[syslinux] src/dst TIDs static @ 69 ?
H. Peter Anvin
hpa at zytor.com
Mon Nov 16 19:01:33 PST 2009
On 11/16/2009 06:35 PM, Jeffrey Hutzelman wrote:
> --On Monday, November 16, 2009 06:09:10 PM -0800 "H. Peter Anvin"
> <hpa at zytor.com> wrote:
>
>> On 11/16/2009 04:09 PM, Jim Freeman wrote:
>>> At times our tftp servers are quite busy.
>>> Our network folk are rebuilding, and are anxious to tighten security.
>>>
>>
>> BTW, the notion that TFTP would be more secure if nailed down to port 69
>> is probably best considered "preposterous".
>
> Certainly. The difficulty is that people like to use restrictive router
> ACLs as part of a defense-in-depth strategy to reduce unwanted traffic
> and try to protect machines from attack(*). Unfortunately, this is
> nearly impossible with a stateless router ACL when "wanted traffic"
> includes TFTP.
>
> I'd suggest asking your network folk to poke a large hole for the TFTP
> server's IP address, possibly with a restricted range of return ports.
>
> -- Jeff
>
> (*) Another difficulty is that people like to rely exclusively on
> restrictive router ACLs for this purpose, but that's a rant for
> another time.
>
Yes, using stateless ACLs instead of connection tracking makes it hard.
Just carving out a chunk of the UDP portspace for TFTP is a better solution.
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
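As an added illustration of the point made in this exchange (this is example code, not part of the Syslinux project and not written by either poster): RFC 1350 sends only the initial request to UDP port 69; the server answers from a freshly chosen transfer identifier (TID), so a stateless ACL that permits nothing but port 69 drops the very first DATA block. The simulation below builds the first three datagrams of a read, then runs them through three filter models: a "port 69 only" stateless ACL, a stateless ACL that additionally permits a restricted server TID range (the "carve out a chunk of the UDP port space" approach), and a simplified connection-tracking filter of the kind a TFTP conntrack helper such as Linux's nf_conntrack_tftp implements. All addresses, ports and the TID range are constructed assumptions; no sockets are opened.

```python
"""Why a 'UDP/69 only' stateless ACL breaks TFTP, and what fixes it.
Added example, not Syslinux code: in-process model of RFC 1350 TID
behaviour with constructed addresses and ports."""
from dataclasses import dataclass

TFTP_PORT = 69


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    kind: str  # "RRQ", "DATA" or "ACK"


def tftp_read(client_ip, client_tid, server_ip, server_tid):
    """First three datagrams of an RFC 1350 read request.
    Only the RRQ goes to port 69; the server replies from a TID of its
    own choosing and the rest of the transfer runs between the two TIDs."""
    return [
        Packet(client_ip, client_tid, server_ip, TFTP_PORT, "RRQ"),
        Packet(server_ip, server_tid, client_ip, client_tid, "DATA"),
        Packet(client_ip, client_tid, server_ip, server_tid, "ACK"),
    ]


def stateless_acl(server_ip, server_ports):
    """Router-style stateless ACL: permit traffic to the server on any of
    server_ports and traffic from the server sourced from any of them.
    Nothing is remembered between packets."""
    def permit(pkt):
        if pkt.dst_ip == server_ip:
            return pkt.dst_port in server_ports
        if pkt.src_ip == server_ip:
            return pkt.src_port in server_ports
        return False
    return permit


def stateful_tftp_filter(server_ip):
    """Simplified connection-tracking filter with a TFTP helper: a request
    to port 69 registers an expectation for a reply from *any* server port
    to the client's TID; the first reply pins the server TID for the flow.
    (Model of what a conntrack TFTP helper does; not the kernel's code.)"""
    expected = set()  # (client_ip, client_tid) awaiting the server's reply
    flows = set()     # (client_ip, client_tid, server_tid) established
    def permit(pkt):
        if pkt.dst_ip == server_ip and pkt.dst_port == TFTP_PORT:
            expected.add((pkt.src_ip, pkt.src_port))
            return True
        if pkt.src_ip == server_ip and (pkt.dst_ip, pkt.dst_port) in expected:
            expected.discard((pkt.dst_ip, pkt.dst_port))
            flows.add((pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return True
        if pkt.dst_ip == server_ip and (pkt.src_ip, pkt.src_port, pkt.dst_port) in flows:
            return True
        if pkt.src_ip == server_ip and (pkt.dst_ip, pkt.dst_port, pkt.src_port) in flows:
            return True
        return False  # unsolicited or out-of-flow datagram
    return permit


def run(packets, permit):
    """Filter verdict per datagram, in order."""
    return [(p.kind, permit(p)) for p in packets]


def transfer_completes(packets, permit):
    """A transfer only works if every datagram of the exchange is permitted."""
    return all(ok for _, ok in run(packets, permit))


# Constructed sample values (assumptions, not taken from the thread).
SERVER = "192.0.2.10"
CLIENT = "192.0.2.77"
CLIENT_TID = 2070
SERVER_TID = 3051                 # inside the server's configured range
TID_RANGE = range(3000, 3100)     # e.g. a tftpd restricted port range

if __name__ == "__main__":
    pkts = tftp_read(CLIENT, CLIENT_TID, SERVER, SERVER_TID)
    print("port 69 only:   ", run(pkts, stateless_acl(SERVER, {TFTP_PORT})))
    print("69 + TID range: ", run(pkts, stateless_acl(SERVER, set(TID_RANGE) | {TFTP_PORT})))
    print("conntrack helper:", run(pkts, stateful_tftp_filter(SERVER)))
```

With the "port 69 only" policy the RRQ passes but the first DATA block is dropped, which is the failure the thread describes; permitting a restricted TID range alongside port 69 lets the stateless ACL pass the whole exchange while still rejecting server datagrams from ports outside that range, and the connection-tracking model passes it too while dropping an unsolicited DATA packet that was not preceded by a request.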