Red Hat Bugzilla – Bug 494417
tftp client times out in Fedora 10
Last modified: 2009-11-11 09:58:19 EST
Description of problem: the tftp client times out when retrieving a file using the tftp protocol and the firewall is enabled. Disabling the firewall solves the problem.
Version-Release number of selected component (if applicable):
tftp i386 0.48-6.fc10
Use the tftp client with a default Fedora 10 installation (the firewall is then enabled); the client will time out and no file will be transferred. If one disables the firewall then the transfer succeeds.
Steps to Reproduce:
1. open a tftp connection from a console with tftp
2. fill the name/ip address of tftp server when prompted (to)
3. get filename
tftp> get filename
Transfer timed out.
I expect the tftp client to work and get the files I request
Disabling the firewall solves the problem and the files can be retrieved.
I found from the issue description that the problem is in the setting up of the firewall. Please try to adjust the firewall and let me know the progress.
I had expected that someone at redhat/fedora at least had tested that there was a problem. From your answer I understand that you have not even taken the time to test it/reproduce it.
If I knew what firewall settings I had to enable/tweak I would have already done it.
Anyway, I think it is kind of strange of somebody from redhat to ask me to try changing things without giving any clues as to what when I use the standard configuration as delivered from you guys.
A tftp client should just work (TM). I should not have to be testing stuff for copying a file from a tftp server. This is why I filed a bug against it and the whole point of this is to make a better redhat. Or so I thought, correct me if I am wrong.
I'm worried about a little misunderstanding. Therefore I'd like to explain a couple of things:
1. I'm a maintainer of tftp. The tftp doesn't work as you suppose due to the firewall. I have nothing to do with the firewall. There is another maintainer for firewall issues (btw. I consulted the issue internally = I took care of it).
2. The tftp is not a secure protocol and its usage should be limited to the LAN due to security.
3. I estimate (based on item #2) the default firewall configuration blocks tftp due to security. Whoever wants to use it should know what he is doing (load nf_conntrack_tftp) and should do that manually.
Loading the nf_conntrack_tftp module solves the problem indeed. Thanks for the tip.
I fail to see how using a tftp *client* could be seen as a security risk. If you are afraid of the tftp protocol, then you control access to the tftp *server* with firewall rules.
As a sysadmin I expect to trust connections that I initiate. A tftp client falls into this category. Having to load an extra kernel module just to be able to use a tftp client falls in the category *irritating and unnecessary stuff*. Do you know who I have to ask at redhat to get this fixed? This behaviour is not right and should be corrected in a future release.
Anyway, I am glad you gave me the golden clue to solve this 'special' problem. Thanks again.
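Why loading nf_conntrack_tftp clears the timeout, shown as an added example that is not part of this bug thread and is not netfilter code: per RFC 1350 a TFTP server answers a read request from a new ephemeral port instead of port 69, so a firewall that only tracks the original flow drops the first DATA packet unless a helper registers the reply as related. The class, function names, addresses and ports below are constructed for illustration, and the matching logic is a simplified model.

```python
import struct

TFTP_PORT, OP_RRQ, OP_WRQ = 69, 1, 2

def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ packet, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    fields = payload[2:].split(b"\x00")
    if opcode not in (OP_RRQ, OP_WRQ) or len(fields) < 3 or not all(fields[:2]):
        return None
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace")

class StatefulFirewall:
    """Simplified model: outbound UDP allowed, inbound only if ESTABLISHED/RELATED."""

    def __init__(self, tftp_helper: bool):
        self.tftp_helper = tftp_helper   # stands in for nf_conntrack_tftp being loaded
        self.flows = set()               # (local_ip, local_port, remote_ip, remote_port)
        self.expected = set()            # (local_ip, local_port, remote_ip), any remote port

    def outbound(self, src, sport, dst, dport, payload=b""):
        self.flows.add((src, sport, dst, dport))
        # The helper reads the request and expects the server's reply from any port.
        if self.tftp_helper and dport == TFTP_PORT and parse_tftp_request(payload):
            self.expected.add((src, sport, dst))

    def inbound(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.flows:
            return "ACCEPT (ESTABLISHED)"
        if (dst, dport, src) in self.expected:
            self.expected.discard((dst, dport, src))
            self.flows.add((dst, dport, src, sport))  # data flow is now tracked itself
            return "ACCEPT (RELATED)"
        return "DROP"

def first_data_verdict(tftp_helper: bool) -> str:
    """Client sends RRQ to port 69; the server answers from a new ephemeral port."""
    fw = StatefulFirewall(tftp_helper)
    client, server = "192.0.2.10", "192.0.2.1"   # constructed sample addresses
    rrq = struct.pack("!H", OP_RRQ) + b"filename\x00octet\x00"
    fw.outbound(client, 40000, server, TFTP_PORT, rrq)
    return fw.inbound(server, 51234, client, 40000)   # DATA block 1

if __name__ == "__main__":
    for helper in (False, True):
        print(f"helper loaded={helper}: {first_data_verdict(helper)}")
```

The expectation is scoped to the server address and the client's source port and is consumed by the first matching packet, so the helper does not open the client to unrelated inbound UDP.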
The system-config-firewall could offer an easier way to allow usage of tftp.
Created attachment 341450
Patch to add TFTP and TFTP-client to trusted services.
Fixed in GIT abf0513c2fac32eaebef4190dee092871069c26c
Will be part of next release.
system-config-firewall-1.2.16-3.fc10 has been submitted as an update for Fedora 10.
Please have a look at the testing package, tftp and tftp-client have been added to the services list. Just enable the service you want to use.
system-config-firewall-1.2.16-3.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update system-config-firewall'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5928
A small note, this also affects Fedora Core 11, system-config-firewall-1.2.16-2.fc11.noarch.
I installed the testing package for Fedora 11 and it works perfectly. Thanks for the patch!
system-config-firewall-1.2.16-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.