CSB wrote:
I am trying to configure a tftp server and am having difficulty connecting
to it from a tftp client
vi /etc/xinetd.d/tftp
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
log_type = FILE /var/log/tftp.log
}
>From client
tftp -v 203.89.001.001 -c get cfg000b82024216 Connected to 203.89.001.001
(203.89.001.001), port 69 getting from 203.89.001.001:cfg000b82024216 to
cfg000b82024216 [netascii] Transfer timed out.
The server is running open vpn and the client is connected to it. I can
successfully connect using tftp over openvpn so it's not a permissions
issue.
tftp -v 10.8.0.1 -c get cfg000b82024216
Connected to 10.8.0.1 (10.8.0.1), port 69 getting from
10.8.0.1:cfg000b82024216 to cfg000b82024216 [netascii] Received 890 bytes in
4.4 seconds [1611 bit/s]
If I add the bind directive then I still can't connect over the public ip
(and I can no longer connect over the vpn either):
bind = 203.89.001.001
If I stop the openvpn service I still cannot connect over the public ip
address.
If I flush the firewall rules I still cannot connect over the public ip
address.
Any help appreciated
Cameron
ifconfig
eth1 Link encap:Ethernet HWaddr 00:18:71:8C:32:FF
inet addr:203.89.001.001 Bcast:203.89.001.255 Mask:255.255.255.0
inet6 addr: fe88::208:88ff:fe8c:32ff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34918988 errors:0 dropped:0 overruns:0 frame:0
TX packets:34021478 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1462983820 (1.3 GiB) TX bytes:1275513509 (1.1 GiB)
Interrupt:193
eth1:1 Link encap:Ethernet HWaddr 00:18:71:8C:32:FF
inet addr:203.89.001.007 Bcast:203.89.001.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:193
eth1:2 Link encap:Ethernet HWaddr 00:18:71:8C:32:FF
inet addr:203.89.001.008 Bcast:203.89.001.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:193
eth1:3 Link encap:Ethernet HWaddr 00:18:71:8C:32:FF
inet addr:203.89.001.009 Bcast:203.89.001.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:193
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:7470203 errors:0 dropped:0 overruns:0 frame:0
TX packets:7470203 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1010165066 (963.3 MiB) TX bytes:1010165066 (963.3 MiB)
tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
All the documentation I read when learning to set up tftp stated that
it's an insecure protocol ill-suited to sharing stuff over public
networks. It's best left for its intended purpose, sharing firmware,
boot code and such over networks under one's own control.
One of the risks is that, with a default installation[1], anyone who can
read your data can change your data.
If you control both ends of the VPN then that would seem to meet that
guideline.
If you want to persist with sharing over the public internet, then look
at your firewall rules to see whether
1, There's a problem restricting your transfer
2. You have adequate controls over who can share your data.
For more general data sharing I recommend and use http.
[1] The Fedora/Red Hat installations are not default, they're secured
and configured to a special purpose, sharing boot code. Changing that
setup isn't hard, but one needs to understand the possible consequences.
--
