Firewall Wizards mailing list archives
Re: [FW1] Scary traffic - long
From: Hendrik Visage <hendrik () sdn co za>
Date: Wed, 23 Dec 1998 11:50:52 +0200
dreamwvr wrote:

> Hi all, last time I 'snoop'ed this was the exchange being made for javastations. But that was a while ago; it looks to be a similar scenario.

Guess what? Javastations are (mostly) Sun machines which need to get their boot images ;)

Greetz
Hendrik

> Regards,
> dreamwvr () dreamwvr com
>
> At 06:56 PM 12/21/98 +0200, Hendrik Visage wrote:
>> roger nebel wrote:
>>> RFC 1350 (ftp://ftp.isi.edu/in-notes/rfc1350.txt) mentions nothing about broadcast, perhaps that's a local implementation deviation by someone... I'd be interested in how / where you've seen that use.
>>
>> AFAIK: Sun machines make use of a broadcast to get the boot image:
>> Procedure:
>> 1) get IP address with RARP
>> 2) send out broadcast tftp get image
>> 3) bootparamd for root, install server and other info
>> 4) mount root and continue
>>
>> I'm speaking under correction, but I think I've seen the Xyplex terminal servers also having asked for the image and parameters via broadcast (at that stage not much info except IP address, old BOOTP).
>>
>> Now the test (Solaris 2.6):
>> # tftp
>> tftp> get 255.255.255.255:abcdef.prm
>> Received 4703 bytes in 0.1 seconds
>>
>> Now the interesting part:
>> ===================
>> # snoop myne|egrep -v "RLOGIN|RSTAT|TCP|RPC|NIS|NFS|NTP"
>> Using device /dev/hme (promiscuous mode)
>> myne -> BROADCAST TFTP Read "abcdef.prm" (netascii)
>> mainman -> myne TFTP Data block 1 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 1
>> mainman -> myne TFTP Data block 2 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 2
>> mainman -> myne TFTP Data block 3 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 3
>> mainman -> myne TFTP Data block 4 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 4
>> mainman -> myne TFTP Data block 5 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 5
>> mainman -> myne TFTP Data block 6 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 6
>> mainman -> myne TFTP Data block 7 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 7
>> mainman -> myne TFTP Data block 8 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 8
>> mainman -> myne TFTP Data block 9 (512 bytes)
>> myne -> BROADCAST TFTP Ack block 9
>> mainman -> myne TFTP Data block 10 (95 bytes) (last block)
>> myne -> BROADCAST TFTP Ack block 10
>>
>>> Hendrik Visage wrote:
>>>> AFAIK: Unfortunately, tftp DOES have a broadcast "option", but it should be only in LAN context. It sends out the broadcast, and then all the tftp servers will check if they have the requested file, and then reply if they DO have the file.
>>>>
>>>> tftp is also "dangerous" in the sense that it's UDP, sent out to a port, and the server sends out via another port. Not all that easy to have a stateful inspection code for tftp, and FW-1 doesn't handle it as "nicely" as "standard" ftp :((
>
> Reuters, London, February 29, 1998: Scientists have announced discovering a meteorite which will strike the earth in March, 2028. Millions of UNIX coders expressed relief for being spared the UNIX epoch "crisis" of 2038.
> _______________________________________________________________________
> DREAMWVR.COM - TOTAL WEB INTEGRATION, DEVELOPMENT, DESIGN SERVICES.
> Featuring Website Development and Web Strategies of a TOP Developer
> <http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr () dreamwvr com>
> "As Unique as the Company You Keep."
> "===0 PGP Key Available
> ________________________________________________________________________
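The exchange in the quoted snoop trace, as an added example that is not part of the original thread: a small tracker that decodes RFC 1350 packets, pins a transfer to the first responder's address and port (the reply does not come from port 69), and counts ACKs that still go to broadcast. The port numbers, the function names and the sample packets are constructed for illustration.

```python
import struct

BROADCAST = "255.255.255.255"
RRQ, DATA, ACK = 1, 3, 4                      # RFC 1350 opcodes used here

def parse_tftp(payload):
    """Decode an RRQ, DATA or ACK packet from a UDP payload."""
    if len(payload) < 4:
        raise ValueError("short TFTP packet")
    op, num = struct.unpack("!HH", payload[:4])
    if op == RRQ and payload.count(b"\x00", 2) >= 2:   # filename NUL mode NUL
        name = payload[2:].split(b"\x00")[0]
        return {"op": op, "file": name.decode("ascii", "replace")}
    if op in (DATA, ACK):
        return {"op": op, "block": num, "size": len(payload) - 4}
    raise ValueError("malformed or unhandled packet, opcode %d" % op)

def track(packets):
    """packets: (src, sport, dst, dport, payload) tuples in capture order."""
    sessions, findings = {}, []               # sessions keyed by (client, port)
    for src, sport, dst, dport, payload in packets:
        pkt = parse_tftp(payload)
        if pkt["op"] == RRQ and dport == 69:
            sessions[(src, sport)] = {"file": pkt["file"], "server": None,
                                      "bytes": 0, "bcast_acks": 0, "done": False}
            if dst == BROADCAST:
                findings.append("broadcast RRQ for %s from %s" % (pkt["file"], src))
        elif pkt["op"] == DATA and (dst, dport) in sessions:
            s = sessions[(dst, dport)]
            if s["server"] is None:
                s["server"] = (src, sport)    # reply comes from a new port, not 69
            elif s["server"] != (src, sport):
                findings.append("second responder %s:%d" % (src, sport))
                continue
            s["bytes"] += pkt["size"]
            s["done"] = pkt["size"] < 512     # short block ends the transfer
        elif pkt["op"] == ACK and (src, sport) in sessions and dst == BROADCAST:
            sessions[(src, sport)]["bcast_acks"] += 1
    return findings, sessions

def sample_trace():
    """Constructed packets shaped like the snoop output; ports are made up."""
    c, s = ("myne", 32771), ("mainman", 32790)
    pkts = [c + (BROADCAST, 69, struct.pack("!H", RRQ) + b"abcdef.prm\0netascii\0")]
    for blk in range(1, 11):
        body = b"x" * (512 if blk < 10 else 95)
        pkts.append(s + c + (struct.pack("!HH", DATA, blk) + body,))
        pkts.append(c + (BROADCAST, s[1], struct.pack("!HH", ACK, blk)))
    return pkts
```

Calling `track(sample_trace())` returns the findings list and the per-client session table; nine 512-byte blocks plus the final 95-byte block add up to the 4703 bytes the tftp client reported.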