FreePBX 13 Free - TFTP Server

I’m trying to get the TFTP server running on a FRESH install of FreePBX 13. It doesn’t appear to be starting or be listening to UDP 69.

TFTP config file has disable = no (default after install). I added server_args -c -p as I think these are required to post files back up once running.

xinetd restart does not show anything other than stopping and starting.

The iptables didn’t have a specific entry so I added:
iptables -A INPUT -p udp --dport 69 -j ACCEPT

I did an iptables save and rebooted everything. I see the iptables rule still present after the restart.

I still don’t see a listening state when I do a netstat -lnu.

I also don’t see any message logs that the TFTP server is started.

What step am I missing to get the TFTP server running and operational? Do I need to add something to xinetd.conf?

This is what your /etc/xinetd.d/tftp file should look like:

service tftp
{
        disable                 = no
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot -v
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

There shouldn’t be a need for any other configuration.

That is what it looks like other than the added arguments I put in.

Shouldn’t I see netstat indicating something is listening on 69?

Go one level higher to see:-

lsof -i :69

As to server options, the -c is needed to “create” for Polycoms etc. that seed their phone books, the -p is for changing permissions but be careful there!!, ultimately tftp is “trivial” with trivial protections, so make sure your firewall is secure and only passing “known” hosts to udp/69 and of course a complementary egress rule from your server for replies.

I don’t understand your reference to lsof -i :69. Can you clarify?

Yes, Polycoms will be in the mix.

from bash

man lsof

everything in linux is a “file” of one sort or another :slight_smile:

Sorry, the response is:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 4992 root 5u IPv4 27933 0t0 UDP *:tftp

So it looks like 69 is being listened to. Is there anything here that stands out?

No, now have your firewall properly allow inbound and outbound traffic on that port without any “port/address mangling” but only allow your “trusted hosts” ingress.

I guess this may be where I’m confused. I’ve made changes to the iptables. What else do I need to change?

My current IPTABLE looks like this
[root@localhost xinetd.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-apache-auth tcp -- anywhere anywhere multiport dports http
fail2ban-SIP all -- anywhere anywhere
fail2ban-BadBots tcp -- anywhere anywhere multiport dports http,https
fail2ban-recidive all -- anywhere anywhere
fail2ban-apache-auth tcp -- anywhere anywhere multiport dports http
ACCEPT udp -- anywhere anywhere udp dpt:tftp

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:tftp

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-SIP (1 references)
target prot opt source destination

Chain fail2ban-apache-auth (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Nothing apart from the security of your INPUT rules:-

ACCEPT udp -- anywhere anywhere udp spt:tftp

(anywhere is a very very BAD thing :slight_smile: )

Same rule in OUTPUT, so everything looks good in your local iptables. Is your firewall/router also as permissive?

This is all on a local network for testing. Only a PC, a phone and the FreePBX box. All on the same subnet.

from bash

tcpdump -vvnn port 69

is traffic bi-directional ?

then change server options to -vv and

tailf /var/log/messages |grep -i tftp

I enabled dump and initiated a get of the phonebook.xml file…looks like it is working now.

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:28.887706 IP (tos 0x0, ttl 128, id 1206, offset 0, flags [none], proto UDP (17), length 53)
192.168.1.100.64000 > 192.168.1.30.69: [udp sum ok] 25 RRQ "phonebook.xml" netascii

I can’t do writes but I think that’s because I removed the -c argument.


That -c would be needed.

Yes, and a user with permission so -c and -u xxx got me going with write backs. The polycoms sure like write backs :wink:

Now fix your INPUT rules or risk leaking your family jewels
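The “anywhere” INPUT rule flagged in the replies above and in this closing warning, turned into a check plus a replacement. This is an added example, not code from the thread or from FreePBX: it parses a listing constructed in the thread’s plain `iptables -L` format, reports udp/69 ACCEPT rules whose source is “anywhere”, and emits rules that accept udp/69 only from trusted phone addresses (the addresses passed in are assumed).

```python
"""Audit an `iptables -L` listing for TFTP (udp/69) ACCEPT rules open to any
source and emit replacement rules limited to trusted hosts. Added example, not
from the thread; sample listing constructed from the chains pasted above."""
import re

# Constructed sample in the plain `iptables -L` format used in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source     destination
fail2ban-SIP  all  --  anywhere  anywhere
ACCEPT     udp  --  anywhere   anywhere    udp dpt:tftp

Chain OUTPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     udp  --  anywhere   anywhere    udp spt:tftp
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_listing(text):
    """Return {chain: [(target, prot, source, destination, match_text), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        parts = line.split(None, 5)   # target prot opt source destination [match]
        if len(parts) >= 5:
            extra = parts[5] if len(parts) == 6 else ""
            chains[current].append((parts[0], parts[1], parts[3], parts[4], extra))
    return chains

def open_tftp_rules(text, chain="INPUT"):
    """ACCEPT rules in `chain` for udp dpt:tftp (or 69) with source 'anywhere'."""
    return [r for r in parse_listing(text).get(chain, [])
            if r[0] == "ACCEPT" and r[1] == "udp"
            and r[2] in ("anywhere", "0.0.0.0/0")
            and re.search(r"\bdpt:(tftp|69)\b", r[4])]

def restricted_rules(trusted_hosts):
    """Replace the open rule: accept udp/69 only from trusted hosts, drop the rest."""
    cmds = ["iptables -D INPUT -p udp --dport 69 -j ACCEPT"]   # remove the 'anywhere' rule
    cmds += [f"iptables -A INPUT -p udp --dport 69 -s {h} -j ACCEPT" for h in trusted_hosts]
    cmds.append("iptables -A INPUT -p udp --dport 69 -j DROP")
    return cmds

if __name__ == "__main__":
    print(open_tftp_rules(SAMPLE_LISTING))
    print("\n".join(restricted_rules(["192.168.1.100"])))   # assumed phone address
```

Run the generated commands only after confirming every phone that needs TFTP is in the trusted list; the matching OUTPUT rule for replies is unaffected.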