Firewall Wizards mailing list archives

Re: [FW1] Scary traffic - long


From: Hendrik Visage <hendrik () sdn co za>
Date: Mon, 21 Dec 1998 18:56:21 +0200

roger nebel wrote:

RFC 1350 (ftp://ftp.isi.edu/in-notes/rfc1350.txt) mentions nothing about
broadcast, perhaps that's a local implementation deviation by
someone... I'd be interested in how / where you've seen that use.

AFAIK: Sun machines make use of a broadcast to get the boot image:
Procedure:
 1) get IP address with RARP
 2) send out broadcast tftp get image
 3) bootparamd for root, install server and other info
 4) mount root and continue

I'm speaking under correction, but I think I've seen the Xyplex terminal servers also
ask for the image and parameters via broadcast (at that stage not much info
except the IP address, old BOOTP).

Now the test (Solaris 2.6):

# tftp
tftp> get 255.255.255.255:abcdef.prm
Received 4703 bytes in 0.1 seconds

Now the interesting part:
===================
# snoop myne|egrep -v "RLOGIN|RSTAT|TCP|RPC|NIS|NFS|NTP"
Using device /dev/hme (promiscuous mode)
        myne -> BROADCAST    TFTP Read "abcdef.prm" (netascii)
     mainman -> myne         TFTP Data block 1 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 1
     mainman -> myne         TFTP Data block 2 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 2
     mainman -> myne         TFTP Data block 3 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 3
     mainman -> myne         TFTP Data block 4 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 4
     mainman -> myne         TFTP Data block 5 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 5
     mainman -> myne         TFTP Data block 6 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 6
     mainman -> myne         TFTP Data block 7 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 7
     mainman -> myne         TFTP Data block 8 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 8
     mainman -> myne         TFTP Data block 9 (512 bytes)
        myne -> BROADCAST    TFTP Ack  block 9
     mainman -> myne         TFTP Data block 10 (95 bytes) (last block)
        myne -> BROADCAST    TFTP Ack  block 10


Hendrik Visage wrote:

AFAIK: Unfortunately, tftp DOES have a broadcast "option", but it should be used only in a LAN
context: it sends out the broadcast, then all the tftp servers check whether they
have the requested file, and reply if they DO have the file.

tftp is also "dangerous" in the sense that it's UDP, sent out to a port, and the
server sends out via another port. It's not all that easy to have stateful inspection
code for tftp, and FW-1 doesn't handle it as "nicely" as "standard" ftp :((
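
Added illustration, not part of the original message and not FW-1 code: a toy Python state tracker showing why a filter keyed on the request's address/port pair drops the first TFTP DATA packet, and why a broadcast read request leaves it unable to pin the server address in advance. The addresses, ports and names (TftpTracker, replay) are constructed, and the ACK's destination port is assumed to be the server's TID.

```python
TFTP_PORT, BROADCAST = 69, "255.255.255.255"
RRQ, DATA, ACK = 1, 3, 4          # RFC 1350 opcodes

class TftpTracker:
    """Toy stateful filter: inside hosts may send, outside may only answer."""
    def __init__(self, tftp_aware):
        self.tftp_aware = tftp_aware
        self.flows = set()        # (client, cport, peer, pport) seen outbound
        self.expected = {}        # (client, cport) -> server IP, None = any host

    def outbound(self, src, sport, dst, dport, opcode):
        if self.tftp_aware and dport == TFTP_PORT and opcode == RRQ:
            # The first DATA comes from a new server port (its TID), not 69.
            # A broadcast RRQ also leaves the server address unknown.
            self.expected[(src, sport)] = None if dst == BROADCAST else dst
        self.flows.add((src, sport, dst, dport))
        return "pass"

    def inbound(self, src, sport, dst, dport, opcode):
        if (dst, dport, src, sport) in self.flows:
            return "pass"         # exact reverse of something sent out
        key = (dst, dport)
        if opcode == DATA and key in self.expected and self.expected[key] in (None, src):
            del self.expected[key]               # one-shot: pin to this TID
            self.flows.add((dst, dport, src, sport))
            return "pass"
        return "drop"

def replay(tracker, packets):
    """Feed (direction, src, sport, dst, dport, opcode) tuples to the tracker.
    Stops after the first drop, since the transfer would stall there."""
    verdicts = []
    for direction, *pkt in packets:
        verdicts.append(getattr(tracker, direction)(*pkt))
        if verdicts[-1] == "drop":
            break
    return verdicts

# Constructed sample traffic (documentation addresses, made-up ports).
C, S, OTHER = "192.0.2.10", "192.0.2.20", "192.0.2.66"
UNICAST = [("outbound", C, 32800, S, 69, RRQ),
           ("inbound", S, 40001, C, 32800, DATA),
           ("outbound", C, 32800, S, 40001, ACK),
           ("inbound", S, 40001, C, 32800, DATA)]
BCAST = [("outbound", C, 32801, BROADCAST, 69, RRQ),
         ("inbound", S, 40002, C, 32801, DATA),
         ("outbound", C, 32801, BROADCAST, 40002, ACK),   # ACK to broadcast, as in the snoop trace
         ("inbound", S, 40002, C, 32801, DATA),
         ("inbound", OTHER, 40003, C, 32801, DATA)]
```

Replaying UNICAST through `TftpTracker(False)` stalls at the first DATA packet, while `TftpTracker(True)` passes the transfer; for BCAST the aware tracker has to accept the first responder whatever its address and only then pins the flow.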



