Tftp package doesn't work but found a workaround

jimp

: sockstat | grep inetd
root     inetd      47253 4  stream /var/run/check_reload_status
root     inetd      47253 6  stream /var/run/check_reload_status
root     inetd      47253 12 dgram  (not connected)
root     inetd      47253 13 udp4   *:*                   *:*
root     inetd      47253 17 udp4   127.0.0.1:6969        *:*
root     inetd      47253 18 udp4   127.0.0.1:69          *:*

That last line is tftpd. You probably need to add a port forward on LAN for port udp/69 to direct it at 127.0.0.1:69, since inetd is only listening on localhost.

Damn sorry…. still does not work, even after creation of nat+passing rule.
May this be due to the fact that I have manual outbound nat ? (required for xbox live to work correctly)

Here are sockstat results, it seems that tftp daemon is listening

root     inetd      1883  4  stream /var/run/check_reload_status
root     inetd      1883  6  stream /var/run/check_reload_status
root     inetd      1883  12 dgram  (not connected)
root     inetd      1883  13 udp4   *:*                   *:*
root     inetd      1883  17 udp4   127.0.0.1:6969        *:*
root     inetd      1883  18 tcp4   127.0.0.1:19000       *:*
root     inetd      1883  19 udp4   127.0.0.1:19000       *:*
root     inetd      1883  20 tcp4   127.0.0.1:19001       *:*
root     inetd      1883  21 udp4   127.0.0.1:19001       *:*
root     inetd      1883  22 tcp4   127.0.0.1:19002       *:*
root     inetd      1883  23 udp4   127.0.0.1:19002       *:*
root     inetd      1883  24 tcp4   127.0.0.1:19003       *:*
root     inetd      1883  25 udp4   127.0.0.1:19003       *:*
root     inetd      1883  26 udp4   127.0.0.1:19004       *:*
root     inetd      1883  27 tcp4   127.0.0.1:19005       *:*
root     inetd      1883  28 udp4   127.0.0.1:69          *:*

jimp

manual outbound nat wouldn't affect it.

Show me exactly what your port forward rule on LAN looks like.

I just attached them.

1.png_thumb

2.png_thumb

jimp

Just do UDP, not tcp/udp.

Also make sure you do NOT have the TFTP proxy set to listen on LAN (System > Advanced, Firewall/NAT tab).

Next week some time I can add an interface selection to add the rules automatically, and warn if the proxy is on. They'd both be adding a rule redirecting port 69, so if one is active the other wouldn't work.

Ok, I extended to TCP/UDP to see but now I set it back to UDP only.
TFTP proxy is not listening on any interface.
Still not working… I'm getting crazy :) anyway, thanks for your support

jimp

It looks right otherwise… I have no trouble pulling a test file from my VM with a port forward that looks like that.

What do you get if you try this:

: grep 'port 69' /tmp/rules.debug

rdr pass on vr0 proto udp from any to 192.168.1.1 port 69 -> 127.0.0.1

When I do a

telnet 127.0.0.1 69

in SSH session, this should "work", isn't it ?

jimp

Instead of choosing "pass" for the firewall rule type, try just "none" since your LAN rule will pass it.

Telnet won't work for tftp, telnet is tcp, tftp is udp. Netcat might work, but the best test is an actual TFTP client.

jimp

$ nc -uz 192.168.x.y 69
Connection to 192.168.x.y 69 port [udp/tftp] succeeded!

Wow, I deserve my "newbie" title then :)

I set it to none but still not working.
As a client, I use a vm on a esx server a try to boot the pxe way

jimp

Upload a test file using the TFTP package GUI, and then try to retrieve it from something locally.

$ tftp 192.168.x.y
tftp> get help.png
Received 3157 bytes during 0.0 seconds in 7 blocks
tftp> quit


:nc -uz 127.0.0.1  69
Connection to 127.0.0.1 69 port [udp/tftp] succeeded!

:nc -uz 192.168.1.1 69
Connection to 192.168.1.1 69 port [udp/tftp] succeeded!

Well, it seems it works from the box itself… I don't get it ...

jimp

Do you have an actual tftp client you can try from another box/vm, instead of just trying a PXE boot? Also make sure the file name matches exactly what you're trying to download, case and all.

jimp

Also I noticed you had NAT reflection on, you might try to disable NAT reflection for that one rule using the override box on the rule editor.

OK I disabled the NAT reflection for this rule.
Here what I got from tftp :


Setting up tftp (0.17-16) ...
vm-swat:~# tftp 192.168.1.1
tftp> get BootMenu
Transfer timed out.

tftp>

jimp

and that VM can ping and otherwise talk to 192.168.1.1 without problems?

I disabled NAT reflection at sytem level and activated it for the only rule which need it. Cool new functionality.
Yes, I checked connectivity to be sure.
I also disabled snort (only other package installed) to be sure there was not any interference or side effect

actually if I do

nc -uz 192.168.1.1 (any port number)

it returns succeeded :)