Date: Mon, 3 Jul 2006 20:25:55 +0400 (MSD)
From: Maxim Konovalov <maxim@macomnet.ru>
To: Nikolay Pavlov <quetzal@zone3000.net>
Cc: freebsd-net@freebsd.org
Subject: Re: tftpd not working when net.inet.udp.blackhole=1
Message-ID: <20060703201300.U57594@mp2.macomnet.net>
In-Reply-To: <20060703154113.GA28598@zone3000.net>
References: <20060703154113.GA28598@zone3000.net>
Hello,

On Mon, 3 Jul 2006, 18:41+0300, Nikolay Pavlov wrote:
> Hi folks.
> I have a strange problem with tftpd when using sysctl
> net.inet.udp.blackhole=1. It's not working with this variable enabled.
>
> I use tftp to upload images from my routers. Here are details of the
> problem:
>
> OS FreeBSD 6.0-RELEASE-p6
>
> root@ipstat:~/projects/route_tools# sysctl net.inet.udp.blackhole=1
> net.inet.udp.blackhole: 0 -> 1
>
> telnet@fbi8000-Border-NY#copy running-conf tftp XX.XX.48.25
> XX.XX.51.194.runcfg.new
> TFTP session timed out
> Error - can't upload running-config to TFTP server.
[...]

Nice question indeed. I spent 20 minutes trying to get wtf is going on.
There are several moments:

a) I guess you are running stock tftpd from inetd, i.e. tftpd -s /tftproot.
   In that case tftpd chroots to /tftproot.
b) tftpd wants to resolve a peer IP address, but there is no /etc/resolv.conf
   in its new root directory, so it asks 127.0.0.1 for resolving.
c) net.inet.udp.blackhole=1 forces the kernel to just drop tftpd's DNS requests.
d) From this point several timing issues start: tftpd is still trying to
   resolve the client IP address, then gives up, but by now the client has
   given up.

I see several solutions:

a) Don't use chroot. In general this is not good from a security point of view.
b) Run a named @127.0.0.1.
c) Put a valid resolv.conf into /tftpboot/etc/.
d) Don't use net.inet.udp.blackhole=1.

HTH.

-- 
Maxim Konovalov
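[Editor's note] The chroot/resolver interaction Maxim describes is easy to audit on the box itself. The script below is an added example, not code from the thread or from FreeBSD: it checks whether a tftpd chroot directory carries an etc/resolv.conf with a nameserver entry (the missing file is what makes the chrooted libc resolver fall back to 127.0.0.1:53), reports whether net.inet.udp.blackhole is set to 1 (with which a UDP query to a closed local port gets no ICMP port-unreachable and so times out instead of failing fast), and implements solution (c) by copying the host's resolv.conf into the chroot. The function names, the tftpd_chroot_ok verdict logic and the sample resolv.conf contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a tftpd chroot for the resolver problem discussed
# in the thread and apply solution (c).  Function names and the verdict
# logic are hypothetical helpers for illustration, not FreeBSD tooling.

# Return 0 if DIR/etc/resolv.conf exists and names at least one nameserver.
# Without it, libc inside the chroot sends its queries to 127.0.0.1:53.
check_chroot_resolver() {
    dir=$1
    conf="$dir/etc/resolv.conf"
    if [ ! -f "$conf" ]; then
        echo "missing $conf: resolver inside the chroot will query 127.0.0.1" >&2
        return 1
    fi
    if ! grep -q '^nameserver[[:space:]]' "$conf"; then
        echo "$conf has no nameserver line" >&2
        return 1
    fi
    return 0
}

# Solution (c): copy SRC (default /etc/resolv.conf) to DIR/etc/resolv.conf so
# the chrooted daemon reaches the real nameservers.  Needs write access to DIR.
install_chroot_resolver() {
    dir=$1
    src=${2:-/etc/resolv.conf}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dir/etc" || return 1
    cp "$src" "$dir/etc/resolv.conf" || return 1
    chmod 644 "$dir/etc/resolv.conf"
}

# Return 0 when net.inet.udp.blackhole is 1.  Returns 1 where the sysctl
# does not exist (non-FreeBSD host) or is 0.
udp_blackhole_enabled() {
    val=$(sysctl -n net.inet.udp.blackhole 2>/dev/null) || return 1
    [ "$val" = "1" ]
}

# Verdict for one chroot: 0 = fine, 1 = blackhole=1 plus a resolver-less
# chroot, i.e. the combination that produced the TFTP timeouts above.
tftpd_chroot_ok() {
    dir=$1
    if udp_blackhole_enabled && ! check_chroot_resolver "$dir"; then
        echo "$dir: chrooted tftpd + net.inet.udp.blackhole=1 => TFTP timeouts" >&2
        return 1
    fi
    return 0
}

# Usage: sh tftpd-chroot-check.sh /tftpboot
if [ $# -gt 0 ]; then
    tftpd_chroot_ok "$1"
fi
```

Run it as root against the directory given to tftpd -s; a non-zero exit means the chroot lacks a usable resolv.conf while blackhole is on, and install_chroot_resolver DIR fixes that without touching the sysctl or giving up the chroot.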