TFTP server and port 69 UDP or TCP or Both

Unanswered Question
Sep 29th, 2005

If I want to write an access list (inbound) on a router to prevent users on the Ethernet LAN connected to e0 from accessing a TFTP server (10.1.1.15) located on the LAN connected to e1.

The extended access list on the Ethernet interface e0 (inbound), will be:

Access-list 101 deny udp (not tcp) 0.0.0.0 255.255.255.255 10.1.1.15 0.0.0.0 eq 69

Access-list 101 permit ip any any.

Do I need to add this line as well to the deny statement above?

Access-list 101 deny tcp (not udp) 0.0.0.0 255.255.255.255 10.1.1.15 0.0.0.0 eq 69

See the link below for that.

Under: “The following incoming access list will block these ports on your router”:

http://www.ibiblio.org/security/articles/ports.html

Harold Ritter Thu, 09/29/2005 - 06:04

TFTP is udp based so there is no need for the deny tcp statement.

Let me know if I answered your question,

zillah2004 Thu, 09/29/2005 - 09:50

Thanks hritter

Could you please comment on the link that I sent, because it uses udp as well as tcp!!!

I have read a question for CCIE written preparation and they used udp and tcp as well.

Harold Ritter Thu, 09/29/2005 - 10:29

I think the document you included blindly denies both TCP and UDP ports for all protocols as defined in the following document:

http://www.iana.org/assignments/port-numbers

You see, for instance, protocols such as FTP and telnet reserve both TCP and UDP ports but are currently only implemented using TCP.

There is no implementation of TFTP using TCP port 69 that I know of. Specifying both UDP and TCP for TFTP in your ACL doesn't make a big difference if you only block a couple of protocols but could easily become a nightmare as your ACL grows.

Let me know if I answered your question,

zillah2004 Tue, 11/01/2005 - 02:12

((There is no implementation of TFTP using TCP port 69 that I know of.))

Don't you think the above is similar to one of the configurations that I found in the Cisco Lab about a DNS server:

Vista(config)# access-list 112 permit udp any host 172.16.1.2 eq domain

Vista(config)# access-list 112 permit tcp any host 172.16.1.2 eq 53

As you can see, for the DNS server in the first row he used udp and in the second row he used tcp?

bellocarico Tue, 11/01/2005 - 02:55

zillah2004, I think your example is different, as DNS works on UDP for client queries and TCP for zone transfers between servers.

So it uses the same port, but has a different function on each layer 4 protocol.

Regards

zillah2004 Tue, 01/31/2006 - 00:36

((as DNS works on UDP for client queries and TCP for zone transfers between servers)).

Does it make any difference if the explanation says:

(( Use the following

a- protocol udp to allow hosts to use the server for lookup requests on port 53.

b- protocol tcp to allow zone transfer on port 53 {my understanding is from server to client, not between servers} ))
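To see exactly which packets the two ACLs quoted in this thread match, here is a small added example (not from the thread or from Cisco) that parses the subset of IOS extended-ACL syntax used above, applies wildcard masks the way IOS does, and returns the first matching action with the implicit deny at the end. It handles only `permit|deny PROTO SRC DST [eq PORT]` entries with `any`, `host` or `addr wildcard` operands, and treats the ACL as a list of strings rather than a router configuration.

```python
import ipaddress
PORT_NAMES = {"domain": 53, "tftp": 69}  # keyword ports IOS accepts after 'eq'

def _match_addr(addr: str, spec: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wildcard))
    return (a | w) == (s | w)

def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_entry(line: str):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a tuple."""
    t = line.strip().rstrip(".").split()
    assert t[0].lower() == "access-list", line
    action, proto = t[2].lower(), t[3].lower()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return action, proto, src, dst, port
def evaluate(acl_lines, proto: str, src: str, dst: str, dport: int) -> str:
    """Action of the first matching entry; Cisco ACLs end with an implicit deny."""
    for action, p, (s, sw), (d, dw), port in map(parse_entry, acl_lines):
        if p != "ip" and p != proto:          # 'ip' matches every L4 protocol
            continue
        if not (_match_addr(src, s, sw) and _match_addr(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# Constructed inputs: the ACLs quoted in the thread.
ACL_101 = ["access-list 101 deny udp 0.0.0.0 255.255.255.255 10.1.1.15 0.0.0.0 eq 69",
           "access-list 101 permit ip any any"]
ACL_112 = ["access-list 112 permit udp any host 172.16.1.2 eq domain",
           "access-list 112 permit tcp any host 172.16.1.2 eq 53"]

if __name__ == "__main__":
    print(evaluate(ACL_101, "udp", "192.168.0.5", "10.1.1.15", 69))   # deny
    print(evaluate(ACL_101, "tcp", "192.168.0.5", "10.1.1.15", 69))   # permit: TFTP never uses it
    print(evaluate(ACL_112, "tcp", "192.168.0.5", "172.16.1.2", 53))  # permit: zone transfer
```

The tcp/69 packet passing ACL 101 is harmless for the reason Harold gives: no TFTP implementation listens there, so the extra deny line buys nothing, whereas ACL 112 needs both entries because DNS genuinely uses both transports on port 53.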

Posted September 29, 2005 at 5:55 AM