On 10/16/2012 10:41 AM, Orion Poplawski wrote:
> I'm trying to enable tftp traffic initiated from our dmz network to our
> internal network. I have:
>
> TFTP(ACCEPT) dmz loc:10.10.10.1
>
> in /etc/shorewall/rules, and:
>
> loadmodule nf_conntrack_tftp
>
> in /etc/shorewall/modules.
>
> The module is loaded and I do see some entries come and go, e.g.:
>
> udp 17 10 src=4.28.99.164 dst=10.10.10.1 sport=2071 dport=69 [UNREPLIED] src=10.10.10.1 dst=4.28.99.164 sport=69 dport=2071 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=2
>
> But it appears that the replies from the client are still being blocked, e.g.:
>
> Oct 16 10:17:34 inferno kernel: [1841301.871809] Shorewall:dmz2loc:REJECT:IN=em2 OUT=em1 MAC=00:b0:d0:df:e3:1e:00:22:19:1d:0c:a4:08:00 SRC=4.28.99.164 DST=10.10.10.1 LEN=32 TOS=0x00 PREC=0x00 TTL=19 ID=17 PROTO=UDP SPT=2072 DPT=35350 LEN=12
>
> Any idea why the client replies are being blocked?
>
> Thanks,
>
> Orion
>
Actually, I think I may have figured it out. The tftp server has two
interfaces, one on the internal network and one on the dmz. I suspect the
replies from the server were going out the dmz network interface and perhaps
not triggering the conntrack module? Anyway, for now I'm just pointing the
tftp client to the dmz interface although I do want to remove the dmz
interface in the future.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
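The symptom above (a TFTP request tracked as UNREPLIED, then the client's next UDP packet to a high server port rejected as NEW) is what you get when the firewall sees the RRQ/WRQ to port 69 but never sees the server's reply from its data port: the nf_conntrack_tftp helper registers an expectation when it sees the request, the server's reply from its data port is what turns that expectation into a RELATED entry, and the client's DATA/ACK packets only pass because they are the reply direction of that entry. The script below, an added example by the editor and not code from the post or from Shorewall, parses nf_conntrack entries and a Shorewall REJECT log line and reports which of those stages is missing. The sample entries are constructed from the ones in the post; the second conntrack table, with a request from client port 2072, is hypothetical and exists only to show the "request seen, reply never seen" case that a server answering out another interface would produce.

```python
"""Relate a Shorewall UDP REJECT log line to nf_conntrack entries to see
whether the rejected packet belongs to a TFTP transfer whose request the
firewall saw but whose server reply it never did.

Editor's added example; not code from the original post or from Shorewall.
All inputs below are constructed, modelled on the entries in the post.
"""
import re

# Constructed: the conntrack entry quoted in the post, on one line.
CONNTRACK_TABLE = """\
udp      17 10 src=4.28.99.164 dst=10.10.10.1 sport=2071 dport=69 [UNREPLIED] src=10.10.10.1 dst=4.28.99.164 sport=69 dport=2071 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=2
"""

# Hypothetical: the same table plus a request from the client port that
# appears in the REJECT log, still unreplied (no server packet seen here).
CONNTRACK_TABLE_WITH_2072 = CONNTRACK_TABLE + """\
udp      17 10 src=4.28.99.164 dst=10.10.10.1 sport=2072 dport=69 [UNREPLIED] src=10.10.10.1 dst=4.28.99.164 sport=69 dport=2072 mark=0 use=2
"""

# Constructed: the Shorewall REJECT line from the post.
REJECT_LINE = (
    "Oct 16 10:17:34 inferno kernel: [1841301.871809] "
    "Shorewall:dmz2loc:REJECT:IN=em2 OUT=em1 "
    "MAC=00:b0:d0:df:e3:1e:00:22:19:1d:0c:a4:08:00 "
    "SRC=4.28.99.164 DST=10.10.10.1 LEN=32 TOS=0x00 PREC=0x00 TTL=19 ID=17 "
    "PROTO=UDP SPT=2072 DPT=35350 LEN=12"
)

TFTP_PORT = 69

_PROTO = re.compile(r"\b(tcp|udp|icmp)\s+\d+")
_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Parse /proc/net/nf_conntrack style lines (original tuple, reply
    tuple, bracketed flags such as UNREPLIED/ASSURED)."""
    entries = []
    for line in text.splitlines():
        proto = _PROTO.search(line)
        tuples = _TUPLE.findall(line)
        if not proto or len(tuples) < 2:
            continue  # icmp or malformed line: no port tuples to inspect
        orig, reply = tuples[0], tuples[1]
        entries.append({
            "proto": proto.group(1),
            "orig": {"src": orig[0], "dst": orig[1],
                     "sport": int(orig[2]), "dport": int(orig[3])},
            "reply": {"src": reply[0], "dst": reply[1],
                      "sport": int(reply[2]), "dport": int(reply[3])},
            "flags": set(re.findall(r"\[(\w+)\]", line)),
        })
    return entries


def parse_reject(line):
    """Pull the 5-tuple out of a Shorewall/netfilter log line."""
    kv = dict(re.findall(r"\b(\w+)=(\S*)", line))
    return {"proto": kv.get("PROTO", "").lower(), "src": kv["SRC"],
            "dst": kv["DST"], "spt": int(kv["SPT"]), "dpt": int(kv["DPT"])}


def diagnose(reject, entries):
    """Explain why a client->server UDP packet was treated as NEW.

    request-seen-reply-missing: the firewall tracked the RRQ/WRQ (so the
    helper had its expectation) but no server reply ever crossed it, so no
    RELATED entry for the data port exists and the client's DATA/ACK to
    that port falls through to the zone policy.  That is the pattern an
    asymmetric path (server answering out another interface) produces.
    """
    if reject["proto"] != "udp":
        return "not-udp"
    control = [e for e in entries
               if e["proto"] == "udp"
               and e["orig"]["dport"] == TFTP_PORT
               and e["orig"]["src"] == reject["src"]
               and e["orig"]["dst"] == reject["dst"]]
    if not control:
        return "no-tftp-request-seen"
    same_port = [e for e in control if e["orig"]["sport"] == reject["spt"]]
    if not same_port:
        return "request-seen-from-other-client-port"
    if all("UNREPLIED" in e["flags"] for e in same_port):
        return "request-seen-reply-missing"
    return "request-replied"


if __name__ == "__main__":
    rej = parse_reject(REJECT_LINE)
    for label, table in (("post", CONNTRACK_TABLE),
                         ("hypothetical", CONNTRACK_TABLE_WITH_2072)):
        print(label, diagnose(rej, parse_conntrack(table)))
```

On a live box, feed it `cat /proc/net/nf_conntrack` and the REJECT lines from the kernel log taken within the entry's timeout; a result of request-seen-reply-missing while the transfer is otherwise succeeding means the server's reply is reaching the client by a path that bypasses this firewall, which is exactly the two-interface situation described above.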