[syslinux] src/dst TIDs static @ 69 ?
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Nov 16 18:35:36 PST 2009
--On Monday, November 16, 2009 06:09:10 PM -0800 "H. Peter Anvin"
<hpa at zytor.com> wrote:
> On 11/16/2009 04:09 PM, Jim Freeman wrote:
>> At times our tftp servers are quite busy.
>> Our network folk are rebuilding, and are anxious to tighten security.
>>
>
> BTW, the notion that TFTP would be more secure if nailed down to port 69
> is probably best considered "preposterous".
Certainly. The difficulty is that people like to use restrictive router ACLs
as part of a defense-in-depth strategy to reduce unwanted traffic and try
to protect machines from attack(*). Unfortunately, this is nearly
impossible with a stateless router ACL when "wanted traffic" includes TFTP.
I'd suggest asking your network folk to poke a large hole for the TFTP
server's IP address, possibly with a restricted range of return ports.
-- Jeff
(*) Another difficulty is that people like to rely exclusively on restrictive
router ACLs for this purpose, but that's a rant for another time.