TFTP Client Issue
Posted: 2021/01/05 22:36:29
I have a working TFTP server that I use to backup a few dozen devices. I installed a fresh copy of CentOS Linux release 8.3.2011. When I try to TFTP from the fresh install to the known working TFTP server... it times out on the client but creates an empty file on the tftp server. If I stop the firewalld service on the fresh install... the transfer goes through and the contents of the file are correct. Again, I stopped the firewalld service on the fresh install... NOT the server... and it works. So, I restarted firewalld and did the following (rich rules are for NRPE monitoring)...
firewall-cmd --state
running
firewall-cmd --get-default-zone
public
firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit ssh syslog
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.102.10.125/32" port port="5666" protocol="tcp" accept
rule family="ipv4" source address="10.102.10.125/32" port port="5666" protocol="udp" accept
firewall-cmd --add-service=tftp-client --zone=public --permanent
firewall-cmd --complete-reload
firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit ssh syslog tftp-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.102.10.125/32" port port="5666" protocol="tcp" accept
rule family="ipv4" source address="10.102.10.125/32" port port="5666" protocol="udp" accept
I tried the tftp file transfer again and it times out after creating an empty file just like before.
Again, I stopped firewalld on the fresh install (systemctl stop firewalld) and attempted the transfer and it works!
I rebooted the fresh install (firewalld set to start automatically) and tried the tftp file transfer and it timed out after creating an empty file.
I enabled LogDenied=all in /etc/firewalld/firewalld.conf
I enabled FIREWALLD_ARGS=--debug=10 in /etc/sysconfig/firewalld
Then I rebooted the client again.
The transfer times out and, you guessed it, creates a blank file.
journalctl -a | grep 10.102.10.124 returns things like:
Jan 05 17:16:00 ns-mves01.rcps.local kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:15:5d:8c:28:03:60:73:5c:8c:f8:42:08:00 SRC=10.102.10.124 DST=10.106.10.10 LEN=32 TOS=0x00 PREC=0x00 TTL=62 ID=44238 PROTO=UDP SPT=47617 DPT=38878 LEN=12
Clearly I am missing something... it looks like the fresh install is not recognizing that the return traffic (guessing some kind of ack... maybe..) is related to the outbound request??? I don't know.
If I disable firewalld again on the fresh install of CentOS Linux release 8.3.2011... the tftp transfer works and the contents of the file on the tftp server are correct.
To me it seems to be something with CentOS 8, firewalld, and the tftp client software as my other servers, switches, etc... can all send files to the tftp server without issue. And, even the fresh install can if I disable its firewall.
Any help is appreciated.
CG
--
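Reading the rejected packet: an added example (not from the post or from firewalld) that decodes a FINAL_REJECT journal line using the TFTP rules of RFC 1350 (the request goes to 69/udp, the server answers from a freshly chosen port, an ACK is 4 bytes, a data block at most 516). The sample line is constructed to match the entry quoted above; field names are the kernel's own LOG tokens.

```shell
#!/bin/sh
# Added example, not from the original post: decode a firewalld FINAL_REJECT
# journal line and say whether it looks like the TFTP data channel, which a
# stateful firewall only lets back in when the tftp conntrack helper marks it RELATED.

# Constructed sample line, shaped like the journal entry quoted in the post.
SAMPLE='Jan 05 17:16:00 ns-mves01.rcps.local kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:15:5d:8c:28:03:60:73:5c:8c:f8:42:08:00 SRC=10.102.10.124 DST=10.106.10.10 LEN=32 TOS=0x00 PREC=0x00 TTL=62 ID=44238 PROTO=UDP SPT=47617 DPT=38878 LEN=12'

# field KEY N LINE: value of the N-th KEY=value token (LEN appears twice:
# first the IP total length, then the UDP length).
field() {
    printf '%s\n' "$3" | tr ' ' '\n' | sed -n "s/^$1=//p" | sed -n "${2}p"
}

# classify_reject LINE: prints one of
#   tftp-ack   4-byte UDP payload (opcode + block number) between two ephemeral ports
#   tftp-data  5..516-byte UDP payload between two ephemeral ports
#   other      anything else
classify_reject() {
    proto=$(field PROTO 1 "$1"); spt=$(field SPT 1 "$1"); dpt=$(field DPT 1 "$1")
    udplen=$(field LEN 2 "$1")
    if [ "$proto" != "UDP" ] || [ -z "$udplen" ] || [ -z "$spt" ] || [ -z "$dpt" ]; then
        echo other; return 0
    fi
    payload=$((udplen - 8))   # strip the 8-byte UDP header
    if [ "$spt" -gt 1023 ] && [ "$dpt" -gt 1023 ]; then
        if [ "$payload" -eq 4 ]; then echo tftp-ack; return 0; fi
        if [ "$payload" -gt 4 ] && [ "$payload" -le 516 ]; then echo tftp-data; return 0; fi
    fi
    echo other
}

# explain_reject LINE: one-line reading of the drop, for the ticket.
explain_reject() {
    kind=$(classify_reject "$1")
    src=$(field SRC 1 "$1"); spt=$(field SPT 1 "$1"); dpt=$(field DPT 1 "$1")
    case $kind in
        tftp-ack|tftp-data)
            echo "$src answered from new port $spt to client port $dpt ($kind); the request went to 69/udp, so without the tftp helper conntrack cannot tie this reply to it" ;;
        *) echo "not a TFTP data-channel pattern" ;;
    esac
}

explain_reject "$SAMPLE"
```

On the client, `lsmod | grep nf_conntrack_tftp` shows whether the helper module is loaded at all, and `firewall-cmd --info-service=tftp-client` shows which helper the service definition is meant to attach.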