Re: TFTP, NAT
From: Aditya Ivaturi (aivaturi_at_aijalon.net)
Date: 10/13/04
- In reply to: Vicky: "TFTP, NAT"
Date: Wed, 13 Oct 2004 19:27:37 GMT
> Is it possible to get TFTPd working through NAT?
> If yes, how to do this?
With NAT yes, but behind a firewall, you have to have a very good reason.
> In other words, he claims that a NAT entry for UDP *by design* can only
> accommodate return packets from the specific IP/port combination that
> was the destination of the UDP packet that caused the entry to be created.
> This clearly breaks TFTP, which specifies that responses from the server
> come from a separate socket with a unique TID (port) for the ``session''.
Your sysadmin is right. Sysadmins (me included) are generally not too happy
to allow a connectionless protocol which uses UDP, like TFTP. A TCP-based
protocol such as FTP going through a firewall is much more agreeable. Just
allowing UDP port 69 does not work; the destination port will change after
the first packet is sent.
> Is this truly how NAT is intended to work with UDP? Or is our Cisco
> router just mis-configured in some subtle way?
One solution might be to try "secure tunneling" (I have not tried it). I
don't know how much of it is supported in your router.
--Turi
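
The port change discussed in this thread, as an added simulation that is not part of the original message: a toy UDP NAT receives the first DATA block of a TFTP read, once with replies matched on remote IP and port and once on remote IP only. The second mode goes beyond the case in the thread; all addresses, ports, the file name and the names UdpNat, tftp_server and first_data_block_delivered are constructed for illustration.

```python
import struct

RRQ, DATA = 1, 3                                   # TFTP opcodes (RFC 1350)
CLIENT = ("192.168.1.10", 3456)                    # constructed inside host and client TID
SERVER_IP, NAT_IP = "198.51.100.7", "203.0.113.1"  # constructed documentation addresses

def tftp_server(payload, tid=51234):
    """Answer an RRQ as TFTP specifies: DATA block 1 sent from a fresh TID, not port 69."""
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != RRQ:
        raise ValueError("only RRQ is handled in this sketch")
    return (SERVER_IP, tid), struct.pack("!HH", DATA, 1) + b"x" * 512

class UdpNat:
    """Toy NAT. filtering='port': a reply must come from the exact remote IP and port.
    filtering='address': any source port on the remote IP is accepted."""
    def __init__(self, filtering):
        self.filtering, self.table, self.next_port = filtering, {}, 40000

    def outbound(self, src, dst):
        """Create a mapping for an inside-to-outside datagram; return the public source."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (src, dst)
        return (NAT_IP, port)

    def inbound(self, src, dst_port):
        """Return the inside endpoint to forward to, or None when the datagram is dropped."""
        if dst_port not in self.table:
            return None
        inside, remote = self.table[dst_port]
        if self.filtering == "port":
            allowed = src == remote
        else:
            allowed = src[0] == remote[0]
        return inside if allowed else None

def first_data_block_delivered(filtering):
    """Send an RRQ to port 69 through the NAT and try to pass the first DATA block back."""
    nat = UdpNat(filtering)
    rrq = struct.pack("!H", RRQ) + b"boot.img\0octet\0"
    public = nat.outbound(CLIENT, (SERVER_IP, 69))
    reply_src, _data = tftp_server(rrq)
    return nat.inbound(reply_src, public[1]) == CLIENT

if __name__ == "__main__":
    for mode in ("port", "address"):
        print(mode, "->", "delivered" if first_data_block_delivered(mode) else "dropped")
```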