Firewall Wizards mailing list archives
Re: [FW1] Scary traffic - long
From: Hendrik Visage <hendrik () sdn co za>
Date: Mon, 21 Dec 1998 18:56:21 +0200
roger nebel wrote:
RFC 1350 (ftp://ftp.isi.edu/in-notes/rfc1350.txt) mentions nothing about broadcast, perhaps that's a local implementation deviation by someone... I'd be interested in how / where you've seen that use.
AFAIK: Sun machines make use of a broadcast to get the boot image:

Procedure:
1) get IP address with RARP
2) send out broadcast tftp get image
3) bootparamd for root, install server and other info
4) mount root and continue

I'm speaking under correction, but I think I've seen the Xyplex terminal servers also having asked for the image and parameters via broadcast (At that stage not much info except IP address, old BOOTP)

Now the test (Solaris 2.6):

    # tftp
    tftp> get 255.255.255.255:abcdef.prm
    Received 4703 bytes in 0.1 seconds

Now the interesting part:
===================

    # snoop myne|egrep -v "RLOGIN|RSTAT|TCP|RPC|NIS|NFS|NTP"
    Using device /dev/hme (promiscuous mode)
    myne -> BROADCAST TFTP Read "abcdef.prm" (netascii)
    mainman -> myne TFTP Data block 1 (512 bytes)
    myne -> BROADCAST TFTP Ack block 1
    mainman -> myne TFTP Data block 2 (512 bytes)
    myne -> BROADCAST TFTP Ack block 2
    mainman -> myne TFTP Data block 3 (512 bytes)
    myne -> BROADCAST TFTP Ack block 3
    mainman -> myne TFTP Data block 4 (512 bytes)
    myne -> BROADCAST TFTP Ack block 4
    mainman -> myne TFTP Data block 5 (512 bytes)
    myne -> BROADCAST TFTP Ack block 5
    mainman -> myne TFTP Data block 6 (512 bytes)
    myne -> BROADCAST TFTP Ack block 6
    mainman -> myne TFTP Data block 7 (512 bytes)
    myne -> BROADCAST TFTP Ack block 7
    mainman -> myne TFTP Data block 8 (512 bytes)
    myne -> BROADCAST TFTP Ack block 8
    mainman -> myne TFTP Data block 9 (512 bytes)
    myne -> BROADCAST TFTP Ack block 9
    mainman -> myne TFTP Data block 10 (95 bytes) (last block)
    myne -> BROADCAST TFTP Ack block 10
Hendrik Visage wrote:
AFAIK: Unfortunately, tftp DOES have a broadcast "option", but it should be only in LAN context: it sends out the broadcast, and then all the tftp servers will check if they have the requested file, and then reply if they DO have the file. tftp is also "dangerous" in the sense that it's UDP, sent out to a port, and the server sends out via another port. Not all that easy to have stateful inspection code for tftp, and FW-1 doesn't handle it as "nicely" as "standard" ftp :((
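
The stateful-inspection difficulty described in this message, as an added example that is not part of the original post and not FW-1's logic: a small Python tracker for TFTP reads that opens a pinhole on the request to port 69, pins the first server address and port that answers with block 1, and closes the pinhole on the final ACK. The class name, addresses, ports and the first-responder policy are assumptions; ACKs are accepted to the pinned server or to broadcast (as in the snoop trace) and are assumed to go to the server's reply port as RFC 1350 specifies.

```python
import struct

TFTP_PORT, RRQ, DATA, ACK = 69, 1, 3, 4   # RFC 1350 port and opcodes
BROADCAST = "255.255.255.255"

class TftpReadTracker:
    """Hypothetical stateful filter for TFTP reads (not FW-1's logic)."""
    def __init__(self):
        self.flows = {}   # (client_ip, client_port) -> state dict

    def inspect(self, src, sport, dst, dport, payload):
        """Return True if this UDP datagram fits the tracked state."""
        if len(payload) < 4:
            return False
        opcode, block = struct.unpack("!HH", payload[:4])
        if opcode == RRQ and dport == TFTP_PORT:
            # Server port is unknown; after a broadcast its address is too.
            self.flows[(src, sport)] = {"server": None if dst == BROADCAST else dst,
                                        "sport": None, "next": 1, "last": False}
            return True
        if opcode == DATA:
            flow = self.flows.get((dst, dport))
            if flow is None:
                return False                       # unsolicited data
            if flow["sport"] is None and block == 1 and flow["server"] in (None, src):
                flow["server"], flow["sport"] = src, sport   # pin first responder
            if (src, sport) != (flow["server"], flow["sport"]) or block != flow["next"]:
                return False                       # other peer or out of sequence
            flow["next"] += 1                      # simplification: no retransmits
            flow["last"] = len(payload) - 4 < 512  # short block ends the transfer
            return True
        if opcode == ACK:
            flow = self.flows.get((src, sport))
            if flow is None or flow["sport"] is None:
                return False
            ok = (dst in (flow["server"], BROADCAST) and dport == flow["sport"]
                  and block == flow["next"] - 1)
            if ok and flow["last"]:
                del self.flows[(src, sport)]       # final ACK closes the pinhole
            return ok
        return False

def demo():
    """Constructed broadcast read; the second responder must be dropped."""
    t, c = TftpReadTracker(), ("10.0.0.5", 40000)
    data = struct.pack("!HH", DATA, 1) + b"x" * 95
    pkts = [(*c, BROADCAST, 69, struct.pack("!H", RRQ) + b"abcdef.prm\0netascii\0"),
            ("10.0.0.9", 33000, *c, data), ("10.0.0.7", 35000, *c, data),
            (*c, BROADCAST, 33000, struct.pack("!HH", ACK, 1))]
    return [t.inspect(*p) for p in pkts]
```

`demo()` returns one verdict per constructed packet: the request, the first server's data and the client's ACK pass, while the data from the second responder is dropped.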