From: Nikolay Pavlov
To: Maxim Konovalov
Cc: freebsd-net@freebsd.org
Date: Mon, 3 Jul 2006 19:55:35 +0300
Subject: Re: tftpd not working when net.inet.udp.blackhole=1
Message-ID: <20060703165535.GB42198@zone3000.net>
In-Reply-To: <20060703201300.U57594@mp2.macomnet.net>

On Monday, 3 July 2006 at 20:25:55 +0400, Maxim Konovalov wrote:
> Hello,
>
> On Mon, 3 Jul 2006, 18:41+0300, Nikolay Pavlov wrote:
>
> > Hi folks.
> > I have a strange problem with tftpd when using sysctl
> > net.inet.udp.blackhole=1. It's not working with this variable enabled.
> >
> > I use tftp to upload images from my routers. Here are the details of
> > the problem:
> >
> > OS FreeBSD 6.0-RELEASE-p6
> >
> > root@ipstat:~/projects/route_tools# sysctl net.inet.udp.blackhole=1
> > net.inet.udp.blackhole: 0 -> 1
> >
> > telnet@fbi8000-Border-NY#copy running-conf tftp XX.XX.48.25 XX.XX.51.194.runcfg.new
> > TFTP session timed out
> > Error - can't upload running-config to TFTP server.
> [...]
>
> Nice question indeed. I spent 20 minutes trying to get wtf is going
> on. There are several moments:
>
> a) I guess you are running stock tftpd from inetd, i.e. tftpd -s
> /tftproot. In that case tftpd chroots to /tftproot.
>
> b) tftpd wants to resolve a peer IP address, but there is no
> /etc/resolv.conf in its new root directory, so it asks 127.0.0.1 to
> resolve it.
>
> c) net.inet.udp.blackhole=1 forces the kernel to just drop tftpd's DNS
> requests.
>
> d) From this point several timing issues start: tftpd is still trying
> to resolve the client IP address, then gives up, but by now the client
> has given up.
>
> I see several solutions:
>
> a) Don't use chroot. In general this is not good from a security point
> of view.
>
> b) Run a named @127.0.0.1.
>
> c) Put a valid resolv.conf in /tftpboot/etc/.
>
> d) Don't use net.inet.udp.blackhole=1.
>
> HTH.
>
> --
> Maxim Konovalov

Hi Maxim. Thanks for the quick answer. Named running on the local interface fixed this issue.

--
=========================================================================
= Best regards, Nikolay Pavlov.          <<<------------------------------------ =
=========================================================================
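A preflight check for the chroot scenario Maxim describes, added here as an example and not part of the thread: given a chroot directory and the current net.inet.udp.blackhole value, it reports whether the resolver inside that chroot has a usable resolv.conf or will fall back to 127.0.0.1 and, with blackhole=1, hang until timeout. It applies to any daemon run chrooted, not only tftpd; the function name and return codes are my own.

```sh
#!/bin/sh
# Added example (not from the thread). Checks a daemon's chroot for the
# resolver configuration that tftpd -s was missing in the reported case.
#
# check_chroot_resolv ROOT BLACKHOLE
#   ROOT      chroot directory handed to the daemon (e.g. /tftpboot)
#   BLACKHOLE current value of net.inet.udp.blackhole (0 or 1); passed in so
#             the check runs anywhere (on FreeBSD: sysctl -n net.inet.udp.blackhole)
# Returns 0 = ok, 1 = will fail/hang, 2 = works only by accident.
check_chroot_resolv() {
    root=$1
    blackhole=$2
    conf="$root/etc/resolv.conf"

    if [ ! -f "$conf" ]; then
        # No resolv.conf inside the chroot: libc asks 127.0.0.1:53.
        if [ "$blackhole" = 1 ]; then
            # Nothing listens there and blackhole suppresses the ICMP port
            # unreachable, so every lookup waits out the resolver timeout.
            echo "FAIL: $conf missing; lookups go to 127.0.0.1 and udp.blackhole=1 turns them into silent timeouts"
            return 1
        fi
        # With blackhole=0 the kernel answers with ICMP unreachable, the
        # resolver fails fast and the daemon proceeds; still misconfigured.
        echo "WARN: $conf missing; lookups to 127.0.0.1 fail fast only while udp.blackhole=0"
        return 2
    fi

    # Collect nameserver addresses, skipping comment lines.
    ns=$(grep -v '^[[:space:]]*#' "$conf" | awk '$1 == "nameserver" { print $2 }')
    if [ -z "$ns" ]; then
        echo "FAIL: $conf has no nameserver entries"
        return 1
    fi
    echo "OK: $conf lists nameserver(s):" $ns
    return 0
}
```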