On 11/16/2009 04:09 PM, Jim Freeman wrote:
> At times our tftp servers are quite busy.
> Our network folk are rebuilding, and are anxious to tighten security.
>
> They hope to only allow tftp traffic on port 69, coming and going.
> This would bypass the RFC1350 client TID=ephemeral and server ACK
> TID=!69.
>
> Is there any chance tftpd-hpa would do this with "-R 69:69", or would
> this require tftpd-hpa to be threaded, with a hairier connection lookup?
> Can the syslinux client be constrained to send tftp from port 69?
>
> [ googling, R'ing TFM, and even glancing briefly at the code don't
> provide quick clarity ...]
>
-R 69:69 should work, but may induce failure modes you would otherwise
not see. The ephemeral TID is there for a reason; it provides some
assurance that the transfer you're looking for is the one you want.
The Syslinux client should by and large not be affected, as it avoids
port number reuse on the client end; however, not all TFTP clients do.
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
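The failure mode hpa alludes to, as an added example that is not part of the thread and is not tftpd-hpa or Syslinux code: an in-memory model of RFC 1350 transfer identifiers. A packet is just a tuple (src_port, dst_port, payload), so nothing touches the network. The server demultiplexes on (client port, server TID), which is all a UDP server has to go on for a single client IP. With ephemeral server TIDs two back-to-back reads from one client port stay distinct; with the server pinned to port 69 they collide unless the client avoids port reuse, which is exactly what makes Syslinux safe and other clients not. The client side shows the check the TID buys: once a DATA packet fixes the peer TID, DATA from any other port gets an "Unknown transfer ID" error instead of corrupting the transfer. File names, port numbers and file contents are constructed for the example.

```python
"""In-memory model of RFC 1350 TIDs (added example, not tftpd-hpa code)."""
import itertools
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
ERR_UNKNOWN_TID = 5        # RFC 1350 error code "Unknown transfer ID"
TFTP_PORT = 69

# Constructed sample files, each under one 512-byte block so a single
# DATA/ACK round trip completes the transfer.
FILES = {"pxelinux.0": b"A" * 100, "ldlinux.c32": b"B" * 100}


def build_rrq(name, mode="octet"):
    return struct.pack("!H", OP_RRQ) + name.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_error(code, msg):
    return struct.pack("!HH", OP_ERROR, code) + msg.encode() + b"\0"


def opcode(pkt):
    return struct.unpack("!H", pkt[:2])[0]


class Server:
    """Answers RRQs arriving on port 69.  fixed_tid=None: every transfer is
    sent from a fresh ephemeral port (its TID), as RFC 1350 requires.
    fixed_tid=69: models what "-R 69:69" asks for, DATA always from port 69."""

    def __init__(self, files, fixed_tid=None):
        self.files = files
        self.fixed_tid = fixed_tid
        self._tids = itertools.count(40000)      # hypothetical ephemeral range
        self.transfers = {}                      # (client_port, server_tid) -> file

    def receive(self, src_port, dst_port, pkt):
        """Handle one inbound packet; return the list of packets to send."""
        if dst_port == TFTP_PORT and opcode(pkt) == OP_RRQ:
            name = pkt[2:].split(b"\0")[0].decode()
            tid = self.fixed_tid or next(self._tids)
            # With a fixed TID and a reused client port this key repeats and
            # the earlier transfer is silently clobbered.
            self.transfers[(src_port, tid)] = name
            return [(tid, src_port, build_data(1, self.files[name]))]
        name = self.transfers.get((src_port, dst_port))
        if name is None:
            return [(dst_port, src_port, build_error(ERR_UNKNOWN_TID, "Unknown transfer ID"))]
        if opcode(pkt) == OP_ACK:
            del self.transfers[(src_port, dst_port)]   # single block: done
        return []


class Client:
    """One read in progress.  The first DATA packet fixes the server's TID;
    anything from another port is answered with an error and ignored."""

    def __init__(self, port):
        self.port, self.server_tid, self.data = port, None, None

    def request(self, name):
        return (self.port, TFTP_PORT, build_rrq(name))

    def receive(self, src_port, dst_port, pkt):
        if dst_port != self.port or opcode(pkt) != OP_DATA:
            return []
        if self.server_tid is None:
            self.server_tid = src_port
        elif src_port != self.server_tid:
            return [(self.port, src_port, build_error(ERR_UNKNOWN_TID, "Unknown transfer ID"))]
        self.data = pkt[4:]
        return [(self.port, src_port, struct.pack("!HH", OP_ACK, 1))]


def server_transfers_for_two_reads(fixed_tid, client_ports):
    """Two RRQs arrive from client_ports before either is ACKed.  Returns the
    files the server still knows it is serving."""
    srv = Server(FILES, fixed_tid)
    srv.receive(client_ports[0], TFTP_PORT, build_rrq("pxelinux.0"))
    srv.receive(client_ports[1], TFTP_PORT, build_rrq("ldlinux.c32"))
    return sorted(srv.transfers.values())


def client_rejects_foreign_tid():
    """Returns (payload the client kept, opcode sent back to a stray DATA
    packet that arrived from a port other than the locked-in server TID)."""
    srv, cli = Server(FILES), Client(2001)
    (tid, _, data), = srv.receive(*cli.request("pxelinux.0"))
    cli.receive(tid, 2001, data)                                  # locks on to tid
    stray = cli.receive(tid + 1, 2001, build_data(1, b"X" * 100))  # wrong TID
    return cli.data, opcode(stray[0][2])


if __name__ == "__main__":
    print("ephemeral TIDs, same client port:", server_transfers_for_two_reads(None, (2001, 2001)))
    print("fixed 69, same client port:     ", server_transfers_for_two_reads(69, (2001, 2001)))
    print("fixed 69, fresh client ports:   ", server_transfers_for_two_reads(69, (2001, 2002)))
    print("client vs. foreign TID:         ", client_rejects_foreign_tid())
```

The third case is the Syslinux one: a client that takes a fresh port for every request keeps the (client port, 69) key unique even when the server never changes its TID, so pinning the server to 69 mostly costs it the transfers from clients that do reuse their port, plus the weaker peer check on the client side.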