Shorewall users - May 2003 - tftp through shorewall

I''m trying to set up a diskless linux client and shorewall seems to be
blocking my tftp servers response to the client:

May 30 21:01:45 cs6625200-169 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
SRC=192.168.1.1 DST=192.168.1.15 LEN=544 TOS=0x00 PREC=0x00 TTL=64 ID=44500 DF
PROTO=UDP SPT=32890 DPT=2071 LEN=524 
May 31 02:01:45 cs6625200-169 in.tftpd[29190]: tftpd: write: Operation not
permitted

My /etc/shorewall/rules looks like this:

ACCEPT  net fw  tcp 22  -
ACCEPT  masq  fw  tcp 22  -
ACCEPT  loc fw  tcp 22  -
ACCEPT  masq  fw  tcp
domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,netbios-n\s,netbios-dgm,netbios-ssn,tftp
 -
ACCEPT  masq  fw  udp
domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,netbios-n\s,netbios-dgm,netbios-ssn,tftp
 -
ACCEPT  fw  masq  tcp 631,515,137,138,139,22,69 -
ACCEPT  fw  masq  udp 631,515,137,138,139,22,69 -





Here are the details about my setup:

$ sudo /sbin/shorewall version
1.3.14

This is using the Mandrake installation of Shorewall.

$ uname -a
Linux cs6625200-169.austin.rr.com 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST
2003 i686 unknown unknown GNU/Linux

$ ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:29:2b:9f:d2 brd ff:ff:ff:ff:ff:ff
    inet 66.25.200.169/22 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:bf:c0:47 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1

$ ip route show
192.168.1.0/24 dev eth1  scope link 
66.25.200.0/22 dev eth0  proto kernel  scope link  src 66.25.200.169 
127.0.0.0/8 dev lo  scope link 
default via 66.25.200.1 dev eth0 

$ lsmod
Module                  Size  Used by    Tainted: P  
nls_cp437               5148   0 (autoclean)
sg                     34636   0 (autoclean)
nls_cp850               4316   0 (autoclean)
msdos                   7404   0 (autoclean)
vfat                   11820   0 (autoclean)
fat                    37944   0 (autoclean) [msdos vfat]
isofs                  27988   0 (autoclean)
zlib_inflate           21156   0 (autoclean) [isofs]
nls_iso8859-1           3516   0 (autoclean)
udf                    90464   0 (autoclean)
tdfx                   35520   1
agpgart                40896   0 (autoclean) (unused)
floppy                 55132   0 (autoclean)
parport_pc             25096   1 (autoclean)
lp                      8096   0 (autoclean)
parport                34176   1 (autoclean) [parport_pc lp]
ipt_TOS                 1592  12 (autoclean)
ipt_MASQUERADE          2104   1 (autoclean)
ipt_LOG                 4280   5 (autoclean)
ipt_REJECT              3640   4 (autoclean)
ipt_state               1080  64 (autoclean)
iptable_mangle          2712   1 (autoclean)
ip_nat_irc              3280   0 (unused)
ip_nat_ftp              4016   0 (unused)
iptable_nat            21048   3 [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        4304   1
ip_conntrack_ftp        5200   1
ip_conntrack           27264   4 [ipt_MASQUERADE ipt_state ip_nat_irc
ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          2348   1 (autoclean)
ip_tables              14648  10 [ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT
ipt_state iptable_mangle iptable_nat iptable_filter]
au8820                163776   3
soundcore               6276   0 [au8820]
nfsd                   74256   8 (autoclean)
af_packet              14952   2 (autoclean)
8139too                17160   2 (autoclean)
mii                     3832   0 (autoclean) [8139too]
supermount             15296   3 (autoclean)
sr_mod                 16920   0
ide-cd                 33856   0
cdrom                  31648   0 [sr_mod ide-cd]
ide-scsi               11280   0
sd_mod                 13100   0
scsimon                 9280   0 (unused)
usb-storage            72952   0
scsi_mod              103284   7 [sg sr_mod ide-scsi sd_mod scsimon usb-storage]
usb-uhci               24652   0 (unused)
usbcore                72992   1 [usb-storage usb-uhci]
rtc                     8060   0 (autoclean)
ext3                   59916   4
jbd                    38972   4 [ext3]



--
Jason Bodnar
jason@shakabuku.org
http://www.shakabuku.org

"You want free speech? Let''s see you acknowledge a man whose words
make
your blood boil who is standing center stage advocating at the top of
his lungs that which you would spend a lifetime opposing at the top of
yours." -- President Andrew Shephard, "The American President"

On Fri, 30 May 2003 20:40:52 -0600, Jason Bodnar <jason@shakabuku.org> 
wrote:
> I''m trying to set up a diskless linux client and shorewall seems
to be
> blocking my tftp servers response to the client:
>
Netfilter doesn''t support tftp without a kernel module that is only 
available in Patch-O-Matic at http://www.netfilter.org (unless it has been 
included in the 2.4.21-rc kernels -- I haven''t checked them).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

On Fri, 30 May 2003 19:45:20 -0700, Tom Eastep <teastep@shorewall.net> 
wrote:
> On Fri, 30 May 2003 20:40:52 -0600, Jason Bodnar
<jason@shakabuku.org>
> wrote:
>
>> I''m trying to set up a diskless linux client and shorewall
seems to be
>> blocking my tftp servers response to the client:
>>
>
> Netfilter doesn''t support tftp without a kernel module that is
only
> available in Patch-O-Matic at http://www.netfilter.org (unless it has 
> been included in the 2.4.21-rc kernels -- I haven''t checked them).
>
I''ve checked and this support *is* in 2.4.21-rc6.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

On Fri, 30 May 2003 19:45:20 -0700, Tom Eastep wrote
> On Fri, 30 May 2003 20:40:52 -0600, Jason Bodnar 
> <jason@shakabuku.org> wrote:
> 
> > I''m trying to set up a diskless linux client and shorewall
seems to be
> > blocking my tftp servers response to the client:
> >
> 
> Netfilter doesn''t support tftp without a kernel module that is
only
> available in Patch-O-Matic at http://www.netfilter.org (unless it 
> has been included in the 2.4.21-rc kernels -- I haven''t checked
them).
Thanks. Patching my kernel fixed it, I think. No message from netfilter but no
luck tftping. Probably a tftp configuration error on my part.

--
Jason Bodnar
jason@shakabuku.org
http://www.shakabuku.org

"You want free speech? Let''s see you acknowledge a man whose words
make
your blood boil who is standing center stage advocating at the top of
his lungs that which you would spend a lifetime opposing at the top of
yours." -- President Andrew Shephard, "The American President"