TFP inside firewall

List overview All Threads
Download

newer

older

RE: [CentOS] School Server Setup

Newer GNOME than base release

lingu

9 Jun 2008 9 Jun '08

11:58 a.m.

Hi,

I have a setup where the tftp server is inside the firewall.

Now the issue is tftp client send request on dynamic udp port. Can anyone give some idea, how i can bind the fixed port for client udp requests ? Otherwise i hope, it is not a solution that i will open all port related to UDP in the firewall.

Regards, lingu

Attachments:

attachment.html (text/html — 362 bytes)

Show replies by date

John Newbigin

10 Jun 10 Jun

6:38 a.m.

I use tftp through a masquerading firewall. To set it up I edited (on the CentOS-4 firewall) /etc/sysconfig/iptables-config and set IPTABLES_MODULES="ip_nat_tftp ip_conntrack_tftp"

I think ip_conntrack_tftp is what you need.

John.

lingu wrote:

...

Hi,

I have a setup where the tftp server is inside the firewall.

Now the issue is tftp client send request on dynamic udp port. Can anyone give some idea, how i can bind the fixed port for client udp requests ? Otherwise i hope, it is not a solution that i will open all port related to UDP in the firewall.

Regards, lingu

CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

-- John Newbigin ITS Senior Analyst / Programmer Faculty of Information and Communication Technologies Swinburne University of Technology Melbourne, Australia http://www.ict.swin.edu.au/staff/jnewbigin

lingu

8:15 a.m.

Hi ,

Thanx for your reply but my query is different already ip_conntrack_tftp is loaded in my centos . TFTP is working fine now ,but i want to toghten more security on iptables.Right now all of my udp port is opened, i dont want to do that .see my previous mail below

#################################################################### I have a setup where the tftp server is inside the firewall.

Regards, lingu

On Mon, Jun 9, 2008 at 5:28 PM, lingu hicheerup@gmail.com wrote:

...

Hi,

I have a setup where the tftp server is inside the firewall.

Now the issue is tftp client send request on dynamic udp port. Can anyone give some idea, how i can bind the fixed port for client udp requests ? Otherwise i hope, it is not a solution that i will open all port related to UDP in the firewall.

Regards, lingu

Filipe Brandenburger

11 Jun 11 Jun

1:30 a.m.

If conntrack can track the TFTP sessions, then you should be able to filter it using -m state in iptables.

iptables -A ... -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A ... -m state --state NEW -p udp --dport 69 -j ACCEPT

You can have one rule in INPUT and the other in OUTPUT, or both in FORWARD with different -i and -o interfaces.

If you give more details on your current topology, what's the access you want to allow, and what are your current rules, it might be easier to help you accomplish that exactly.

HTH, Filipe

6156

Age (days ago)

6158

Last active (days ago)

discuss@lists.centos.org

3 comments

3 participants

tags (0)

participants (3)

Filipe Brandenburger
John Newbigin
lingu