Bugzilla – Bug 729793
TFTP server doesn't provide support for SuSEfirewall2
Last modified: 2013-03-22 10:00:07 UTC
I came across this article about configuring TFTP http://sellingfreesoftwareforaliving.blogspot.com/2011/11/install-and-configure-tftp-server-for.html and it says that it needs some manual steps in configuring the firewall to make it work. Hard to say whether the TFTP server actually ever did provide that support, but the YaST configuration module expects that it does. SuSEfirewall2 provides quite an interesting feature: any package can define its own set of firewall rules needed for itself to work behind the firewall. More info here: http://kobliha-suse.blogspot.com/2008/06/firewall-services-defined-by-packages.html

I believe it would be enough to include a new file /etc/sysconfig/SuSEfirewall2.d/services/tftp in the tftp package:

--- cut ---
## Name: TFTP Server
## Description: Opens ports for tftp service.

# space separated list of allowed UDP ports
UDP="tftp"
--- cut ---

Please correct me if more ports are needed.
I packaged the firewall rules as you suggested. However, when I launch the Yast tftp module and check "Open port in firewall", I still don't see port 69 listed among the allowed services/ports. In the Yast log I find lines like this:

[YCP] SuSEFirewall.ycp:2046 Undefined service 'tftp'

or

[YCP] SuSEFirewallServices.ycp:538 Uknown service 'tftp'

Despite tftp being listed among the known services right below:

"service:tftp":$["broadcast_ports":[], "description":"Opens ports for tftp service.", "ip_protocols":[], "name":"TFTP Server", "rpc_ports":[], "tcp_ports":[], "udp_ports":["tftp"]]

Do you have any ideas what could go wrong?
Well, "service:tftp" != "tftp" --> YaST code needs to be changed too. BTW, even if you allow the TFTP service in the firewall, you will still be unable to see port 69 open in YaST Firewall (but you will be able to see it in the iptables list).
Do you mean that this line should be changed to read "service:tftp"? http://svn.opensuse.org/viewvc/yast/trunk/tftp-server/src/dialogs.ycp?view=markup&pathrev=64460#l85 Then I don't understand why anything needed to be changed in the first place. SuSEFirewallServices.ycp does contain "udp_ports" : [ "tftp" ].
SuSEFirewallServices.ycp contains obsolete services maintained by this YCP module. The definition mentioned above is used only for converting old settings to new ones. This conversion is now obsolete as well, as it's been done already. Anyway, if YaST TFTP Server wants to modify the firewall with CWM functionality, it has to use some service that exists, and that's "service:tftp".
Additional info: service:$name has been added years ago to replace the old built-in services defined in SuSEFirewallServices YCP module. These old definitions have been already dropped.
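The naming mismatch discussed above, as an added example that is not YaST's or SuSEfirewall2's own code: it parses the service file proposed in the report into the structure shown in the quoted YaST log, keys it as service:$name, and shows why a lookup of plain "tftp" fails. The function names are hypothetical, and the variables other than UDP (TCP, RPC, IP, BROADCAST) are assumed counterparts of the keys in that log dump.

```python
import shlex

# Constructed sample: the service file proposed in the report.
SERVICE_FILE = '''\
## Name: TFTP Server
## Description: Opens ports for tftp service.

# space separated list of allowed UDP ports
UDP="tftp"
'''

# Shell variable in the file -> key in the YaST dump quoted in the thread.
# Only UDP appears in the report; the other variable names are assumptions.
KEYS = {"TCP": "tcp_ports", "UDP": "udp_ports", "RPC": "rpc_ports",
        "IP": "ip_protocols", "BROADCAST": "broadcast_ports"}


def parse_service(file_name, text):
    """Return (service id, definition) for one package-provided service file."""
    svc = {"name": "", "description": ""}
    svc.update({key: [] for key in KEYS.values()})
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("##"):
            # Metadata comments: "## Name: ..." and "## Description: ..."
            field, _, value = line[2:].partition(":")
            field = field.strip().lower()
            if field in ("name", "description"):
                svc[field] = value.strip()
        elif line and not line.startswith("#") and "=" in line:
            var, _, raw = line.partition("=")
            if var.strip() in KEYS:
                # shlex strips the shell quoting; the value is a
                # space separated list of ports or protocols.
                svc[KEYS[var.strip()]] = " ".join(shlex.split(raw)).split()
    # Package-defined services are addressed as service:$name.
    return "service:" + file_name, svc


def lookup(known, service_id):
    """Mimic the failing lookup: the id must match the stored key exactly."""
    if service_id not in known:
        raise KeyError("Undefined service '%s'" % service_id)
    return known[service_id]


if __name__ == "__main__":
    sid, svc = parse_service("tftp", SERVICE_FILE)
    known = {sid: svc}
    print(sid, lookup(known, "service:tftp")["udp_ports"])
```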
I think my part is done here. Martin, should I assign this bug to you?
I'll fix that in Factory... In which version (tftp) has it been implemented?
I've fixed it in the devel project only, so far. So Factory.
Fixed in Factory, yast2-tftp-server 2.22.1
This is an autogenerated message for OBS integration: This bug (729793) was mentioned in https://build.opensuse.org/request/show/93601 Factory / yast2-tftp-server
*** Bug 609413 has been marked as a duplicate of this bug. ***
This is an autogenerated message for OBS integration: This bug (729793) was mentioned in https://build.opensuse.org/request/show/134139 Factory / atftp
Update released for: tftp, tftp-debuginfo, tftp-debugsource Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: atftp, atftp-debuginfo, atftp-debugsource Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)