# [SOLVED] xinetd + tftp-hpa = nothing

## krokoziabla

I've tried it on three Gentoo machines.

Participants:

```
[ebuild   R    ] sys-apps/xinetd-2.3.15-r1  USE="perl tcpd -rpc" 0 kB
[ebuild   R    ] net-ftp/tftp-hpa-5.2-r1  USE="ipv6 readline tcpd (-selinux)" 0 kB
```

tftp-hpa's configuration

```
squirrel:9:0:/root# cat /etc/xinetd.d/tftp
service tftp
{
        disable         = no
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -R 4096:32767 -s /tftpboot
}
```

xinetd is running.

If I try to download a file I get no response.

```
squirrel:8:0:/root# tftp localhost
tftp> get fie
Transfer timed out.
tftp> 
```

Wireshark says the client's request is accepted by the network stack (meaning that the port is indeed being listened on) but there is no response after it.

/var/log/messages:

```
Mar 17 00:21:20 squirrel xinetd[2331]: START: tftp pid=3724 from=192.168.1.9
Mar 17 00:21:20 squirrel xinetd[3724]: FAIL: tftp address from=192.168.1.9
Mar 17 00:21:20 squirrel xinetd[2331]: EXIT: tftp status=0 pid=3724 duration=0(sec)
```

If I launch tftp-hpa as a daemon independently of xinetd it works perfectly fine.

What may be wrong?

----------

## khayyam

Vitaly ...

(wild guess) as you have the tcpd useflag set on xinetd, tcp-wrappers will be used. What is in your hosts access files? You can check the current access rules with 'tcpdchk -v' ... my guess is there are no rules allowing tftp (it would also explain why tftp works outside of xinetd).

HTH & best ... khay

----------

## krokoziabla

Yes, it is my name :)

tcpdchk hasn't reported anything wrong.

```
squirrel:4:0:/root# tcpdchk -v -i /etc/xinetd.conf
Using network configuration file: /etc/xinetd.conf
squirrel:5:0:/root#
```

There are no such files in my /etc.

You know, I have the same behaviour even on a clean setup of Gentoo.

----------

## khayyam

Vitaly ... yes, I know, it's in your sig :)

The "hosts access files" are /etc/hosts.allow and /etc/hosts.deny. The fact that 'tcpdchk -v' reports no rules means there are none defined, which will equate to "deny all".

/etc/hosts.allow

```
in.tftpd: LOCAL, .my.domain
```

... see: 'man hosts.allow'

HTH & best ... khay

----------

## krokoziabla

Indeed, the problem was in the access rules!

I made something like this to make it work:

```
echo 'in.tftpd: ALL' > /etc/hosts.allow
```

I need to learn more about the tcp-wrappers feature.

Thank you very much, khayyam!

----------

## krokoziabla

Hm, I was a little hasty.

I've also learned that xinetd has its own access control mechanism, which is influenced by the only_from and no_access options of xinetd.conf. By default the global only_from equals localhost so only "tftp localhost" session would work.

So I have overridden only_from option in my /etc/xinetd.d/tftp file to value 0. And now I can download files from other hosts.

And also I think the absence of /etc/hosts.allow and /etc/hosts.deny files results in allowing any connection on tcp-wrappers layer. From man 5 hosts_access.

```
ACCESS CONTROL FILES
       The access control software consults two files. The search stops at the first match:

       ·      Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.

       ·      Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.

       ·      Otherwise, access will be granted.

       A non-existing access control file is treated as if it were an empty file. Thus, access control can be turned off by
       providing no access control files.
```

khayyam, do I understand correctly that support of tcp-wrappers by xinetd is mainly used for painless migration from inetd?

----------
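
The search order from the quoted man page excerpt, as an added example that is not part of the original posts or of tcp-wrappers itself. It models only a subset of the pattern syntax (ALL, LOCAL, domain suffix, address prefix, exact match); the client `203.0.113.7` is constructed, and the function names are hypothetical.

```python
# Added example: simplified model of the hosts_access(5) search order.
# Pattern subset only: ALL, LOCAL, ".domain" suffix, "a.b.c." address prefix,
# exact match. No EXCEPT, netmasks, wildcards or option fields.

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines. None models a missing file,
    which the man page says is treated as an empty file."""
    rules = []
    for line in (text or "").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, host, addr):
    """host is the resolved name ('' if unresolved), addr the dotted IPv4."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # known name without a dot
        return bool(host) and "." not in host
    if pattern.startswith("."):            # domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):              # address prefix
        return addr.startswith(pattern)
    return pattern in (host, addr)

def rule_hit(rules, daemon, host, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, host, addr) for p in clients)
               for daemons, clients in rules)

def access_granted(allow_text, deny_text, daemon, host, addr):
    if rule_hit(parse_rules(allow_text), daemon, host, addr):
        return True     # 1. match in hosts.allow: granted
    if rule_hit(parse_rules(deny_text), daemon, host, addr):
        return False    # 2. match in hosts.deny: denied
    return True         # 3. no match in either file: granted

if __name__ == "__main__":
    outside = ("", "203.0.113.7")          # constructed client, unresolved name
    narrow = "in.tftpd: LOCAL, .my.domain" # rule quoted in the thread
    print(access_granted(None, None, "in.tftpd", *outside))         # True
    print(access_granted(narrow, None, "in.tftpd", *outside))       # True
    print(access_granted(narrow, "ALL: ALL", "in.tftpd", *outside)) # False
```

Under this search order a narrow hosts.allow rule restricts nothing until hosts.deny carries a catch-all such as `ALL: ALL`.
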

## khayyam

*krokoziabla wrote:*

> And also I think the absence of /etc/hosts.allow and /etc/hosts.deny files results in allowing any connection on tcp-wrappers layer.

Vitaly ... it's been some time since I used tcp-wrappers and back then hosts.allow and hosts.deny were installed with the default set to 'deny: ALL' ... anyhow, that was some time back so I could be mistaken.

*krokoziabla wrote:*

> do I understand correctly that support of tcp-wrappers by xinetd is mainly used for painless migration from inetd?

I imagine xinetd links to 'libwrap'. Previously tcp-wrappers were only used by services spawned by inetd ... with 'libwrap' this is no longer the case as services that link to the lib don't require a service daemon to acquire 'wrapper' functionality. So, xinetd isn't needed for tcp-wrappers as some networked daemons (syslog-ng, sshd, socat, and others) can do this on their own ... xinetd is just a more advanced "service daemon" intended to replace and improve inetd.

best ... khay

----------

## krokoziabla

Well, thank you khayyam. You gave me the right direction to search.

----------

