (iptables), You should load the nf_conntrack_tftp module,
>     >     >     >     for tracking ephemeral ports. That means /etc/sysconfig/iptables-config should
>     >     >     >     contain a line such as:
>     >     >     >     ...
>     >     >     >     IPTABLES_MODULES="nf_conntrack_tftp"
>     >     >     >     ...
>     >     >     >     (the other module is for NATting tftp connections)
>     >     >     >
>     >     >     >
>     >     >     > using localhost
>     >     >
>     >     >     loopback (lo interface) is subject to firewall rules too. And Your tcpdump
>     >     >     below shows IP addresses 192.168.0.4 and 192.168.0.5 - perhaps they are not
>     >     >     at the lo loopback interface?
>     >     >     Do You have a firewall active?
>     >     >
>     >     >
>     >     > I wrote a firewall rule :-
>     >     >
>     >     > -A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
>     >
>     >     Then You should have (best at the beginning of the filter table rules) the rule:
>     >
>     >     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     >
>     >
>     > Okay.
>     >
>     >
>     >
>     >     (and the nf_conntrack_tftp module listed in "/etc/sysconfig/iptables-config",
>     >     as I wrote before). You must restart iptables after these changes.
>
>     Is the nf_conntrack_tftp module loaded? You should obtain similar output:
>     # lsmod |grep tftp
>     nf_conntrack_tftp       3325  0
>     nf_conntrack           56162  4 nf_conntrack_tftp,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>
>
> No conntrack_tftp running, but it is not needed with a localhost TFTP test.

What do You mean by "localhost TFTP test"? When You run the iptables firewall,
You must consider EVERY connection, even if it is from a tftp client running
on the same machine as the tftp server (e.g. with the command "tftp 127.0.0.1 -c get FILE").
And it seems Your tftp client runs from a machine with IP=192.168.0.5
and the server runs on another with IP=192.168.0.4, right?


I have tried both localhost and from a remote machine.
 
> How do I load conntrack_tftp ?

You had it above - the right "Fedora way" is to specify the module in the file
"/etc/sysconfig/iptables-config", as the value of the IPTABLES_MODULES variable:

IPTABLES_MODULES="nf_conntrack_tftp"

(and then restart Your firewall: "service iptables restart").
But, to simplify things (which is advisable, You have been solving this simple
problem for three days!), when it isn't a security risk, You can stop the firewall:

Okay, loaded conntrack_tftp

service iptables stop

and run it again after verifying tftp is OK without it.

No, it's not working without iptables, tried this many times.


>     >     >     >     5) /var/log/messages should contain entries as:
>     >     >     >     Oct 10 20:28:32 ns xinetd[1908]: START: tftp pid=5315 from=192.168.1.22
>     >     >     >     Oct 10 20:28:42 ns xinetd[1908]: EXIT: tftp status=0 pid=5315
>     duration=10(sec)
>     >     >     >
>     >     >     >
>     >     >     > Oct 10 21:09:07 gold xinetd[13402]: Exiting...
>     >     >     > Oct 10 21:09:12 gold xinetd[13650]: xinetd Version 2.3.14 started with
>     libwrap loadavg
>     >     >     > labeled-networking options compiled in.
>     >     >     > Oct 10 21:09:12 gold xinetd[13650]: Started working: 1 available service
>     >     >
>     >     >     There is nothing about xinetd starting the tftp daemon. Is the mentioned
>     >     >     "1 available service" tftp?
>     >     >     Does this command show only tftp:
>     >     >
>     >     >     # grep '^[[:blank:]]*disable.*no' /etc/xinetd.d/*
>     >     >     /etc/xinetd.d/tftp:     disable = no
>     >     >
>     >     >
>     >     > I tested it and it is the only xinetd daemon running
>     >     >
>     >     >
>     >     >     Does the next command display something similar at Your server?:
>     >     >     # netstat -a -n -p --ip|grep 69
>     >     >     udp        0      0 0.0.0.0:69      0.0.0.0:*      1595/xinetd
>
>     What does netstat display now? Is xinetd listening at udp 69?
>
> [root@XXXX ang]# netstat -a -n -p --ip|grep 69
> udp        0      0 0.0.0.0:69      0.0.0.0:*     1127/xinetd

Okay, now when You connect with the tftp client, You should see in /var/log/messages
entries from the xinetd daemon about starting the tftp daemon.

Nothing in messages

Thanks for the help, I am thinking of escalating this to the development group.

Aaron
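The checklist Frantisek walks through in this thread (conntrack helper loaded, a RELATED,ESTABLISHED accept ahead of the udp/69 rule, xinetd bound to udp 69) can be made mechanical. The script below is an added example of mine, not code from the thread or from Fedora: three small checks that read lsmod, iptables rule and netstat output from stdin, plus a wrapper that runs them on constructed samples modelled on the output quoted above. All function names and sample values are my own.

```shell
#!/bin/sh
# Added example, not from the thread. TFTP moves the data transfer to
# ephemeral ports, so a "--dport 69" rule alone admits only the first
# packet; nf_conntrack_tftp marks the rest RELATED, and a RELATED,ESTABLISHED
# accept placed before the udp/69 rule must let them in. Each check reads
# command output from stdin ("lsmod | tftp_helper_loaded") or a sample.

# 1) Is the conntrack helper loaded? (input: lsmod output)
tftp_helper_loaded() {
    grep -q '^nf_conntrack_tftp[[:space:]]'
}

# 2) Is there a RELATED,ESTABLISHED accept in INPUT before the udp/69 rule?
#    (input: iptables-save output or the -A lines of /etc/sysconfig/iptables)
related_rule_before_tftp() {
    awk '
        /^-A INPUT/ && /--(ct)?state[ \t]+RELATED,ESTABLISHED/ && /-j ACCEPT/ { if (!est) est = NR }
        /^-A INPUT/ && /-p udp/ && /--dport 69([ \t]|$)/                   { if (!tftp) tftp = NR }
        END { exit !(est && tftp && est < tftp) }'
}

# 3) Is something (here xinetd) bound to udp port 69? (input: netstat -anp --ip)
listening_on_udp69() {
    grep -Eq '^udp[[:space:]].*[:.]69[[:space:]]'
}

# Constructed samples modelled on the thread's output (not real captures).
LSMOD_OK='nf_conntrack_tftp       3325  0
nf_conntrack           56162  4 nf_conntrack_tftp,nf_conntrack_ipv4,xt_state'
RULES_BAD='-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
RULES_OK='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT'
NETSTAT_OK='udp        0      0 0.0.0.0:69      0.0.0.0:*     1127/xinetd'

# Run all three checks; report what is missing, return 0 only if all pass.
tftp_firewall_check() {
    ok=0
    printf '%s\n' "$1" | tftp_helper_loaded       || { echo "nf_conntrack_tftp not loaded"; ok=1; }
    printf '%s\n' "$2" | related_rule_before_tftp || { echo "RELATED,ESTABLISHED accept missing or after the udp/69 rule"; ok=1; }
    printf '%s\n' "$3" | listening_on_udp69       || { echo "nothing listening on udp/69"; ok=1; }
    return $ok
}

tftp_firewall_check "$LSMOD_OK" "$RULES_OK" "$NETSTAT_OK" && echo "all prerequisites met"
```

Note that the RULES_BAD sample has the RELATED,ESTABLISHED accept after the udp/69 rule, which is the ordering the thread warns against; the ordering check alone does not prove the helper matched a given transfer, so /var/log/messages and tcpdump still have the final word.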

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx