RE: Access-list - Deny TFTP

From: Brian Dennis (brian@xxxxxx)
Date: Tue Jun 12 2001 - 14:48:30 GMT-3

Justin,
A TFTP client only sends the first packet to the TFTP server with a
destination UDP port of 69. The server never responds using port 69. The
server will use a UDP high port to respond back to the client's UDP high
port.

I teach this in my ACPC2 class which covers the security portion of the CCIE
lab. I find that a lot of the CCIE candidates don't fully understand how
TFTP really works and could get bitten in the lab on it. I would recommend
reading the RFC on TFTP. Also it's not a bad idea to break out a Sniffer and
capture a TFTP session.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
5G Networks, Inc.
brian@5g.net
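The exchange Brian describes above, and the effect of the one-line "deny udp any any eq tftp" entry quoted further down in this thread, as an added example that is not part of any poster's message. It is a small Python simulation: it builds the packets of a TFTP read request as RFC 1350 lays them out (only the first packet goes to port 69; the server answers from its own high-port transfer identifier to the client's high port) and runs a simplified Cisco-style numbered access list over every packet of the session. The addresses, transfer identifiers, the three access lists and the parser itself are assumptions made for the example.

```python
"""Added example: simulate a TFTP read request (RFC 1350) and evaluate
simplified Cisco-style numbered access lists against every packet of the
session. Addresses, ports and access lists are constructed sample values."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")

TFTP_PORT = 69                      # only the RRQ/WRQ is ever sent to this port
WELL_KNOWN = {"tftp": TFTP_PORT}    # port keywords the toy parser understands


def tftp_read_session(client_ip, server_ip, client_tid, server_tid, blocks=2):
    """Packets of a TFTP read: client TID -> server:69, then server TID <-> client TID.
    The server never sends from port 69; it picks its own high-port TID."""
    pkts = [Packet(client_ip, client_tid, server_ip, TFTP_PORT, "RRQ")]
    for block in range(1, blocks + 1):
        pkts.append(Packet(server_ip, server_tid, client_ip, client_tid, f"DATA {block}"))
        pkts.append(Packet(client_ip, client_tid, server_ip, server_tid, f"ACK {block}"))
    return pkts


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        return (lambda ip, t=tokens[1]: ip == t), tokens[2:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    # wildcard bits set to 1 are "don't care", so OR them away on both sides
    return (lambda ip, n=net, w=wild: (int(ipaddress.IPv4Address(ip)) | w) == (n | w)), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' or 'gt PORT' operator (keyword or number)."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, port = tokens[0], WELL_KNOWN.get(tokens[1]) or int(tokens[1])
        if op == "eq":
            return (lambda p, port=port: p == port), tokens[2:]
        return (lambda p, port=port: p > port), tokens[2:]
    return (lambda p: True), tokens


def parse_ace(line):
    """Parse 'access-list N {permit|deny} {udp|ip} SRC [op PORT] DST [op PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] not in ("udp", "ip"):
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _parse_addr(tokens[4:])
    sport, rest = _parse_addr and _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"action": tokens[2], "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if (ace["src"](pkt.src) and ace["sport"](pkt.sport)
                and ace["dst"](pkt.dst) and ace["dport"](pkt.dport)):
            return ace["action"]
    return "deny"


def verdicts(acl_lines, pkts):
    """Apply the list to every packet of the session, both directions."""
    acl = [parse_ace(line) for line in acl_lines]
    return [(p.payload, evaluate(acl, p)) for p in pkts]


def transfer_completes(acl_lines, pkts):
    """A transfer succeeds only if every packet, including the high-port
    DATA/ACK exchange, is permitted; a denied RRQ stops it before it starts."""
    return all(v == "permit" for _, v in verdicts(acl_lines, pkts))


# Constructed sample session: client 10.1.1.5 (TID 49152), server 192.168.1.10 (TID 3456)
PKTS = tftp_read_session("10.1.1.5", "192.168.1.10", 49152, 3456)

# The one-line deny from the thread: matches the RRQ only, yet that is enough to stop the transfer
DENY_TFTP = ["access-list 101 deny udp any any eq tftp",
             "access-list 101 permit ip any any"]
# "allow tftp from network X, block everything else" written naively: the RRQ gets through,
# every DATA and ACK packet is dropped by the implicit deny
NAIVE_ALLOW = ["access-list 102 permit udp 10.1.1.0 0.0.0.255 any eq tftp"]
# Stateless version that actually works: add the high-port exchange in both directions
STATELESS_ALLOW = NAIVE_ALLOW + [
    "access-list 102 permit udp 10.1.1.0 0.0.0.255 gt 1023 any gt 1023",
    "access-list 102 permit udp any gt 1023 10.1.1.0 0.0.0.255 gt 1023"]

if __name__ == "__main__":
    for name, acl in (("deny tftp", DENY_TFTP), ("naive allow", NAIVE_ALLOW),
                      ("stateless allow", STATELESS_ALLOW)):
        print(name, verdicts(acl, PKTS), "completes:", transfer_completes(acl, PKTS))
```

Running it shows the point of the thread: with the deny list only the RRQ is denied and every DATA/ACK packet is permitted, but the transfer still never happens because the request never reaches port 69. The naive "allow from network X" list fails the other way round, permitting the RRQ and dropping the rest. The stateless fix works, but it opens every UDP high port between the client network and the server in both directions, which is why a stateful mechanism (reflexive access lists or CBAC on IOS of that era) is the cleaner way to express "TFTP from network X only".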

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Dean, Justin
Sent: Tuesday, June 12, 2001 10:21 AM
To: 'ccielab@groupstudy.com'
Subject: RE: Access-list - Deny TFTP

I could have sworn there was a bit of a trick in there because of the way tftp
changes to high ports after being established. If I remember correctly
it became an issue when the requirements say something like: allow tftp from
network X and block everything else... let me know if I am just way off
here. Thanks,
justin

-----Original Message-----
From: louie kouncar [mailto:lkouncar@UU.NET]
Sent: Tuesday, June 12, 2001 10:03 AM
To: 'Dean, Justin'; ccielab@groupstudy.com
Subject: RE: Access-list - Deny TFTP

Well,

TFTP uses UDP so you need the following:

access-list 101 deny udp any any eq tftp

Hope that helps...

Louie J. Kouncar
TCO3 Senior Data Center Engineer
WorldCom Web Hosting (Tysons)
W-703-343-6645
C-703-304-2460

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Dean, Justin
Sent: Tuesday, June 12, 2001 12:34 PM
To: 'ccielab@groupstudy.com'
Subject: Access-list - Deny TFTP

I am drawing a blank and I can't remember the proper way to block TFTP in an
access list. Can someone help me out? Thanks,

Justin
**Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:23 GMT-3