<div class="gmail_quote">On 11 October 2011 00:05, Frantisek Hanzlik <span dir="ltr"><<a href="mailto:franta@hanzlici.cz">franta@hanzlici.cz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Aaron Gray wrote:<br>
> On 10 October 2011 23:31, Frantisek Hanzlik <<a href="mailto:franta@hanzlici.cz">franta@hanzlici.cz</a>><br>
<div class="im">> wrote:<br>
><br>
> Aaron Gray wrote:<br>
> > On 10 October 2011 22:20, Frantisek Hanzlik <<a href="mailto:franta@hanzlici.cz">franta@hanzlici.cz</a>><br>
</div>
<div class="im">> > wrote:<br>
> ><br>
> > Aaron Gray wrote:<br>
> > ...<br>
> > ><br>
> > > 4) if You use a firewall (iptables), You should load the nf_conntrack_tftp module<br>
> > > for tracking ephemeral ports. That means /etc/sysconfig/iptables-config should<br>
> > > contain a line such as:<br>
> > > ...<br>
> > > IPTABLES_MODULES="nf_conntrack_tftp"<br>
> > > ...<br>
> > > (the other module is for NATting the tftp connection)<br>
> > ><br>
> > ><br>
> > > using localhost<br>
> ><br>
> > loopback (lo interface) is subject to firewall rules too. And Your tcpdump<br>
> > below shows IP addresses 192.168.0.4 and 192.168.0.5 - they perhaps are not<br>
> > at the lo loopback interface?<br>
> > Do You have the firewall active?<br>
> ><br>
> ><br>
> > I wrote a firewall rule :-<br>
> ><br>
> > -A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT<br>
><br>
> Then You should have (best at the beginning of the filter table rules) this rule:<br>
><br>
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
><br>
><br>
> Okay.<br>
><br>
><br>
><br>
> (and the nf_conntrack_tftp module listed in "/etc/sysconfig/iptables-config",<br>
> as I wrote before). You must restart iptables after these changes.<br>
<br>
</div>Is the nf_conntrack_tftp module loaded? You should obtain similar output:<br>
# lsmod |grep tftp<br>
nf_conntrack_tftp 3325 0<br>
nf_conntrack 56162 4 nf_conntrack_tftp,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state<br></blockquote><div><br>No conntrack_tftp running, but it is not needed with the localhost TFTP test.<br><br>How do I load conntrack_tftp?<br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im"><br>
<br>
> > > 5) /var/log/messages should contain entries as:<br>
> > > Oct 10 20:28:32 ns xinetd[1908]: START: tftp pid=5315 from=192.168.1.22<br>
> > > Oct 10 20:28:42 ns xinetd[1908]: EXIT: tftp status=0 pid=5315 duration=10(sec)<br>
> > ><br>
> > ><br>
> > > Oct 10 21:09:07 gold xinetd[13402]: Exiting...<br>
> > > Oct 10 21:09:12 gold xinetd[13650]: xinetd Version 2.3.14 started with libwrap loadavg<br>
> > > labeled-networking options compiled in.<br>
> > > Oct 10 21:09:12 gold xinetd[13650]: Started working: 1 available service<br>
> ><br>
> > There isn't anything about xinetd starting the tftp daemon. Is the mentioned<br>
> > "1 available service" tftp?<br>
> > This command shows only tftp:<br>
> ><br>
> > # grep '^[[:blank:]]*disable.*no' /etc/xinetd.d/*<br>
> > /etc/xinetd.d/tftp: disable = no<br>
> ><br>
> ><br>
> > I tested it and it is the only xinetd daemon running<br>
> ><br>
> ><br>
> > Does the next command display something similar at Your server?<br>
> > # netstat -a -n -p --ip|grep 69<br>
</div>> > udp 0 0 <a href="http://0.0.0.0:69" target="_blank">0.0.0.0:69</a> <<a href="http://0.0.0.0:69" target="_blank">http://0.0.0.0:69</a>> 0.0.0.0:* 1595/xinetd<br>
<br>
What does netstat display now? Is xinetd listening on udp 69?<br>
<div><br></div></blockquote><div>[root@XXXX ang]# netstat -a -n -p --ip|grep 69<br>udp 0 0 <a href="http://0.0.0.0:69">0.0.0.0:69</a> 0.0.0.0:* 1127/xinetd <br>
<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">
<br>
> This command has probably no output at Your server, because...<br>
><br>
> >> Can You post Your "/etc/xinetd.d/tftp" file?<br>
> ><br>
> > Attached.<br>
><br>
> ... Your "/etc/xinetd.d/tftp" contains "disable = yes" line, thus<br>
><br>
><br>
> sorry, don't know how that happened? It's late here!<br>
<br>
</div>Here too... :)<br>
Did You reload xinetd daemon after changes in "/etc/xinetd.d/tftp"?<br></blockquote><div><br>systemctl restart xinetd.service<br> <br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im"><br>
> It still does not work with "disable = no"<br>
><br>
> tftp service is disabled. You must change it to "disable = no" and<br>
> reload xinetd (using "service xinetd reload" or<br>
> "systemctl reload xinetd.service"). "/var/log/messages" tail<br>
> should indicate new service:<br>
><br>
> Oct 11 00:25:10 franta xinetd[1556]: Starting reconfiguration<br>
> Oct 11 00:25:10 franta xinetd[1556]: Swapping defaults<br>
> Oct 11 00:25:10 franta xinetd[1556]: Reconfigured: new=1 old=0 dropped=0 (services)<br>
><br>
> and above netstat command should display xinetd listening at<br>
> udp port 69<br>
><br>
><br>
> Thanks for bearing with me on this.<br>
><br>
> Just tried rsync and that works fine so it's not xinetd.<br>
<br>
</div>I understand maybe only partially, sorry for my extra bad English.<br>
What does the "netstat -a -n -p|grep xinet" command display?<br>
</blockquote></div><br>[root@XXXX ang]# netstat -a -n -p|grep xinet<br>tcp 0 0 :::873 :::* LISTEN 1127/xinetd <br>udp 0 0 <a href="http://0.0.0.0:69">0.0.0.0:69</a> 0.0.0.0:* 1127/xinetd <br>
unix 2 [ ] DGRAM 17415 1127/xinetd <br><br>Thanks,<br><br>Aaron<br><br>
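As an added example (not code from the thread), here is the checklist Frantisek walks through as a small POSIX shell script: each check reads the output of the command named in its comment from stdin, so it can be fed a live box's output or the constructed samples below, which are modelled on the thread's quoted output and deliberately reproduce Aaron's state (helper not loaded, disable = yes).

```shell
# Added example, not from the thread: each troubleshooting step as a function
# that reads command output on stdin and exits 0 when the check passes.
# On a live box pipe the real output in, e.g.  lsmod | tftp_helper_loaded

tftp_helper_loaded() {          # input: lsmod
    grep -q '^nf_conntrack_tftp[[:space:]]'
}

has_related_established() {     # input: iptables-save (filter table)
    grep -q -- '^-A INPUT .*--state RELATED,ESTABLISHED .*-j ACCEPT'
}

xinetd_on_udp69() {             # input: netstat -a -n -p --ip
    grep -q '^udp[[:space:]].*:69[[:space:]].*/xinetd'
}

tftp_not_disabled() {           # input: /etc/xinetd.d/tftp
    grep -q '^[[:blank:]]*disable[[:blank:]]*=[[:blank:]]*no'
}

# Constructed samples, modelled on the outputs quoted in the thread:
# helper module absent and the service still disabled, as in Aaron's case.
SAMPLE_LSMOD='nf_conntrack 56162 3 nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state'
SAMPLE_IPT='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT'
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:69     0.0.0.0:*    1127/xinetd'
SAMPLE_XINETD='service tftp
{
        disable = yes
}'

# Runs the four checks on the samples, prints a verdict per check on stderr
# and writes the number of failed checks to stdout (0 = should work).
count_failures() {
    n=0
    printf '%s\n' "$SAMPLE_LSMOD" | tftp_helper_loaded \
        && echo "helper: ok" >&2 || { echo "helper: modprobe nf_conntrack_tftp" >&2; n=$((n+1)); }
    printf '%s\n' "$SAMPLE_IPT" | has_related_established \
        && echo "RELATED,ESTABLISHED rule: ok" >&2 || { echo "rule: missing" >&2; n=$((n+1)); }
    printf '%s\n' "$SAMPLE_NETSTAT" | xinetd_on_udp69 \
        && echo "xinetd on udp/69: ok" >&2 || { echo "xinetd: not listening" >&2; n=$((n+1)); }
    printf '%s\n' "$SAMPLE_XINETD" | tftp_not_disabled \
        && echo "tftp enabled: ok" >&2 || { echo "tftp: disable = yes, reload xinetd" >&2; n=$((n+1)); }
    echo "$n"
}
```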