TFTP Connection Tracking Issue...

TFTP Connection Tracking Issue...

[Gautham Thavva]

I have enforced a firewall, using iptables-1.2.6a, on a Redhat 7.2 host (Kernel version is 2.4.7-10).

I have applied the *tftp* patch available in the patch-o-matic. The patch has not helped in tracking the TFTP session.

The TFTP client sends the Read request to the server. The server sends the Data block but there is no acknowledgement from the client.

After enabling the debug prints, I have noticed that: 1. the tuple for the connection is created
2. enters and exits out of *ip_conntrack_expect_related* function
3. through the netfilter hook, enters the *resolve_normal_ct* function. It however doesn't find the connection tracking tuple. It finds that the incoming packets are *related* packets and it accepts that packet.

However, the TFTP transfer times out.

----------------
Later I added a rule specifying the destination port of the tftp session and noticed that the *related* packets became *normal* packets for that connection.

The following is a snippet of the iptable rules for the TFTP protocol:

### TFTP ###
$IPTABLES -A allowed_udp -p UDP -m state --state RELATED -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --sport 69 -j allowed_udp

Please can someone share their insight and assist me in resolving the TFTP connection tracking problem.

Thanks,
Gautham Thavva







____________________________________________________________
FREE ADHD DVD or CD-Rom (your choice) - click here!
http://ad.doubleclick.net/clk;6413623;3807821;f?http://mocda2.com/1/c/563632/131726/311392/311392
AOL users go here: http://ad.doubleclick.net/clk;6413623;3807821;f?http://mocda2.com/1/c/563632/131726/311392/311392
This offer applies to U.S. Residents Only

Re: TFTP Connection Tracking Issue...

[Jörg Schütter]

Hallo Gautham,

On Wed, 29 Oct 2003 17:14:11 -0400
"Gautham Thavva" <gautham.thavva@lycos.com> wrote:

> 
> I have enforced a firewall, using iptables-1.2.6a, on a Redhat 7.2
> host (Kernel version is 2.4.7-10).
> 
> I have applied the *tftp* patch available in the patch-o-matic. The
> patch has not helped in tracking the TFTP session.
> 
> The TFTP client sends the Read request to the server. The server sends
> the Data block but there is no acknowledgement from the client.
> 
> After enabling the debug prints, I have noticed that: 1. the tuple for
> the connection is created 2. enters and exits out of
> *ip_conntrack_expect_related* function 3. through the netfilter hook,
> enters the *resolve_normal_ct* function. It however doesn't find the
> connection tracking tuple. It finds that the incoming packets are
> *related* packets and it accepts that packet.
> 
> However, the TFTP transfer times out.
> 
> ----------------
> Later I added a rule specifying the destination port of the tftp
> session and noticed that the *related* packets became *normal* packets
> for that connection.
> 
> The following is a snippet of the iptable rules for the TFTP protocol:
> 
> ### TFTP ###
> $IPTABLES -A allowed_udp -p UDP -m state --state RELATED -j ACCEPT
> $IPTABLES -A udp_packets -p UDP -s 0/0 --sport 69 -j allowed_udp

If your server is 5.6.7.8 and the client is 1.2.3.4 the following lines
should be enough after loading the tftp_conntrack module.

$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Just allow tftp to the server, further packages of the
# tftp-session and tftp-data are permitted by the line above.
$iptables -A FORWARD -p UDP -s 1.2.3.4 -d 5.6.7.8 --dport 69 \
    -m state --state NEW -j ACCEPT


Gruß
  Jörg

-- 
Jörg Schütter           http://www.lug-untermain.de/
joerg@schuetter.org     http://www.schuetter.org/joerg/
ICQ: 298982789          http://mypenguin.bei.t-online.de/