Bug 494417 - tftp client times out in Fedora 10
tftp client times out in Fedora 10
Product: Fedora
Classification: Fedora
Component: system-config-firewall (Show other bugs)
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-04-06 15:36 EDT by Natxo Asenjo
Modified: 2009-11-11 09:58 EST (History)
4 users (show)

See Also:
Fixed In Version: 1.2.16-3.fc10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-11-11 09:58:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to add TFTP and TFTP-client to trusted services. (1.11 KB, patch)
2009-04-27 11:59 EDT, Thomas Woerner
no flags Details | Diff

  None (edit)
Description Natxo Asenjo 2009-04-06 15:36:23 EDT
Description of problem: the tftp client times out when retrieving a file using the tftp protocol and the firewall is enabled. Disabling the firewall solves the problem.

Version-Release number of selected component (if applicable):

tftp            i386            0.48-6.fc10 

How reproducible:

use the tftp client with a default Fedora 10 installation (the firewall is then enabled), the client will timeout and no file will be transferred. If one disables the firewall then the transfer succeeds.

Steps to Reproduce:
1. open a tftp connexxion from a console with tftp
2. fill the name/ip address of tftp server when prompted (to)
3. get filename 
Actual results:

tftp> get filename
Transfer timed out.

Expected results:

I expect the tftp client to work and get the files I request

Additional info:

Disabling the firewall solves the problem and the files can be retrieved.
Comment 1 Jiri Skala 2009-04-14 04:06:58 EDT
I found from issue description that the problem is in the setting up the firewall. Please, try to adjust firewall and let me know the progress.

Regards Jiri
Comment 2 Natxo Asenjo 2009-04-14 04:27:52 EDT

I had expected that someone at redhat/fedora at least had tested that there was a problem. From your answer I understand that you have not even taken the time to test it/reproduce it. 

If I knew what for firewall settings I had to enable/tweak I would have already done it.

Anyway, I think it is kind of strange of somebody from redhat to ask me to try changing things without giving any clues as to what when I use the standard configuration as delivered from you guys.

A tftp client should just work (TM). I should not have to be testing stuff for copying a file from a tftp server. This is why I filed a bug against it and the whole point of this is to make a better redhat. Or so I thought, correct me if I am wrong.

Comment 3 Jiri Skala 2009-04-14 11:04:26 EDT

I'm worry about little misunderstanding. Therefore I'd like explain a couple of things:

1. I'm a maintainer of tftp. The tftp doesn't work as you suppose due to firewall. I have nothing to do with the firewall. There is another maintainer for firewall issues (btw. I consulted the issue internally = I took care of it).

2. The tftp is not secure protocol and usage of this should be limited on LAN due to security.

3. I estimate (based on item #2) the default firewall configuration blocks tftp due to security. Who want to use it he should know what he is doing (load nf_conntrack_tftp) and he should do that manually.

Regards Jiri
Comment 4 Natxo Asenjo 2009-04-14 12:40:00 EDT

loading the nf_conntrack_tftp module solves the problem indeed. Thanks for the tip.

I fail to see how using a tftp *client* could be seen as a security risk. If you are afraid of the tftp protocol, then you control access to the tftp *server* with firewall rules.

As a sysadmin I expect to trust connections that I initiate. A tftp client falls into this category. Having to load an extra kernel module just to be able to use a tftp client falls in the category *irritating and unnecessary stuff*. Do you know who I have to ask at redhat to get this fixed? This behaviour is not right and should be corrected in a future release.

Anyway, I am glad you gave me the golden clue to solve this 'special' problem. Thanks again.


Comment 5 Jiri Skala 2009-04-27 08:34:21 EDT
The system-config-firewall could offer easier way to allow usage of tftp.
Comment 6 Thomas Woerner 2009-04-27 11:59:27 EDT
Created attachment 341450 [details]
Patch to add TFTP and TFTP-client to trusted services.
Comment 7 Thomas Woerner 2009-05-29 07:18:03 EDT
Fixed in GIT abf0513c2fac32eaebef4190dee092871069c26c

Will be part of next release.
Comment 8 Fedora Update System 2009-06-03 08:46:25 EDT
system-config-firewall-1.2.16-3.fc10 has been submitted as an update for Fedora 10.
Comment 9 Thomas Woerner 2009-06-03 08:48:16 EDT
Please have a look at the testing package, tftp and tftp-client has been added to the services list. Just enable the service you want to use.
Comment 10 Fedora Update System 2009-06-04 17:20:37 EDT
system-config-firewall-1.2.16-3.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-firewall'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-5928
Comment 11 Magnus Glantz 2009-07-06 04:18:26 EDT
A small note, this also affects Fedora Core 11, system-config-firewall-1.2.16-2.fc11.noarch.
Comment 12 Natxo Asenjo 2009-07-08 16:52:54 EDT
I installed the testing package for Fedora 11 and it works perfectly. Thanks for the patch!
Comment 13 Fedora Update System 2009-11-11 09:57:56 EST
system-config-firewall-1.2.16-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.