www.unix.org.ua

[rouven_heim]

Hi,

I need restricted access to another VLAN for TFTP traffic. So I´ve created an ACL like this:
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp
I add this ACL to the source interface (192.168.30.0) as INCOMING.

The tftp request to the tftp server is established and the tftp server answers with an random port to request for the file transfer.
Here´s the problem. Because of the random port the ACL blocks the file transfer.


Any Idea?
Grettings,
Rouven

[jorge_calvo]

Hello,

TFTP uses both UDP and TCP ports for the transfers so I would try with a permit for TFTP TCP port.


Hope this helps.

[rouven_heim]

Hello,

thanks for your reply. But using TCP doesn´t solve the problem. The tftp server responds with a random udp port and this random udp port is not allowed by the incoming acl of the source VLAN.


Greetings,
Rouven

[ganeshh_iyer]

Rouven,

TFTP typically uses UDP as its transport protocol, but it is not a requirement. Data transfer is initiated on port 69, but the data transfer ports are chosen independently by the send and receiver during initialization of the connection. The ports are chosen at random and must be in the range 0–65535.

Genrally what happens when you apply acl for only tftp on protocol udp

* From the original case, PC initiates a TFTP session from an arbitrary port at its side to server port 69 (conventional TFTP port for initiating TFTP session). Server then acknowledges from an arbitrary port PC at its side. The following exchanges occur between PC and Server. (Ports PC and Server are commonly named transfer identifiers as referred into RFC 1350 relative to TFTP specification.

* Thence the ACL entry defined as "permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp" only allows the first exchange from PC to Server and back. Because of the varying values of PC and Server -- distinct from 69 (TFTP initial port) -- and of no matching criteria in the ACL, the TFTP data transfer is not permitted.


As part of solutions, I would think about providing one of the following implementations of ACL.

* Adding the ACL entry "permit udp host 192.168.30.0 0.0.0.255 host 192.168.40.10 gt 1024" (in addition with ACL "permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp"): with the assumption that PC and Server are chosen greater than 1024, otherwise this value could be adapted. The main drawback of this solution is to allow whatever UDP datagram on port over 1024 which may be over what one wishes to permit.

* Adding the ACL entry "permit udp host 192.168.30.0 0.0.0.255 eq X host 192.168.40.10" (in addition with ACL "permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp"): where X is a pre-defined integer (greater than 1024).


Hope to Help !!
Ganesh.H

[rouven_heim]

Hi Ganesh,

Windows 2003, on which the tftp server resides, use the range 1025 to 5000 as ephemeral ports. So I´ve decited to use the following acl:

permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp

This has the drawback you´ve already said. But actually I see no other way to solve the problem.

Thank you for your support!


Greetings,
Rouve

[ganeshh_iyer]

Hi Rouven,

As i said earlier also we need to permit the data transfer ports for tftp which is taken dynamically by both client and server,As per the traffic flow try the following acl and share the results

permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000


Hope to Help !!
Ganesh.H

[rouven_heim]

Hi,

the ACL works fine!


Thank you!
Greetings,
Rouven