Em um ambiente de produção, você deve permitir especificamente o TFTP através do firewall. Isso pode ser feito executando system-config-firewall-tui, personalizando o firewall e selecionando o serviço "TFTP".
Estou tentando executar o tftpd a partir do xinetd no CentOS 6; no entanto, só consigo fazer tftp a partir de localhost.
Eu tenho um arquivo em /opt/tftpboot/fw.test.conf que consigo recuperar se eu fizer tftp para localhost:
[mpenning@localhost ~]$ tftp localhost
tftp> get fw.test.conf
tftp> quit
[mpenning@localhost ~]$ ls
fw.test.conf
[mpenning@localhost ~]$
No entanto, não consigo receber este arquivo se eu fizer tftp para eth1 neste servidor (o endereço de eth1 é 172.16.1.4).
[mpenning@localhost ~]$ sudo tshark -i eth1 udp and host 172.16.1.5
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
0.000000 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf
[root@localhost mpenning]# cat /etc/xinetd.d/tftp
# default: off
# description: The tftp server serves files using the trivial file transfer \
# protocol. The tftp protocol is often used to boot diskless \
# workstations, download configuration files to network-aware printers, \
# and to start the installation process for some operating systems.
service tftp
{
# TFTP has no authentication: anything readable under the served
# directory can be fetched by any host that can reach udp/69.
socket_type = dgram
protocol = udp
# For a UDP service, wait = yes makes xinetd hand the socket to a
# single in.tftpd instance instead of spawning one per datagram.
wait = yes
# root is required so in.tftpd can chroot (-s below). If this is
# tftp-hpa (CentOS's tftp-server package) it drops to an unprivileged
# user afterwards (nobody unless -u is given) — confirm against the
# installed tftpd's man page.
user = root
server = /usr/sbin/in.tftpd
# -s: chroot into /opt/tftpboot, so client-supplied paths cannot
# reach outside the served directory. No -c is given, so (with
# tftp-hpa) creation of new files is refused; writes are still
# possible to existing world-writable files — keep none there.
server_args = -s /opt/tftpboot
disable = no
# Rate limits: at most 11 concurrent instances per source address;
# above 100 connections/second xinetd pauses the service for 2 s.
per_source = 11
cps = 100 2
# Listen on IPv4 only.
flags = IPv4
}
# NOTE: this stanza alone does not make tftp reachable from other hosts.
# CentOS 6's default iptables ruleset drops inbound udp/69 on ethernet
# interfaces; outside a lab, allow the "TFTP" service in the firewall
# (e.g. via system-config-firewall-tui) rather than stopping iptables.
[root@localhost mpenning]#
0, Transfer type: netascii
[mpenning@localhost ~]$ tftp localhost
tftp> get fw.test.conf
tftp> quit
[mpenning@localhost ~]$ ls
fw.test.conf
[mpenning@localhost ~]$
0
5.000133 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf
[mpenning@localhost ~]$ sudo tshark -i eth1 udp and host 172.16.1.5
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
0.000000 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf
[root@localhost mpenning]# cat /etc/xinetd.d/tftp
# default: off
# description: The tftp server serves files using the trivial file transfer \
# protocol. The tftp protocol is often used to boot diskless \
# workstations, download configuration files to network-aware printers, \
# and to start the installation process for some operating systems.
service tftp
{
# TFTP has no authentication: anything readable under the served
# directory can be fetched by any host that can reach udp/69.
socket_type = dgram
protocol = udp
# For a UDP service, wait = yes makes xinetd hand the socket to a
# single in.tftpd instance instead of spawning one per datagram.
wait = yes
# root is required so in.tftpd can chroot (-s below). If this is
# tftp-hpa (CentOS's tftp-server package) it drops to an unprivileged
# user afterwards (nobody unless -u is given) — confirm against the
# installed tftpd's man page.
user = root
server = /usr/sbin/in.tftpd
# -s: chroot into /opt/tftpboot, so client-supplied paths cannot
# reach outside the served directory. No -c is given, so (with
# tftp-hpa) creation of new files is refused; writes are still
# possible to existing world-writable files — keep none there.
server_args = -s /opt/tftpboot
disable = no
# Rate limits: at most 11 concurrent instances per source address;
# above 100 connections/second xinetd pauses the service for 2 s.
per_source = 11
cps = 100 2
# Listen on IPv4 only.
flags = IPv4
}
# NOTE: this stanza alone does not make tftp reachable from other hosts.
# CentOS 6's default iptables ruleset drops inbound udp/69 on ethernet
# interfaces; outside a lab, allow the "TFTP" service in the firewall
# (e.g. via system-config-firewall-tui) rather than stopping iptables.
[root@localhost mpenning]#
0, Transfer type: netascii
5.000133 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf, Transfer type: netascii
10.000184 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf, Transfer type: netascii
15.000297 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf, Transfer type: netascii
20.000331 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf, Transfer type: netascii
^C5 packets captured
[mpenning@localhost ~]$
0, Transfer type: netascii
10.000184 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf, Transfer type: netascii
15.000297 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf, Transfer type: netascii
20.000331 172.16.1.5 -> 172.16.1.4 TFTP Read Request, File: fw.test.conf, Transfer type: netascii
^C5 packets captured
[mpenning@localhost ~]$
Eu tenho a seguinte configuração xinetd:
O CentOS bloqueia solicitações tftp UDP de entrada com iptables nas interfaces ethernet por padrão... desabilitar o serviço iptables corrigiu o problema (esta é uma máquina de laboratório, portanto desabilitar o iptables está ok).
[root@localhost mpenning]# chkconfig iptables off
[root@localhost mpenning]# /etc/init.d/iptables stop
[root@localhost mpenning]#