tftpd not working when net.inet.udp.blackhole=1

Nikolay Pavlov quetzal at zone3000.net
Mon Jul 3 16:56:03 UTC 2006


On Monday,  3 July 2006 at 20:25:55 +0400, Maxim Konovalov wrote:
> Hello,
> 
> On Mon, 3 Jul 2006, 18:41+0300, Nikolay Pavlov wrote:
> 
> > Hi folks.
> > I have a strange problem with tftpd when using sysctl
> > net.inet.udp.blackhole=1. It's not working with this variable enabled.
> >
> > I use tftp to upload images from my routers. Here are the details of the
> > problem:
> >
> > OS FreeBSD 6.0-RELEASE-p6
> >
> > root at ipstat:~/projects/route_tools# sysctl net.inet.udp.blackhole=1
> > net.inet.udp.blackhole: 0 -> 1
> >
> > telnet at fbi8000-Border-NY#copy running-conf tftp XX.XX.48.25
> > XX.XX.51.194.runcfg.new
> > TFTP session timed out
> > Error - can't upload running-config to TFTP server.
> [...]
> 
> Nice question indeed.  I spent 20 minutes trying to get wtf is going
> on.  There are several moments:
> 
> a) I guess you are running stock tftpd from inetd i.e. tftpd -s
> /tftproot.  In that case tftpd chroots to /tftproot.
> 
> b) tftpd wants to resolve a peer ip address but there is no
> /etc/resolv.conf in its new root directory so it asks 127.0.0.1 for
> resolve.
> 
> c) net.inet.udp.blackhole=1 forces the kernel to just drop tftpd DNS
> requests.
> 
> d) From this point several timing issues start: tftpd is still trying to
> resolve a client ip address, then gives up but now client gives up.
> 
> I see several solutions:
> 
> a) Don't use chroot.  In general this is not good from a security point
> of view.
> 
> b) Run a named @127.0.0.1.
> 
> c) Put a valid resolv.conf to /tftpboot/etc/.
> 
> d) Don't use net.inet.udp.blackhole=1.
> 
> HTH.
> 
> -- 
> Maxim Konovalov

Hi Maxim. Thanks for the quick answer.
Named running on local interface fixed this issue.


-- 
========================================================================= 
= Best regards, Nikolay Pavlov. <<<------------------------------------ = 
========================================================================= 
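
Added example (not part of either message): a shell check for the combination diagnosed above, namely a chroot without a usable resolv.conf, nothing answering DNS on 127.0.0.1, and net.inet.udp.blackhole enabled. The function names and the TFTPD_ROOT variable are made up for this sketch, and the sockstat output pattern it greps for is an assumption.

```sh
#!/bin/sh
# Added example; chroot_nameservers, diagnose and TFTPD_ROOT are hypothetical names.

# Print the resolvers a process chrooted into ROOT would use. Without a usable
# ROOT/etc/resolv.conf the resolver asks 127.0.0.1, as the reply explains.
chroot_nameservers() {
    conf="$1/etc/resolv.conf"
    found=""
    if [ -r "$conf" ]; then
        found=$(awk '$1 == "nameserver" && $2 != "" { print $2 }' "$conf")
    fi
    if [ -n "$found" ]; then echo "$found"; else echo "127.0.0.1"; fi
}

# diagnose ROOT BLACKHOLE LOCAL_DNS
#   BLACKHOLE: value of net.inet.udp.blackhole
#   LOCAL_DNS: "yes" if a name server listens on 127.0.0.1:53
# Returns 1 for the broken combination from the thread, 0 otherwise.
diagnose() {
    root=$1 blackhole=$2 local_dns=$3
    for ns in $(chroot_nameservers "$root"); do
        case $ns in
            127.*|::1) ;;  # loopback resolver, judged below
            # Assumption: a non-loopback resolver is reachable from this host.
            *) echo "ok: chroot resolv.conf names $ns"; return 0 ;;
        esac
    done
    if [ "$local_dns" = yes ]; then
        echo "ok: a local name server answers on loopback"; return 0
    fi
    if [ "$blackhole" -ge 1 ]; then
        echo "broken: lookups go to loopback, nothing listens, blackhole drops them"
        return 1
    fi
    echo "ok: net.inet.udp.blackhole is 0"
    return 0
}

# Live check on the FreeBSD host, run only when TFTPD_ROOT is set.
if [ -n "${TFTPD_ROOT:-}" ]; then
    bh=$(sysctl -n net.inet.udp.blackhole)
    # Assumption: sockstat shows UDP listeners as udp4 ... 127.0.0.1:53 or *:53.
    if sockstat -4 -l -p 53 | grep -Eq 'udp4.*(127\.0\.0\.1|\*):53'; then
        dns=yes
    else
        dns=no
    fi
    diagnose "$TFTPD_ROOT" "$bh" "$dns"
fi
```

Run it with TFTPD_ROOT set to the directory given to tftpd -s; a non-zero exit status means the setup matches the failure described in the thread.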

