16 Replies Latest reply on Apr 24, 2015 2:57 PM by Bill Robinson

    bsa tftp server portrange

    Raja Mohan

      Hi,

      I am trying to figure out how to allow tftp through a firewall. Is port-range an accepted keyword for the tftp.conf/tftpd server used with BSA?

      Can I use port-range to limit the use of ephemeral ports?

      port-range=69:69

      Can I restrict it even further by using this line (presuming the network is on 192.168.10.x)?

      192.168.10.1-192.168.10.250.port-range=69-69

        • 1. Re: bsa tftp server portrange
          Bill Robinson

          I believe tftp listens on 69/udp, so that would need to be allowed in your firewall(s) between the target and the BSA PXE/TFTP server (with the target initiating the connection). I'm not sure why you are trying to limit ephemeral ports. Most firewalls are stateful now, so if 69/udp is allowed, the responses will be allowed back as part of the rule.

          • 2. Re: bsa tftp server portrange
            Raja Mohan

            I get a time out:

            [02 Apr 2015 17:20:14,459] [Thread-0] [INFO] Received read request from /xx.xx.xx.220
            [02 Apr 2015 17:20:14,459] [Thread-0] [INFO] Requested filename: X86PC/pxelinux/pxelinux.0
            [02 Apr 2015 17:20:14,459] [Thread-115526] [INFO] Sending file : /opt/bsa/bladelogic/NSH/tftproot/X86PC/pxelinux/pxelinux.0
            [02 Apr 2015 17:21:12,428] [Thread-115524] [ERROR] Receive timed out
            [02 Apr 2015 17:21:14,458] [Thread-115525] [ERROR] Receive timed out

            and also on the PXE client I receive:

            PXE-E35: TFTP Read timeout and PXE-E39 TFTP cannot read from connection

            • 3. Re: bsa tftp server portrange
              Raja Mohan

              Bill Robinson, I ran a tcpdump and noticed traffic on these ports:

              17:10:46.279509 IP xxx.xxx.xxx.220.ah-esp-encap > xxxx.com.tftp:  42 RRQ "X86PC/pxelinux/pxelinux.0" octet tsize 0
              17:10:46.283456 IP xxxx.com.39623 > xxx.xxx.xxx.220.ah-esp-encap: UDP, length 14
              17:10:48.304481 IP xxx.xxx.xxx.220.acp-port > xxxx.com.tftp:  42 RRQ "X86PC/pxelinux/pxelinux.0" octet tsize 0
              17:10:48.305514 IP xxxx.com.39624 > xxx.xxx.xxx.220.acp-port: UDP, length 14
              17:10:48.305921 IP xxx.xxx.xxx.220.msync > xxxx.com.tftp:  47 RRQ "X86PC/pxelinux/pxelinux.0" octet blksize 1456
              17:10:48.308924 IP xxxx.com.39625 > xxx.xxx.xxx.220.msync: UDP, length 516

              I don't see ports 2070 and 2071 documented on the automation ports page:

              BMC Server Automation ports - BMC Server Automation 8.3 - BMC Documentation

              Do I need to make ACL changes to allow communication to those ports? I had previously requested that they allow all incoming traffic from the PXE client ports documented on that page.

              On a secondary note, I set the port range on a per-client basis and it doesn't seem to have any effect:

              xxx.xxx.xxx.220.port-range=69:69
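The trace above already contains the answer to the "where are 2070 and 2071 coming from" question, and a small parser makes it visible. This is an added example, not code from the thread or from BMC: it reads the six tcpdump lines as posted (same host placeholders), maps the service names tcpdump prints when run without -n back to port numbers (the IANA /etc/services entries: tftp 69, ah-esp-encap 2070, acp-port 2071, msync 2072), and pairs each RRQ with the server port that answered it. The point a firewall engineer needs is in the last function: every reply leaves the server from an ephemeral port (39623, 39624, 39625 here), never from 69, so an ACL that permits only 69/udp and matches the return leg on the exact 5-tuple never sees a matching packet unless the device is TFTP-aware (Linux netfilter has the nf_conntrack_tftp helper for exactly this).

```python
"""Extract the UDP port pairs from the tcpdump lines in the post. Added example."""
import re

# tcpdump resolves port numbers to names via /etc/services unless run with -n.
# These are the IANA names that appear in the trace (assumed standard /etc/services).
SERVICES = {"tftp": 69, "ah-esp-encap": 2070, "acp-port": 2071, "msync": 2072}

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+):\s*(?P<rest>.*)$")

# The six lines exactly as posted in the thread, host names left as the poster masked them.
TRACE = """\
17:10:46.279509 IP xxx.xxx.xxx.220.ah-esp-encap > xxxx.com.tftp:  42 RRQ "X86PC/pxelinux/pxelinux.0" octet tsize 0
17:10:46.283456 IP xxxx.com.39623 > xxx.xxx.xxx.220.ah-esp-encap: UDP, length 14
17:10:48.304481 IP xxx.xxx.xxx.220.acp-port > xxxx.com.tftp:  42 RRQ "X86PC/pxelinux/pxelinux.0" octet tsize 0
17:10:48.305514 IP xxxx.com.39624 > xxx.xxx.xxx.220.acp-port: UDP, length 14
17:10:48.305921 IP xxx.xxx.xxx.220.msync > xxxx.com.tftp:  47 RRQ "X86PC/pxelinux/pxelinux.0" octet blksize 1456
17:10:48.308924 IP xxxx.com.39625 > xxx.xxx.xxx.220.msync: UDP, length 516
"""


def endpoint(text):
    """Split 'host.port' as tcpdump prints it; resolve a service name to its number."""
    host, port = text.rsplit(".", 1)
    return host, int(port) if port.isdigit() else SERVICES[port]


def parse_trace(text):
    """One dict per packet: timestamp, both endpoints with numeric ports, and the summary."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = endpoint(m["src"])
        dst, dport = endpoint(m["dst"])
        packets.append({"ts": m["ts"], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "info": m["rest"]})
    return packets


def group_transfers(packets, server_port=69):
    """Key each transfer by the client (host, TID) and record the server TID that answered."""
    transfers = {}
    for p in packets:
        if p["dport"] == server_port:                     # request: client TID -> 69
            transfers[(p["src"], p["sport"])] = {"request": p["info"],
                                                 "server_tid": None, "replies": 0}
        elif (p["dst"], p["dport"]) in transfers:         # reply: server TID -> client TID
            t = transfers[(p["dst"], p["dport"])]
            t["server_tid"] = p["sport"]
            t["replies"] += 1
    return transfers


def non_69_reply_ports(transfers, server_port=69):
    """Server source ports that a 'permit 69/udp only' rule never matches on the return leg."""
    return sorted({t["server_tid"] for t in transfers.values()
                   if t["server_tid"] not in (None, server_port)})


if __name__ == "__main__":
    ts = group_transfers(parse_trace(TRACE))
    for (host, ctid), t in ts.items():
        print("client %s:%d  answered from server port %s  (%d reply): %s"
              % (host, ctid, t["server_tid"], t["replies"], t["request"]))
    print("server reply ports other than 69/udp:", non_69_reply_ports(ts))
```

Each RRQ in the posted trace gets exactly one reply and then goes silent, which is what a dropped return leg looks like; the client retries from the next TID (2070, 2071, 2072) and the server answers from the next ephemeral port each time.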

              • 4. Re: bsa tftp server portrange
                Bill Robinson

                 I don't see ports 2070 and 2071 listed, so where are you seeing those?

                 This is very simple - the PXE targets need to talk to the tftp server on 69/udp. Is there some issue preventing you from provisioning with that port open?

                 It's unclear what 'port-range' means - is that tcp? udp? And from what source to what destination?

                • 5. Re: bsa tftp server portrange
                  Bill Robinson

                  Ok, so it seems to be getting the tftp request... so it's getting through at least.

                  What is the network path between the PXE target and the PXE/TFTP server?

                  • 6. Re: bsa tftp server portrange
                    Raja Mohan

                    It is on a different VLAN on the same switch, with restrictions implemented using ACLs.

                    • 7. Re: bsa tftp server portrange
                      Bill Robinson

                      Ok, I have no idea what your specific switch needs to have done. You need to make sure that the PXE targets can make a tftp request to the tftp server and pull the various files down. That doesn't seem to be happening, so you should talk to your network team about it.

                      • 8. Re: bsa tftp server portrange
                        Mike Jones

                        This works for us (along with the BMI callback & PXE server to DB):

                        Source                Destination           Port/Protocol                      Purpose
                        Managed server VLANs  BSA build servers     67/UDP, 68/UDP, 69/UDP, 4011/UDP   DHCP & PXE
                        BSA build servers     Managed server VLANs  67/UDP, 68/UDP, 69/UDP, 4011/UDP   DHCP & PXE
                        Managed server VLANs  BSA build servers     2071-2080/UDP                      TFTP
                        BSA build servers     Managed server VLANs  2071-2080/UDP                      TFTP
                        Managed server VLANs  BSA build servers     135-139/TCP, 445/TCP               Windows provisioning, read files from the datastore
                        Managed server VLANs  BSA build servers     80/TCP                             Linux provisioning, read files from the datastore

                        • 9. Re: bsa tftp server portrange
                          Bill Robinson

                          Why do you need 2071-2080/udp open ?  tftp should operate on 69/udp.

                          • 10. Re: bsa tftp server portrange
                            Raja Mohan

                            Bill Robinson, as per RFC 1350 only the original RRQ happens on port 69. When the tftp server replies, it responds to the TID (which is the client port from the prior RRQ) using an ephemeral port. From then on, all communication between the server (ephemeral) and the client (in my case it has been 2070/2071) happens on those ports for data transmission. As per the RFC this is to allow new requests to be received by the TFTP server.

                            From what I see in the network dumps so far, the original request always seems to start at port 2070 on the client side for the first RRQ. The second RRQ goes to 2071, but I must capture a dump where things work properly to see if there are any other ports required.

                            Mike Jones, I have the following ports allowed for traffic from the client:

                            67, 69, 80, 445, 4011, 9831, 4750

                            As you can see from the network traces, it is not any of those ports. I have not hit the provisioning process yet where port 445 or 80 is used. SMB over TCP should work on 445 and should not require 135/139 in theory :-) but I would know when I hit that portion.

                            Edited the RFC... it had 150 instead of 1350
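The TID behaviour described in the post, run end to end as an added example (not code from the thread, from BMC, or from any TFTP server): a minimal RFC 1350 read on loopback with both sides in one file. Assumptions: the listening socket binds an OS-chosen port that stands in for 69/udp (binding 69 needs root), the filename is the one from the log lines earlier in the thread, and the server honours only the tsize option (RFC 2349) and answers it with an OACK, which is what a 14-byte first reply is consistent with; blksize is ignored. `run_demo()` returns the three port pairs a firewall has to carry: client TID to the listening port for the RRQ, server TID to client TID for OACK/DATA, client TID to server TID for ACKs. Only the first of the three involves port 69.

```python
"""RFC 1350 read exchange on loopback. Hypothetical demo code: the RRQ arrives on the
listening port, every later packet travels between two freshly chosen TIDs."""
import socket
import struct
import threading

RRQ, DATA, ACK, ERROR, OACK = 1, 3, 4, 5, 6
BLKSIZE = 512            # RFC 1350 default; this toy server ignores blksize requests
LOOPBACK = "127.0.0.1"
FILENAME = "X86PC/pxelinux/pxelinux.0"   # name taken from the log lines in the thread

def build_rrq(filename, mode="octet", options=None):
    """RRQ: opcode 1, filename, mode, then optional RFC 2347 name/value pairs, NUL-terminated."""
    pkt = struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"
    for name, value in (options or {}).items():
        pkt += name.encode() + b"\0" + str(value).encode() + b"\0"
    return pkt

def parse_rrq(pkt):
    if struct.unpack("!H", pkt[:2])[0] != RRQ:
        raise ValueError("not an RRQ")
    fields = pkt[2:].split(b"\0")[:-1]        # drop the empty item after the final NUL
    opts = {k.decode(): v.decode() for k, v in zip(fields[2::2], fields[3::2])}
    return fields[0].decode(), fields[1].decode().lower(), opts

def serve_one(listen_sock, files):
    """Answer one RRQ: only the request touches the listening socket; OACK and DATA come
    from a new socket whose OS-chosen port is the server TID. Returns that TID."""
    pkt, client = listen_sock.recvfrom(1500)
    filename, _mode, opts = parse_rrq(pkt)
    body = files[filename]
    tid = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tid.bind((LOOPBACK, 0))
    tid.settimeout(2)
    if "tsize" in opts:                       # RFC 2349: answer tsize with an OACK, expect ACK 0
        tid.sendto(struct.pack("!H", OACK) + b"tsize\0" + str(len(body)).encode() + b"\0", client)
        if tid.recvfrom(1500)[0] != struct.pack("!HH", ACK, 0):
            raise RuntimeError("client did not ACK the OACK")
    block, offset = 1, 0
    while True:
        chunk = body[offset:offset + BLKSIZE]
        tid.sendto(struct.pack("!HH", DATA, block) + chunk, client)
        if tid.recvfrom(1500)[0] != struct.pack("!HH", ACK, block):
            raise RuntimeError("bad or missing ACK for block %d" % block)
        if len(chunk) < BLKSIZE:              # a short (possibly empty) block ends the transfer
            break
        block, offset = block + 1, offset + BLKSIZE
    server_tid = tid.getsockname()[1]
    tid.close()
    return server_tid

def fetch(server_addr, filename):
    """Client: RRQ to the server port, then lock onto the source port of the first reply
    (the server TID) and send every ACK there."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LOOPBACK, 0))                  # the client TID, chosen by the OS
    sock.settimeout(2)
    sock.sendto(build_rrq(filename, options={"tsize": 0}), server_addr)
    data, expected, peer = b"", 1, None
    while True:
        pkt, src = sock.recvfrom(4 + BLKSIZE)
        if peer is None:
            peer = src                        # RFC 1350: the reply's source port is the server TID
        elif src != peer:
            continue                          # packet from a foreign TID: ignore it
        op, arg = struct.unpack("!HH", pkt[:4])
        if op == OACK:
            sock.sendto(struct.pack("!HH", ACK, 0), src)
        elif op == ERROR:
            raise RuntimeError("TFTP error %d: %r" % (arg, pkt[4:-1]))
        elif op == DATA and arg == expected:
            data += pkt[4:]
            sock.sendto(struct.pack("!HH", ACK, arg), src)
            expected += 1
            if len(pkt) - 4 < BLKSIZE:
                break
    result = {"client_tid": sock.getsockname()[1], "server_tid": peer[1], "data": data}
    sock.close()
    return result

def run_demo(body=bytes(range(256)) * 5):    # 1280 bytes: two full blocks plus a 256-byte tail
    """Run server and client on loopback and report which ports each packet type used."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind((LOOPBACK, 0))                # stands in for 69/udp, which needs root to bind
    listen.settimeout(5)
    listen_port = listen.getsockname()[1]
    seen = {}
    worker = threading.Thread(target=lambda: seen.update(server_tid=serve_one(listen, {FILENAME: body})))
    worker.start()
    got = fetch((LOOPBACK, listen_port), FILENAME)
    worker.join()
    listen.close()
    got["listen_port"] = listen_port
    got["server_tid_seen_by_server"] = seen.get("server_tid")
    got["flows"] = [("RRQ", got["client_tid"], listen_port),              # the only packet to "69"
                    ("OACK/DATA", got["server_tid"], got["client_tid"]),  # server TID -> client TID
                    ("ACK", got["client_tid"], got["server_tid"])]        # client TID -> server TID
    return got
```

Run `run_demo()` and print its `flows` list to see the port pairs; the `server_tid` entry will differ from `listen_port` on every run, which is the behaviour a "69/udp only" rule without a TFTP helper cannot accommodate.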

                            • 11. Re: bsa tftp server portrange
                              Bill Robinson

                              Ok – then maybe my iptables rules are handling it silently, but on my PXE server I only have 67-69/udp, 4011/udp and 80/tcp open.

                              • 12. Re: bsa tftp server portrange
                                Mike Jones

                                I agree that you shouldn't need 135-139; it should all work over 445 - we just added these just in case, without looking into it in too much detail.

                                I suspect if you add the two-way 2071-2080/UDP it should start working.

                                • 13. Re: bsa tftp server portrange
                                  Raja Mohan

                                  Thanks, that was going to be my next step: to allow traffic from 2070-71 to the tftp server.

                                  Did you have to add anything specific to tftp.conf for the port range? I don't see those port ranges on the server side... just the client side.

                                  • 14. Re: bsa tftp server portrange
                                    Mike Jones

                                    Raja,

                                    There is nothing special in tftp.conf, so whatever is in there by default.

                                    There is a chance that not all the ports and all the directions in my table above are required, but I can confirm that this works if it is set up on a firewall, as this is what we use as a standard.
