I’m trying to get the TFTP server running on a FRESH install of FreePBX 13. It doesn’t appear to be starting or be listening to UDP 69.
TFTP config file has disable = no (default after install). I added server_args -c -p as I think these are required to post files back up once running.
xinetd restart does not show anything other than stopping and starting.
The iptables didn’t have a specific entry so I added:
iptables -A INPUT -p udp --dport 69 -j ACCEPT
I did an iptables save, rebooted everything. I see the iptables rule still present after the restart.
I still don’t see a listening state when I do a netstat -lnu.
I also don’t see any message logs that the TFTP server is started.
What step am I missing to get the TFTP server running and operational? Do I need to add something to xinetd.conf?
xrobau
(Rob Thomas)
August 30, 2016, 10:58pm
This is what your /etc/xinetd.d/tftp file should look like:
service tftp
{
disable = no
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /tftpboot -v
per_source = 11
cps = 100 2
flags = IPv4
}
There shouldn’t be a need for any other configuration.
That is what it looks like other than the added arguments I put in.
Shouldn’t I see netstat indicating something is listening on 69?
dicko
(dicko)
August 30, 2016, 11:14pm
Go one level higher to see:-
lsof -i :69
As to server options, the -c is needed to “create” for Polycoms etc. that seed their phone books, the -p is for changing permissions but be careful there!!, ultimately tftp is “trivial” with trivial protections, so make sure your firewall is secure and only passing “known” hosts to udp/69 and of course a complementary egress rule from your server for replies.
I don’t understand your reference to lsof -i :69. Can you clarify?
Yes, Polycoms will be in the mix.
dicko
(dicko)
August 30, 2016, 11:20pm
from bash
man lsof
everything in linux is a “file” of one sort or another
Sorry, the response is:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 4992 root 5u IPv4 27933 0t0 UDP *:tftp
So it looks like 69 is being listened to. Is there anything here that stands out?
dicko
(dicko)
August 30, 2016, 11:28pm
No, now have your firewall properly allow inbound and outbound traffic on that port without any “port/address mangling” but only allow your “trusted hosts” ingress.
I guess this may be where I’m confused. I’ve made changes to the iptables. What else do I need to change?
My current IPTABLE looks like this
[root@localhost xinetd.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-apache-auth tcp -- anywhere anywhere multiport dports http
fail2ban-SIP all -- anywhere anywhere
fail2ban-BadBots tcp -- anywhere anywhere multiport dports http,https
fail2ban-recidive all -- anywhere anywhere
fail2ban-apache-auth tcp -- anywhere anywhere multiport dports http
ACCEPT udp -- anywhere anywhere udp dpt:tftp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:tftp
Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-SIP (1 references)
target prot opt source destination
Chain fail2ban-apache-auth (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
dicko
(dicko)
August 30, 2016, 11:35pm
Nothing apart from the security of your INPUT rules:-
ACCEPT udp -- anywhere anywhere udp spt:tftp
(anywhere is a very very BAD thing)
Same rule in OUTPUT, So everything looks good in your local iptables, is your firewall/router also as permissive?
This is all on a local network for testing. Only a PC, a phone and the FreePBX box. All on the same subnet.
dicko
(dicko)
August 30, 2016, 11:38pm
from bash
tcpdump -vvnn port 69
is traffic bi-directional ?
then change server options to -vv and
tailf /var/log/messages |grep -i tftp
I enabled dump and initiated a get of the phonebook.xml file…looks like it is working now.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:28.887706 IP (tos 0x0, ttl 128, id 1206, offset 0, flags [none], proto UDP (17), length 53)
192.168.1.100.64000 > 192.168.1.30.69: [udp sum ok] 25 RRQ "phonebook.xml" netascii
I can’t do writes but I think that’s because I removed the -c argument.
Yes, and a user with permission, so -c and -u xxx got me going with write backs. The Polycoms sure like write backs.
dicko
(dicko)
August 31, 2016, 12:03am
Now fix your INPUT rules or risk leaking your family jewels
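Acting on dicko's two points (confirm that udp/69 is actually bound, then replace the "anywhere" INPUT rule with a trusted-host allow list): an added example, not code from the thread or from FreePBX. It assumes the trusted phones are the constructed addresses 192.168.1.100 and 192.168.1.101, and that the output of `lsof -nP -i UDP:69` is supplied on stdin; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: helpers for the two checks discussed in the thread.
# Assumptions: trusted phones are passed as arguments; only udp/69 ingress
# from those hosts is needed (addresses below are constructed, not real).

# 1. Confirm a TFTP socket is bound. Expects `lsof -nP -i UDP:69` output on
#    stdin; returns 0 when xinetd or in.tftpd owns a UDP socket on 69/tftp.
tftp_is_listening() {
    grep -Eq '^(xinetd|in\.tftpd)[[:space:]].*UDP[[:space:]]+(\*|[0-9.]+):(69|tftp)$'
}

# 2. Emit iptables commands that replace "ACCEPT udp anywhere anywhere" with
#    an allow list: each trusted host may reach udp/69, everyone else is
#    dropped. Commands are printed, not executed, so they can be reviewed.
tftp_iptables_rules() {
    [ $# -gt 0 ] || { echo "usage: tftp_iptables_rules HOST [HOST...]" >&2; return 1; }
    for host in "$@"; do
        printf 'iptables -A INPUT -p udp -s %s --dport 69 -j ACCEPT\n' "$host"
    done
    # Catch-all after the allow list; the old "anywhere" ACCEPT must be deleted.
    printf 'iptables -A INPUT -p udp --dport 69 -j DROP\n'
}

# Constructed sample: the lsof header plus the line posted earlier in the thread.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 4992 root 5u IPv4 27933 0t0 UDP *:tftp'

# Runs the listening check against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | tftp_is_listening
}

if check_sample; then
    echo "udp/69 is bound by xinetd; proposed allow-list rules:"
    tftp_iptables_rules 192.168.1.100 192.168.1.101
else
    echo "nothing is listening on udp/69; check /etc/xinetd.d/tftp first"
fi
```

On a live box, feed real output with `lsof -nP -i UDP:69 | tftp_is_listening` and pipe the printed rules through `sh` only after reviewing them.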