# [Solved] shorewall doesn't allow tftp

## solamour

I've been using dnsmasq, dnsmasq's built-in tftp, and pxelinux to boot some of my machines over the network. Then suddenly I'm getting the following error message from all clients.

```
pxe-e32 tftp open timeout
```

To make sure I'm not overlooking anything, I temporarily disabled shorewall, and sure enough, network booting started working. When shorewall is enabled, everything (except tftp) works as expected.

Here is the relevant rule in shorewall.

```
/etc/shorewall/rules:

TFTP/ACCEPT  loc  $FW
```

I haven't touched the shorewall configuration files for a while, so I'm not sure what I did that broke it. Any suggestions are welcome.

__

sol

Last edited by solamour on Tue Sep 28, 2010 12:42 am; edited 1 time in total

----------

## BradN

tftp uses udp, so if you have any rules that block udp, make sure to work around that.

----------

## solamour

To see what was happening, I looked at shorewall's log, and sure enough, the client was getting an IP, but tftp wasn't able to send the file to the client.

```
# grep -i 192.168.0.206 /var/log/everything/current
Sep 27 17:01:44 [dnsmasq-dhcp] DHCPOFFER(eth1) 192.168.0.206 08:00:27:8d:14:a7
Sep 27 17:01:46 [dnsmasq-dhcp] DHCPREQUEST(eth1) 192.168.0.206 08:00:27:8d:14:a7
Sep 27 17:01:46 [dnsmasq-dhcp] DHCPACK(eth1) 192.168.0.206 08:00:27:8d:14:a7
Sep 27 17:01:46 [dnsmasq-tftp] sent /var/tftp/pxelinux.0 to 192.168.0.206
Sep 27 17:01:46 [kernel] [1612115.727417] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.206 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2697 PROTO=UDP SPT=33511 DPT=2070 LEN=22
Sep 27 17:01:48 [kernel] [1612117.480613] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.206 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2698 PROTO=UDP SPT=33511 DPT=2070 LEN=22
Sep 27 17:01:48 [dnsmasq-tftp] sent /var/tftp/pxelinux.0 to 192.168.0.206
Sep 27 17:01:48 [kernel] [1612117.747532] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.206 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2699 PROTO=UDP SPT=49197 DPT=2071 LEN=22
Sep 27 17:01:50 [kernel] [1612119.251101] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.206 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2700 PROTO=UDP SPT=49197 DPT=2071 LEN=22
Sep 27 17:01:51 [kernel] [1612120.252569] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.206 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2701 PROTO=UDP SPT=33511 DPT=2070 LEN=22
Sep 27 17:01:53 [kernel] [1612122.255633] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.206 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2702 PROTO=UDP SPT=49197 DPT=2071 LEN=22
```

I thought "TFTP/ACCEPT  loc  $FW" in "/etc/shorewall/rules" was enough for network booting to work, but apparently that doesn't seem to be the case.

I added the following, and the problem went away.

```
/etc/shorewall/policy:

$FW   loc   ACCEPT
```

This is somewhat strange, because it worked well in the past without the extra policy. Something must have changed during "emerge -vDu world". Thank you everyone for your response.

__

sol

----------

## solamour

I did further reading, and here is what I found.

Instead of allowing all traffic from "$FW" to "loc", I think it's better if we allow only what's needed. For example, with the following line, I can restrict what port TFTP will use (only 2070, in this case).

```
/etc/dnsmasq.conf:

tftp-port-range=2070,2070
```

Then shorewall allows traffic from "$FW" to "loc" only when it's UDP and the source port is 2070.

```
/etc/shorewall/rules:

ACCEPT   $FW   loc   udp   -   2070
```

__

sol
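The two posts above make one point together: the loc to $FW rule admits the TFTP request on UDP/69, but dnsmasq answers from a fresh ephemeral source port (SPT=33511, 49197 in the log), so each reply is a new $FW to loc flow that the all2all policy rejects; pinning the server port with tftp-port-range and allowing only that source port is the narrow fix. The script below is an added example, not from the thread or from Shorewall or dnsmasq. It parses Shorewall REJECT lines and dnsmasq-tftp "sent" lines from a constructed log modelled on the excerpt, reports the stranded TFTP replies, and checks the final rule `ACCEPT $FW loc udp - 2070` against those flows before and after the server port is pinned. It assumes (not stated in the thread) that eth1 is the "loc" interface and that an empty IN= field marks a packet generated on the firewall itself.

```python
"""Correlate Shorewall REJECT log lines with dnsmasq TFTP transfers.

Added example (not from the forum thread, not Shorewall or dnsmasq code).
Assumptions: eth1 is the "loc" zone interface; an empty IN= field means the
packet originated on the firewall ($FW).
"""
import re
from collections import namedtuple

# Constructed sample, patterned after the log excerpt in the thread.
# The last line is a non-TFTP reject added to show it is filtered out.
SAMPLE_LOG = """\
Sep 27 17:01:46 [dnsmasq-tftp] sent /var/tftp/pxelinux.0 to 192.168.0.206
Sep 27 17:01:46 [kernel] [1612115.727417] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.206 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2697 PROTO=UDP SPT=33511 DPT=2070 LEN=22
Sep 27 17:01:48 [kernel] [1612117.747532] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.206 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=2699 PROTO=UDP SPT=49197 DPT=2071 LEN=22
Sep 27 17:02:10 [kernel] [1612140.000000] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.254 DST=192.168.0.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2710 PROTO=TCP SPT=44123 DPT=22 LEN=40
"""

ZONE_OF_IFACE = {"eth1": "loc"}  # assumption: eth1 faces the LAN ("loc") zone

Packet = namedtuple("Packet", "src_zone dst_zone src dst proto spt dpt")
Rule = namedtuple("Rule", "action source dest proto dport sport")

REJECT_RE = re.compile(
    r"Shorewall:(?P<chain>\S+?):REJECT:IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
TFTP_SENT_RE = re.compile(r"\[dnsmasq-tftp\] sent (?P<path>\S+) to (?P<client>\S+)")


def zone(iface):
    # An empty interface in IN= means the packet was generated locally ($FW).
    return "$FW" if iface == "" else ZONE_OF_IFACE.get(iface, "net")


def parse_rejects(log_text):
    """Turn each Shorewall REJECT line into a Packet with zones resolved."""
    packets = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        packets.append(Packet(
            src_zone=zone(m["in"]), dst_zone=zone(m["out"]),
            src=m["src"], dst=m["dst"], proto=m["proto"].lower(),
            spt=int(m["spt"]) if m["spt"] else None,
            dpt=int(m["dpt"]) if m["dpt"] else None))
    return packets


def tftp_clients(log_text):
    """Hosts that dnsmasq reports having served a file over TFTP."""
    return {m["client"] for m in TFTP_SENT_RE.finditer(log_text)}


def stranded_tftp_replies(log_text):
    """Rejected $FW->loc UDP packets aimed at a host dnsmasq just served.

    These are the TFTP data packets the server sends from its new ephemeral
    port; conntrack sees them as a new flow, so the all2all policy drops them.
    """
    clients = tftp_clients(log_text)
    return [p for p in parse_rejects(log_text)
            if p.src_zone == "$FW" and p.dst_zone == "loc"
            and p.proto == "udp" and p.dst in clients]


def parse_rule(line):
    # /etc/shorewall/rules columns: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT
    fields = line.split()
    fields += ["-"] * (6 - len(fields))
    return Rule(*fields[:6])


def rule_matches(rule, pkt):
    def port_ok(spec, port):
        return spec == "-" or port == int(spec)
    return (rule.source == pkt.src_zone and rule.dest == pkt.dst_zone
            and (rule.proto == "-" or rule.proto == pkt.proto)
            and port_ok(rule.dport, pkt.dpt) and port_ok(rule.sport, pkt.spt))


def accepted_by(rule_line, packets):
    """Packets an ACCEPT rule line would let through."""
    rule = parse_rule(rule_line)
    return [p for p in packets if rule.action == "ACCEPT" and rule_matches(rule, p)]


def with_pinned_server_port(packets, port=2070):
    """Model dnsmasq's tftp-port-range=2070,2070: every TFTP data packet
    now leaves the server with source port 2070 instead of an ephemeral one."""
    return [p._replace(spt=port) for p in packets]


if __name__ == "__main__":
    stranded = stranded_tftp_replies(SAMPLE_LOG)
    for p in stranded:
        print(f"TFTP data {p.src}:{p.spt} -> {p.dst}:{p.dpt} rejected ($FW->loc, no matching rule)")
    rule = "ACCEPT   $FW   loc   udp   -   2070"
    print("matched by the rule with ephemeral server ports:", len(accepted_by(rule, stranded)))
    print("matched after tftp-port-range=2070,2070:",
          len(accepted_by(rule, with_pinned_server_port(stranded))))
```

Run it as-is to see the two stranded replies; the rule matches none of them until the server port is pinned, which is exactly why the source-port rule only works together with the dnsmasq setting. The same filter can be pointed at a real syslog by replacing SAMPLE_LOG with the file contents, after adjusting ZONE_OF_IFACE to the local interface-to-zone mapping.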

----------

## BradN

It's good you got it sorted :)

----------

## solamour

BradN:

Your tip on "TFTP is using UDP" was the key. Thank you.

__

sol

----------