Bug 1658481

Summary: Add TFTP service to Satellite firewall chapter
Product: Red Hat Satellite
Component: Documentation
Version: Unspecified
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: Lukas Zapletal <lzap>
Assignee: Sergei Petrosian <spetrosi>
QA Contact: Melanie Corr <mcorr>
CC: lzap, roarora, spetrosi
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2018-12-19 11:52:57 UTC

Description Lukas Zapletal 2018-12-12 09:16:02 UTC
Hey, please add the following to the Satellite 6 firewall ports guide as a note below the port tables:

~~~

While it is not recommended to use TFTP through NAT, as the protocol is not very reliable, it is possible to do so. On all routers, a TFTP tracking feature must be turned on and the incoming port for TFTP (UDP port 69) must be allowed. If a router is based on Red Hat Enterprise Linux 7, the following command allows the port and loads the nf_conntrack_tftp kernel module (use --permanent to persist this after reboot):

  firewall-cmd --add-service=tftp

On Red Hat Enterprise Linux 6 or older, add an iptables rule

  # OUTPUT rules match on the outgoing interface, so this must be -o (iptables rejects -i in the OUTPUT chain)
  -A OUTPUT -o eth0 -p udp --sport 69 -m state --state ESTABLISHED -j ACCEPT

and load the kernel connection tracking modules via /etc/sysconfig/iptables-config:

  IPTABLES_MODULES="ip_conntrack_tftp"

~~~

Thanks!

Comment 1 Lukas Zapletal 2018-12-12 09:17:07 UTC
Maybe just drop "While it is not recommended to use TFTP through NAT as the protocol is not very reliable, it is possible to do so." as this is very subjective opinion :-)

Comment 4 Lukas Zapletal 2018-12-13 14:47:49 UTC
> On all routers, you must enable a TFTP tracking feature.

I'd probably elaborate this to: "On all routers, you must open UDP port 69 for TFTP and enable the state tracking feature. This differs for each router/firewall vendor; if Red Hat Enterprise Linux is used as a router or firewall, do the following:"

This will hopefully make this more clear to the reader.

> 2. On all routers, load the ip_conntrack_tftp kernel connection 

This is only for RHEL 6; in the case of RHEL 7, firewalld does this automatically. So put this under the RHEL 6 or older option; it is not needed for RHEL 7, and in fact it will not work, as the configuration file will likely not exist. Maybe add a note in the RHEL 7 case, after the firewall-cmd command, that this also loads the kernel TFTP state tracking module automatically and that the user can check this via:

  lsmod | grep ip_conntrack
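The description and Comment 4 describe the same procedure (allow UDP port 69 and make sure the TFTP connection-tracking helper is loaded, via firewalld on RHEL 7 or via iptables plus IPTABLES_MODULES on RHEL 6). The script below is an added example, not part of this bug report or of the Satellite documentation it discusses: it verifies those prerequisites on a RHEL-based router. The lsmod, iptables-save, iptables-config and firewall-cmd outputs it is exercised against are constructed samples. The module names, the firewall-cmd and iptables invocations and the nf_conntrack_helper sysctl are standard, but whether a given kernel actually attaches a loaded helper to NATed flows depends on that sysctl, which the script only reports.

```shell
#!/bin/sh
# Added example, not from the bug report or the Satellite docs: verify the
# TFTP-through-NAT prerequisites from the description and Comment 4 on a RHEL
# router. Each check takes command output as its argument, so the same
# functions run against the constructed samples at the bottom and, via
# run_live_checks, against real lsmod/iptables-save/firewall-cmd output.

# 1. Is the TFTP connection-tracking helper loaded? The module is named
#    nf_conntrack_tftp on RHEL 6 and 7 (ip_conntrack_tftp is the older name,
#    still accepted by modprobe as an alias), so accept either in column 1.
tftp_helper_loaded() {
    printf '%s\n' "$1" | awk '
        $1 == "nf_conntrack_tftp" || $1 == "ip_conntrack_tftp" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# 2. RHEL 6: does an iptables-save dump ACCEPT UDP port 69 as source or
#    destination port? (The OUTPUT rule in the description matches --sport 69.)
tftp_port_allowed() {
    printf '%s\n' "$1" | grep -Eq -- '^-A .*-p udp .*--(dport|sport) 69 .*-j ACCEPT$'
}

# 3. RHEL 6: does /etc/sysconfig/iptables-config list the helper in
#    IPTABLES_MODULES, so the iptables service loads it at boot?
iptables_config_loads_helper() {
    printf '%s\n' "$1" | sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' \
        | grep -Eq '(^| )(nf|ip)_conntrack_tftp( |$)'
}

# 4. RHEL 7: does the active firewalld zone list the tftp service
#    (the one-line output of "firewall-cmd --list-services")?
firewalld_allows_tftp() {
    for svc in $1; do
        [ "$svc" = tftp ] && return 0
    done
    return 1
}

# Run the checks on the current host. Exit status 0 means everything needed
# was found; each missing piece is reported on stdout.
run_live_checks() {
    rc=0
    tftp_helper_loaded "$(lsmod)" || { echo 'nf_conntrack_tftp is not loaded'; rc=1; }
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewalld_allows_tftp "$(firewall-cmd --list-services 2>/dev/null)" \
            || { echo 'firewalld: tftp service not in the active zone'; rc=1; }
    else
        tftp_port_allowed "$(iptables-save 2>/dev/null)" \
            || { echo 'iptables: no ACCEPT rule for UDP port 69'; rc=1; }
        if [ -r /etc/sysconfig/iptables-config ]; then
            iptables_config_loads_helper "$(cat /etc/sysconfig/iptables-config)" \
                || { echo 'iptables-config: helper not in IPTABLES_MODULES'; rc=1; }
        fi
    fi
    # Caveat: on kernels where net.netfilter.nf_conntrack_helper is 0 (the
    # upstream default since Linux 4.7), a loaded helper is not assigned to
    # flows automatically and an explicit raw-table CT rule is needed, so
    # report the value rather than assume it.
    if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        echo "nf_conntrack_helper=$(cat /proc/sys/net/netfilter/nf_conntrack_helper)"
    fi
    return $rc
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_LSMOD_OK='Module                  Size  Used by
nf_conntrack_tftp      12767  0
nf_conntrack_ipv4      15053  2
nf_conntrack          139224  3 nf_conntrack_tftp,nf_conntrack_ipv4,xt_conntrack'
SAMPLE_LSMOD_MISSING='Module                  Size  Used by
nf_conntrack_ipv4      15053  2
nf_conntrack          139224  2 nf_conntrack_ipv4,xt_conntrack'
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 69 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 69 -m state --state ESTABLISHED -j ACCEPT
COMMIT'
SAMPLE_IPTABLES_CONFIG='IPTABLES_MODULES="ip_conntrack_tftp"
IPTABLES_MODULES_UNLOAD="yes"'
SAMPLE_FIREWALLD_SERVICES='dhcpv6-client ssh tftp'

# "sh check-tftp.sh --live" runs the host checks; with no arguments the
# constructed samples are exercised instead (every line should say "ok").
if [ "$1" = --live ]; then
    run_live_checks
else
    tftp_helper_loaded "$SAMPLE_LSMOD_OK"      && echo 'ok: helper detected'
    tftp_helper_loaded "$SAMPLE_LSMOD_MISSING" || echo 'ok: missing helper detected'
    tftp_port_allowed "$SAMPLE_IPTABLES_SAVE"  && echo 'ok: udp/69 rule detected'
    iptables_config_loads_helper "$SAMPLE_IPTABLES_CONFIG" && echo 'ok: IPTABLES_MODULES detected'
    firewalld_allows_tftp "$SAMPLE_FIREWALLD_SERVICES"     && echo 'ok: firewalld tftp service detected'
fi
```

One detail worth knowing when following Comment 4's manual check: on RHEL 6 and 7 kernels the module appears in lsmod under its real name, nf_conntrack_tftp, so `lsmod | grep ip_conntrack` will not match it even when it is loaded; the first check above accepts both spellings for that reason. The script also does not assert that the helper is applied to traffic, only that the pieces the documentation asks for are in place; the reported nf_conntrack_helper value tells you whether that assumption holds on the router in front of you.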