[Dnsmasq-discuss] Single-port mode for TFTP

Kurt H Maier khm at sciops.net
Tue Dec 31 17:33:59 GMT 2019


On Tue, Dec 31, 2019 at 09:36:58AM +0100, kvaps wrote:
> 
> Of course you can use hostNetwork=true, but it is less secure and not
> redundant.

You can also use pipework or just correctly configure your firewall
rules.  Either load the conntrack modules for tftp and nat, or use
additional software to mark the traffic and configure the host system to
permit the marked packets through.

Not sure what you mean about less secure, but redundancy is easy to
achieve with tftp, since it's all udp and you can have more than one
service on hand.  IP migration doesn't do you much good in this case
anyway.


> The packets are always sent to the client-specific port. There are no put
> requests.
> What is actually broken? Example tcpdump:

The TID in the tftp packets is supposed to match the port it's sending
on.  This is how well-behaving tftp software can verify it's receiving
the correct packets.  The single-port stuff breaks down when, e.g.,
you're booting 1500 computers from a given tftpd.

It's always easier to write new code than to learn the existing tools.
It's just not a sustainable practice, especially when you're violating
standards in the process.

khm
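The transfer-ID rule khm describes above (the server answers a request from a fresh port, and each side then accepts packets only from the peer port it learned), as an added example that is not part of this thread and not dnsmasq code. It is a toy TFTP server and client over loopback in Python: the listening socket binds an ephemeral port as a stand-in for UDP/69, the file name and contents are constructed, the "interloper" that forges a DATA packet from a different port is constructed to exercise the rejection path, and the `single_port` flag merely mimics a server that keeps replying from its well-known port; it is not dnsmasq's own --tftp-single-port implementation.

```python
"""Minimal TFTP read (RRQ) over loopback with RFC 1350 transfer-ID checks."""
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512
HOST = "127.0.0.1"

# Constructed sample file: 1280 bytes, i.e. DATA blocks of 512, 512 and 256;
# the short final block terminates the transfer.
FILES = {"pxelinux.0": bytes(range(256)) * 5}


def rrq(name, mode="octet"):
    return struct.pack("!H", OP_RRQ) + name.encode() + b"\0" + mode.encode() + b"\0"


def data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def ack(block):
    return struct.pack("!HH", OP_ACK, block)


def tid_error(msg="Unknown transfer ID"):
    return struct.pack("!HH", OP_ERROR, 5) + msg.encode() + b"\0"  # error code 5, RFC 1350


def serve_one(listen_sock, single_port=False):
    """Answer one RRQ.  Normal mode: send DATA from a fresh ephemeral port, which
    becomes this transfer's server TID.  single_port=True mimics a server that
    keeps replying from the well-known port instead (toy behaviour, not dnsmasq's)."""
    pkt, client = listen_sock.recvfrom(1500)
    assert struct.unpack("!H", pkt[:2])[0] == OP_RRQ
    content = FILES[pkt[2:].split(b"\0")[0].decode()]
    xfer = listen_sock
    if not single_port:
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        xfer.bind((HOST, 0))  # the new port is the server-side TID
        xfer.settimeout(2)
    block, offset = 1, 0
    while True:
        chunk = content[offset:offset + BLOCK]
        xfer.sendto(data(block, chunk), client)
        reply, src = xfer.recvfrom(1500)
        if src != client:  # ACK from a foreign TID: reject it and retransmit
            xfer.sendto(tid_error(), src)
            continue
        op, blk = struct.unpack("!HH", reply[:4])
        if op == OP_ACK and blk == block:
            if len(chunk) < BLOCK:
                break
            block, offset = block + 1, offset + BLOCK
    if xfer is not listen_sock:
        xfer.close()


def fetch(name, server_port, inject_spoof=False):
    """Client side: learn the server TID from the first DATA packet and accept
    nothing from any other source port afterwards.  inject_spoof=True forges a
    DATA block 2 from an unrelated port (constructed interloper) before ACKing
    block 1, so the forged packet is queued ahead of the genuine block 2."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((HOST, 0))  # the client's own port is its TID
    s.settimeout(2)
    s.sendto(rrq(name), (HOST, server_port))
    server_tid, expect, out, rejected = None, 1, bytearray(), 0
    while True:
        pkt, src = s.recvfrom(1500)
        op, blk = struct.unpack("!HH", pkt[:4])
        if server_tid is None and op == OP_DATA:
            server_tid = src
        if src != server_tid:
            rejected += 1
            s.sendto(tid_error(), src)  # RFC 1350: error, but do not abort the transfer
            continue
        if op == OP_ERROR:
            raise RuntimeError(pkt[4:].rstrip(b"\0").decode())
        if op == OP_DATA and blk == expect:
            out += pkt[4:]
            if blk == 1 and inject_spoof:
                bogus = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                bogus.sendto(data(2, b"\xff" * BLOCK), s.getsockname())
                bogus.close()
            s.sendto(ack(blk), server_tid)
            expect += 1
            if len(pkt) - 4 < BLOCK:
                break
        elif op == OP_DATA and blk < expect:
            s.sendto(ack(blk), server_tid)  # duplicate block: re-ACK it
    s.close()
    return bytes(out), server_tid[1], rejected


def run_demo(single_port=False):
    """Returns (file intact, server TID == well-known port, forged packets rejected)."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind((HOST, 0))  # stand-in for UDP/69
    listen.settimeout(5)
    server_port = listen.getsockname()[1]
    t = threading.Thread(target=serve_one, args=(listen, single_port), daemon=True)
    t.start()
    content, tid, rejected = fetch("pxelinux.0", server_port, inject_spoof=True)
    t.join(5)
    listen.close()
    return content == FILES["pxelinux.0"], tid == server_port, rejected


if __name__ == "__main__":
    print("ephemeral TID:", run_demo(False))
    print("single port:  ", run_demo(True))
```

In both modes the client recovers the file and drops the forged block, because it keys on the source port of the first DATA packet rather than on the well-known port. What changes is only whether that learned TID is the well-known port or a per-transfer one; a firewall or NAT in the path sees the same difference, which is why the thread's conntrack helper and marking suggestions matter for the ephemeral-port case.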


