TFTP Client Issue

Posted: 2021/01/05 22:36:29
by cgerow
I have a working TFTP server that I use to back up a few dozen devices. I installed a fresh copy of CentOS Linux release 8.3.2011. When I try to TFTP from the fresh install to the known working TFTP server... it times out on the client but creates an empty file on the tftp server. If I stop the firewalld service on the fresh install... the transfer goes through and the contents of the file are correct. Again, I stopped the firewalld service on the fresh install... NOT the server... and it works. So, I restarted firewalld and did the following (rich rules are for NRPE monitoring)...

firewall-cmd --state
running

firewall-cmd --get-default-zone
public

firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit ssh syslog
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.102.10.125/32" port port="5666" protocol="tcp" accept
rule family="ipv4" source address="10.102.10.125/32" port port="5666" protocol="udp" accept


firewall-cmd --add-service=tftp-client --zone=public --permanent

firewall-cmd --complete-reload

firewall-cmd --zone=public --list-all

public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit ssh syslog tftp-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.102.10.125/32" port port="5666" protocol="tcp" accept
rule family="ipv4" source address="10.102.10.125/32" port port="5666" protocol="udp" accept

I tried the tftp file transfer again and it times out after creating an empty file just like before.

Again, I stopped firewalld on the fresh install (systemctl stop firewalld) and attempted the transfer and it works!

I rebooted the fresh install (firewalld set to start automatically) and tried the tftp file transfer and it timed out after creating an empty file.

I enabled LogDenied=all in /etc/firewalld/firewalld.conf
I enabled FIREWALLD_ARGS=--debug=10 in /etc/sysconfig/firewalld
Then I rebooted the client again.

The transfer times out and, you guessed it, creates a blank file.

journalctl -a | grep 10.102.10.124 returns things like:
Jan 05 17:16:00 ns-mves01.rcps.local kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:15:5d:8c:28:03:60:73:5c:8c:f8:42:08:00 SRC=10.102.10.124 DST=10.106.10.10 LEN=32 TOS=0x00 PREC=0x00 TTL=62 ID=44238 PROTO=UDP SPT=47617 DPT=38878 LEN=12

Clearly I am missing something... it looks like the fresh install is not recognizing that the return traffic (guessing some kind of ack... maybe..) is related to the outbound request??? I don't know.

If I disable firewalld again on the fresh install of CentOS Linux release 8.3.2011... the tftp transfer works and the contents of the file on the tftp server are correct.

To me it seems to be something with CentOS 8, firewalld, and the tftp client software as my other servers, switches, etc... can all send files to the tftp server without issue. And, even the fresh install can if I disable its firewall.

Any help is appreciated.

CG

--

Re: TFTP Client Issue

Posted: 2021/01/11 22:01:19
by cgerow
So... after even more research (I have lost track of how many hours I have spent trying to make firewalld work)... I found a blog (from 2016!) that suggested adding the following:

firewall-cmd --direct --permanent --add-rule ipv4 raw OUTPUT 0 -j CT -p udp -m udp --dport 69 --helper tftp

Command Source: https://beaveryoga.wordpress.com/2016/12/10/iptables-and-tftp-howto/

Then I ran the following commands:
firewall-cmd --complete-reload
firewall-cmd --zone=public --list-all
firewall-cmd --direct --get-all-rules

Tried the tftp transfer... and it works!

Just to make sure... I completely wiped and reinstalled CentOS 8. After adding the --direct rule, the tftp client is working as expected.
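The FINAL_REJECT line in the first post and the CT helper rule in the follow-up describe the same mechanism: a TFTP server answers the request sent to port 69 from a fresh ephemeral port (its transfer ID, per RFC 1350), so the reply tuple never matches the outbound request and plain UDP connection tracking drops it as unrelated until the tftp helper registers an expectation for it. The Python below is an added example, not the poster's code: it parses FINAL_REJECT journal lines, models the helper's expectation from a constructed record of the client's own outbound requests (the second log line and the request list are constructed), and labels which rejections are TFTP replies arriving from a new TID.

```python
import re

# Constructed sample journal excerpt: line 1 is modelled on the FINAL_REJECT entry
# quoted in the thread; line 2 is an invented, unrelated TCP rejection.
JOURNAL = """\
Jan 05 17:16:00 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:15:5d:8c:28:03:60:73:5c:8c:f8:42:08:00 SRC=10.102.10.124 DST=10.106.10.10 LEN=32 TOS=0x00 PREC=0x00 TTL=62 ID=44238 PROTO=UDP SPT=47617 DPT=38878 LEN=12
Jan 05 17:16:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:15:5d:8c:28:03:00:00:00:00:00:00:08:00 SRC=10.102.10.125 DST=10.106.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=44444 DPT=5666 LEN=40
"""

# Constructed: the client's own outbound TFTP requests as (client_ip, client_port,
# server_ip). Each RRQ/WRQ goes to server port 69; this is what the tftp helper sees.
OUTBOUND_TFTP_REQUESTS = [("10.106.10.10", 38878, "10.102.10.124")]

KV = re.compile(r"(\w+)=(\S*)")


def parse_reject(line):
    """Return the key=value fields of a FINAL_REJECT kernel log line, or None."""
    if "FINAL_REJECT:" not in line:
        return None
    return dict(KV.findall(line.split("FINAL_REJECT:", 1)[1]))


def tftp_expectation(requests):
    """Model the conntrack tftp helper: for each request client:P -> server:69,
    expect a reply from server, ANY source port (new TID), to client:P."""
    return {(server, client, port) for client, port, server in requests}


def classify(fields, expected):
    """Explain why a rejected inbound packet was dropped as unrelated."""
    if fields.get("PROTO") != "UDP":
        return "not-udp"
    key = (fields["SRC"], fields["DST"], int(fields["DPT"]))
    if key in expected and fields["SPT"] != "69":
        return "tftp-reply-new-tid"  # would be RELATED with the helper active
    return "unrelated"


def diagnose(journal, requests):
    """Classify every FINAL_REJECT line; returns (SRC, SPT, DPT, verdict) tuples."""
    expected = tftp_expectation(requests)
    results = []
    for line in journal.splitlines():
        fields = parse_reject(line)
        if fields:
            results.append((fields["SRC"], fields["SPT"], fields["DPT"], classify(fields, expected)))
    return results


if __name__ == "__main__":
    for src, spt, dpt, verdict in diagnose(JOURNAL, OUTBOUND_TFTP_REQUESTS):
        print(f"{src}:{spt} -> :{dpt}  {verdict}")
```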