Gentoo Forums
[SOLVED]xinetd + tftp-hpa = nothing
krokoziabla
n00b


Joined: 09 May 2013
Posts: 40
Location: Russia

PostPosted: Sun Mar 16, 2014 8:28 pm    Post subject: [SOLVED]xinetd + tftp-hpa = nothing

I've tried it on three Gentoo machines.

Participants:
Code:
[ebuild   R    ] sys-apps/xinetd-2.3.15-r1  USE="perl tcpd -rpc" 0 kB
[ebuild   R    ] net-ftp/tftp-hpa-5.2-r1  USE="ipv6 readline tcpd (-selinux)" 0 kB


tftp-hpa's configuration
Code:
squirrel:9:0:/root# cat /etc/xinetd.d/tftp
service tftp
{
        disable         = no
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -R 4096:32767 -s /tftpboot
}


xinetd is running.

If I try to download a file I get no response.

Code:
squirrel:8:0:/root# tftp localhost
tftp> get fie
Transfer timed out.

tftp>


Wireshark says the client's request is accepted by the network stack (meaning that the port is indeed being listened on) but there is no response after it.

/var/log/messages:
Code:
Mar 17 00:21:20 squirrel xinetd[2331]: START: tftp pid=3724 from=192.168.1.9
Mar 17 00:21:20 squirrel xinetd[3724]: FAIL: tftp address from=192.168.1.9
Mar 17 00:21:20 squirrel xinetd[2331]: EXIT: tftp status=0 pid=3724 duration=0(sec)


If I launch tftp-hpa as a daemon independently of xinetd it works perfectly fine.

What may be wrong?
_________________
Vitaly


Last edited by krokoziabla on Mon Mar 17, 2014 7:16 am; edited 1 time in total
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Sun Mar 16, 2014 9:05 pm    Post subject:

Vitaly ...

(wild guess) as you have the tcpd useflag set on xinetd, tcp-wrappers will be used; what is in your hosts access files? You can check the current access rules with 'tcpdchk -v' ... my guess is there are no rules allowing tftp (it would also explain why tftp works outside of xinetd).

HTH & best ... khay
krokoziabla
n00b


Joined: 09 May 2013
Posts: 40
Location: Russia

PostPosted: Sun Mar 16, 2014 9:15 pm    Post subject:

Yes, it is my name :)

tcpdchk hasn't reported anything wrong.

Code:
squirrel:4:0:/root# tcpdchk -v -i /etc/xinetd.conf
Using network configuration file: /etc/xinetd.conf
squirrel:5:0:/root#


There are no such files in my /etc.

You know, I have the same behaviour even on a clean setup of Gentoo.
_________________
Vitaly
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Sun Mar 16, 2014 10:10 pm    Post subject:

Vitaly ... yes, I know, it's in your sig :)

The "hosts access files" are /etc/hosts.allow and /etc/hosts.deny. The fact that 'tcpdchk -v' reports no rules means there are none defined, which will equate to "deny all".

/etc/hosts.allow
Code:
in.tftpd: LOCAL, .my.domain

... see: 'man hosts.allow'

HTH & best ... khay
krokoziabla
n00b


Joined: 09 May 2013
Posts: 40
Location: Russia

PostPosted: Mon Mar 17, 2014 7:15 am    Post subject:

Indeed, the problem was in the access rules!

I made something like this to make it work:
Code:
echo 'in.tftpd: ALL' > /etc/hosts.allow


I need to learn more about tcp-wrappers feature.

Thank you very much, khayyam!
_________________
Vitaly
krokoziabla
n00b


Joined: 09 May 2013
Posts: 40
Location: Russia

PostPosted: Mon Mar 17, 2014 9:40 am    Post subject:

Hm, I was a little hasty.

I've also learned that xinetd has its own access control mechanism, which is controlled by the only_from and no_access options of xinetd.conf. By default the global only_from equals localhost, so only a "tftp localhost" session would work.

So I have overridden the only_from option in my /etc/xinetd.d/tftp file with the value 0. And now I can download files from other hosts.

And also I think the absence of the /etc/hosts.allow and /etc/hosts.deny files results in allowing any connection on the tcp-wrappers layer. From man 5 hosts_access:

Code:
ACCESS CONTROL FILES
       The access control software consults two files. The search stops at the first match:

       ·      Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.

       ·      Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.

       ·      Otherwise, access will be granted.

       A  non-existing  access  control file is treated as if it were an empty file. Thus, access control can be turned off by
       providing no access control files.


khayyam, do I understand correctly that support of tcp-wrappers by xinetd is mainly used for painless migration from inetd?
_________________
Vitaly
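To make the hosts_access(5) search order quoted above concrete, here is an added example (not code from this thread, and not libwrap itself) that models the three rules and the "missing file is an empty file" case against a constructed hosts.allow/hosts.deny pair. It only knows the ALL, LOCAL, leading-dot domain and trailing-dot network patterns; EXCEPT, netgroups and xinetd's own only_from layer are not modelled.

```python
from typing import List, Optional, Tuple

# Constructed sample access files (not the poster's real /etc). None stands
# for a non-existing file, which hosts_access(5) treats as an empty file.
HOSTS_ALLOW = "in.tftpd: LOCAL, .my.domain\n"
HOSTS_DENY = "ALL: ALL   # everything not matched in hosts.allow\n"


def parse_rules(text: Optional[str]) -> List[Tuple[List[str], List[str]]]:
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs.
    EXCEPT, netgroups and shell commands from the full syntax are not modelled."""
    rules = []
    for line in (text or "").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",") if d.strip()],
                      [c.strip() for c in clients.split(",") if c.strip()]))
    return rules


def client_matches(pattern: str, client: str) -> bool:
    """Subset of hosts_access(5) client patterns. `client` is the host name,
    or the bare address when reverse lookup fails (then LOCAL cannot match)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # any host name without a dot
        return "." not in client
    if pattern.startswith("."):       # domain suffix, e.g. .my.domain
        return client.endswith(pattern)
    if pattern.endswith("."):         # network prefix, e.g. 192.168.1.
        return client.startswith(pattern)
    return pattern == client          # exact host name or address


def rule_matches(rules, daemon: str, client: str) -> bool:
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(c, client) for c in clients)
               for daemons, clients in rules)


def access_granted(daemon: str, client: str,
                   allow: Optional[str], deny: Optional[str]) -> bool:
    """Search order quoted from the man page: a hosts.allow match grants,
    otherwise a hosts.deny match refuses, otherwise access is granted."""
    if rule_matches(parse_rules(allow), daemon, client):
        return True
    if rule_matches(parse_rules(deny), daemon, client):
        return False
    return True                       # no match anywhere (or no files) = allow
```

With the constructed files, a client seen only as 192.168.1.9 (no reverse name) matches neither LOCAL nor .my.domain and is refused by the deny rule, while with no files at all, or with the 'in.tftpd: ALL' line from the fix above, it is allowed.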
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Mon Mar 17, 2014 12:46 pm    Post subject:

krokoziabla wrote:
And also I think the absence of /etc/hosts.allow and /etc/hosts.deny files results in allowing any connection on tcp-wrappers layer.

Vitaly ... it's been some time since I used tcp-wrappers and back then hosts.allow and hosts.deny were installed with the default set to 'deny: ALL' ... anyhow, that was some time back so I could be mistaken.

krokoziabla wrote:
do I understand correctly that support of tcp-wrappers by xinetd is mainly used for painless migration from inetd?

I imagine xinetd links to 'libwrap'. Previously tcp-wrappers were only used by services spawned by inetd ... with 'libwrap' this is no longer the case, as services that link to the lib don't require a service daemon to acquire 'wrapper' functionality. So, xinetd isn't needed for tcp-wrappers as some networked daemons (syslog-ng, sshd, socat, and others) can do this on their own ... xinetd is just a more advanced "service daemon" intended to replace and improve inetd.

best ... khay
krokoziabla
n00b


Joined: 09 May 2013
Posts: 40
Location: Russia

PostPosted: Mon Mar 17, 2014 12:50 pm    Post subject:

Well, thank you khayyam. You gave me the right direction to search.
_________________
Vitaly
All times are GMT