I have an embedded Blackfin Linux board (Blackfin Forum) to which I can download an image by TFTP from my Suse 10.1 server when everything is on the same subnet (192.168.0.1).
However I want to put this board on a DMZ zone which is on subnet 192.168.1.1.
I have set up the blackfin board as follows:
serverip 192.168.0.3 (this is the IP of my Suse server)
gatewayip 192.168.1.1 (card in smoothwall router)
ipaddr 192.168.1.2
I see the request come into the server but it is ignored and the log files say something about being an orphan request?
Some of these details I have forgotten as I have worked on this off and on again over the last six months.
I realize that Suse (IP 192.168.0.3) is getting this TFTP request from a different subnet (IP 192.168.1.2) and is dropping it.
I am also running the firewall on Suse (although it would not work even with the firewall off).
My question is, how do I set up the firewall to accept this blackfin request and load the TFTP image?
To me this is a very basic question that is done all the time but I cannot figure out how to do it. I find the YaST settings confusing and searching on the web over the months has not cleared up the confusion.
TFTP is UDP-based. I think the port forwarding in Smoothwall (and similar routers) is designed to cater for TCP. You may have to write a couple of custom rules to add to Smoothwall. Can you dump the Smoothwall rules and locate the forwarding rule you put in to see if it specifies TCP or UDP?
I have a very hard time understanding iptables and in this case I am setting them up through the smoothwall web interface (this is how it is meant to be used).
Using the Smoothwall lingo, I believe I have set up “pinholes” from the DMZ network card to my internal card and looking at iptables.txt I think this is it:
Chain dmzholes (1 references)
target     prot opt source          destination
ACCEPT     tcp  --  192.168.1.2     192.168.0.3     state NEW tcp dpt:tftp
ACCEPT     udp  --  192.168.1.2     192.168.0.3     state NEW udp dpt:tftp
Looking at this you can see that I opened up both a UDP and TCP since I really am not sure what I am doing.
Shouldn’t need TCP but doesn’t hurt. I’m not sure how NEW interacts with UDP since there is no concept of a pipe in UDP, although you can track a connection. Anyway you can only give it a shot. If the web interface isn’t powerful enough you may have to insert some rules by hand. Also you might ask the Smoothwall forum whether the web interface can be used to create a UDP pinhole. (I don’t use Smoothwall, although I have in the past.)
I think I have learned something. If I plug the Linux Blackfin board (192.168.1.2) into my internal LAN (192.168.0.1) where my Suse server is (192.168.0.3) running the TFTP server, then it will load my Blackfin board with a Linux image.
And I see that being recorded in /var/log/xinetd.log.
So, to me that means the Suse server is doing what it should be doing and so the problem must be in the Smoothwall which I need to investigate further.
You could insert a rule to accept all port 69 packets (in both directions) into the pinhole table (no NEW, etc.) and see if that works. Unfortunately you will have to use the iptables CLI command to do this.
IPCop is derived from Smoothwall so it should be similar. I think the key module to load is the conntrack_tftp module, since NAT is not involved in going from green to orange DMZ.
Yes, a quick check of IPCop shows that the conntrack_tftp module does exist in netfilter, so you should load it, otherwise the firewall will not be able to let subsequent packets through after the NEW packet has been allowed through.
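The reason the TFTP helper matters, shown as an added toy model (not code from this thread or from Smoothwall/IPCop): the pinhole only tracks the client's request to port 69, but the server answers from a freshly chosen port, so without a helper that expects the reply the DATA packet matches no tracked flow. The addresses, ports and the TFTP read request below are constructed sample values.

```python
import struct

TFTP_PORT = 69
SERVER = "192.168.0.3"   # Suse TFTP server (green side)
CLIENT = "192.168.1.2"   # Blackfin board in the DMZ (orange side)

def parse_rrq(payload):
    """Parse a TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != 1:
        return None
    parts = payload[2:].split(b"\0")
    if len(parts) < 2:
        return None
    return parts[0].decode(), parts[1].decode().lower()

class Firewall:
    """Toy netfilter state table: flows keyed on the full UDP 4-tuple,
    plus the 'expectations' a TFTP helper adds when it sees a request."""
    def __init__(self, tftp_helper):
        self.helper = tftp_helper
        self.flows = set()      # (src, sport, dst, dport) seen and allowed
        self.expected = set()   # (client, port) a server reply may target

    def accept(self, src, sport, dst, dport, payload=b""):
        # The thread's pinhole: NEW udp client -> server, dport tftp
        if (src, dst, dport) == (CLIENT, SERVER, TFTP_PORT):
            self.flows.add((src, sport, dst, dport))
            if self.helper and parse_rrq(payload):
                self.expected.add((src, sport))   # any server port may answer
            return True
        if (dst, dport, src, sport) in self.flows:   # ESTABLISHED (reverse)
            return True
        # RELATED: helper expectation, server replies from a new port
        if src == SERVER and (dst, dport) in self.expected:
            self.flows.add((src, sport, dst, dport))
            self.expected.discard((dst, dport))
            return True
        return False

RRQ = b"\x00\x01" + b"uImage\0" + b"octet\0"    # constructed read request

def simulate(helper):
    """Verdicts for request, first DATA block from a new server port, ACK."""
    fw = Firewall(helper)
    v = [fw.accept(CLIENT, 2048, SERVER, TFTP_PORT, RRQ)]
    v.append(fw.accept(SERVER, 41234, CLIENT, 2048, b"\x00\x03\x00\x01" + b"x" * 512))
    v.append(fw.accept(CLIENT, 2048, SERVER, 41234, b"\x00\x04\x00\x01"))
    return v
```

Without the helper the model returns [True, False, False], which is the symptom in this thread: the request is logged on the server but the transfer never proceeds; with the helper all three packets pass.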