On Thu, Mar 29, 2018 at 12:48 PM, Asif Iqbal <vadud3 at gmail.com> wrote:> > > On Thu, Mar 29, 2018 at 7:21 AM, Steven Tardy <sjt5atra at gmail.com> wrote: > >> A STATEFUL firewall with ?ip any any? can and will still block asymmetric >> communications due to the firewall keeping track of state (hence tha name >> stateful firewall). >> >> Tcpdump on your servers /other/ NICs and you?ll see the tftp traffic >> leaving your server on some other NIC (probably on with the default >> route). >> > > A (192.168.1.10) > S (192.168.1.20) > > I do not see tftp traffic is leaving from S > > A:~$ tftp > (to) 192.168.1.20 > tftp> get file > Transfer timed out. > > As you can see no pkt is leaving. If it were leaving S, but A were not > receiving then I would think firewall > is dropping it. > > [ S ~]$ sudo tcpdump -A -nniany host 192.168.1.10 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 > bytes > > 16:40:08.390939 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > netascii > E..,J1 at .>..n./...oAt...E..#...file.netascii................... > 16:40:13.391133 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > netascii > E..,N. at .>..../...oAt...E..#...file.netascii................... > 16:40:18.391220 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > netascii > E..,QK at .>..T./...oAt...E..#...file.netascii................... > 16:40:23.391373 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > netascii > E..,T^@.>.. at ./...oAt...E..#...file.netascii................... > 16:40:28.391469 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > netascii > E..,X. at .>..../...oAt...E..#...file.netascii................... > > >I still like some help on this> > >> >> The upstream firewall will then block the tftp response if it never saw >> the >> tftp request (due to asymmetry). >> _______________________________________________ >> CentOS mailing list >> CentOS at centos.org >> https://lists.centos.org/mailman/listinfo/centos >> > > > >-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
have you checked that tftp is added to hosts.allow. syslog may be reporting libwrap errors, libwrap is trcpwrappers regards peter On 11 April 2018 16:57:04 "Asif Iqbal" <vadud3 at gmail.com> wrote:> On Thu, Mar 29, 2018 at 12:48 PM, Asif Iqbal <vadud3 at gmail.com> wrote: > > > > > > > On Thu, Mar 29, 2018 at 7:21 AM, Steven Tardy <sjt5atra at gmail.com> wrote: > > >> > A STATEFUL firewall with ?ip any any? can and will still block asymmetric >> > communications due to the firewall keeping track of state (hence tha name >> > stateful firewall). >> > >> > Tcpdump on your servers /other/ NICs and you?ll see the tftp traffic >> > leaving your server on some other NIC (probably on with the default >> > route). >> > > > > > A (192.168.1.10) > > S (192.168.1.20) > > > > I do not see tftp traffic is leaving from S > > > > A:~$ tftp > > (to) 192.168.1.20 > > tftp> get file > > Transfer timed out. > > > > As you can see no pkt is leaving. If it were leaving S, but A were not > > receiving then I would think firewall > > is dropping it. > > > > [ S ~]$ sudo tcpdump -A -nniany host 192.168.1.10 > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > > listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 > > bytes > > > > 16:40:08.390939 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > > netascii > > E..,J1 at .>..n./...oAt...E..#...file.netascii................... > > 16:40:13.391133 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > > netascii > > E..,N. at .>..../...oAt...E..#...file.netascii................... > > 16:40:18.391220 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > > netascii > > E..,QK at .>..T./...oAt...E..#...file.netascii................... > > 16:40:23.391373 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > > netascii > > E..,T^@.>.. at ./...oAt...E..#...file.netascii................... > > 16:40:28.391469 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" > > netascii > > E..,X. at .>..../...oAt...E..#...file.netascii................... > > > > > > > I still like some help on this > > > > > > >> > >> > The upstream firewall will then block the tftp response if it never saw >> > the >> > tftp request (due to asymmetry). >> > _______________________________________________ >> > CentOS mailing list >> > CentOS at centos.org >> > https://lists.centos.org/mailman/listinfo/centos >> > > > > > > > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centosSent with AquaMail for Android https://www.mobisystems.com/aqua-mail
On Thu, Apr 12, 2018 at 2:25 AM, peter.winterflood < peter.winterflood at ossi.co.uk> wrote:> > have you checked that tftp is added to hosts.allow. > syslog may be reporting libwrap errors, libwrap is trcpwrappers > regards peter > > >yes hosts.allow is wide open and I did test with tcpdmatch and it says granted> > On 11 April 2018 16:57:04 "Asif Iqbal" <vadud3 at gmail.com> wrote: > > On Thu, Mar 29, 2018 at 12:48 PM, Asif Iqbal <vadud3 at gmail.com> wrote: >> >> > >> > >> > On Thu, Mar 29, 2018 at 7:21 AM, Steven Tardy <sjt5atra at gmail.com> >> wrote: >> > >> >>> > A STATEFUL firewall with ?ip any any? can and will still block >>> asymmetric >>> > communications due to the firewall keeping track of state (hence tha >>> name >>> > stateful firewall). >>> > >>> > Tcpdump on your servers /other/ NICs and you?ll see the tftp traffic >>> > leaving your server on some other NIC (probably on with the default >>> > route). >>> > >>> >> > >> > A (192.168.1.10) >> > S (192.168.1.20) >> > >> > I do not see tftp traffic is leaving from S >> > >> > A:~$ tftp >> > (to) 192.168.1.20 >> > tftp> get file >> > Transfer timed out. >> > >> > As you can see no pkt is leaving. If it were leaving S, but A were not >> > receiving then I would think firewall >> > is dropping it. >> > >> > [ S ~]$ sudo tcpdump -A -nniany host 192.168.1.10 >> > tcpdump: verbose output suppressed, use -v or -vv for full protocol >> decode >> > listening on any, link-type LINUX_SLL (Linux cooked), capture size >> 262144 >> > bytes >> > >> > 16:40:08.390939 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" >> > netascii >> > E..,J1 at .>..n./...oAt...E..#...file.netascii................... >> > 16:40:13.391133 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" >> > netascii >> > E..,N. at .>..../...oAt...E..#...file.netascii................... >> > 16:40:18.391220 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" >> > netascii >> > E..,QK at .>..T./...oAt...E..#...file.netascii................... >> > 16:40:23.391373 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" >> > netascii >> > E..,T^@.>.. at ./...oAt...E..#...file.netascii................... >> > 16:40:28.391469 IP 192.168.1.10.35553 > 192.168.1.20.69: 16 RRQ "file" >> > netascii >> > E..,X. at .>..../...oAt...E..#...file.netascii................... >> > >> > >> > >> I still like some help on this >> >> >> > >> > >> >>> > >>> > The upstream firewall will then block the tftp response if it never saw >>> > the >>> > tftp request (due to asymmetry). >>> > _______________________________________________ >>> > CentOS mailing list >>> > CentOS at centos.org >>> > https://lists.centos.org/mailman/listinfo/centos >>> > >>> >> > >> > >> > >> > >> -- >> Asif Iqbal >> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu >> A: Because it messes up the order in which people normally read text. >> Q: Why is top-posting such a bad thing? >> _______________________________________________ >> CentOS mailing list >> CentOS at centos.org >> https://lists.centos.org/mailman/listinfo/centos >> > > > Sent with AquaMail for Android > https://www.mobisystems.com/aqua-mail > > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?