When the OS hosting the tftp server is a linux CentOS 7 or RedHat 7 and dealing with tftp transfer issues, one of the troubleshooting steps to go through is security related. On a linux system besides the well known software firewall there is another layer of security at the OS level and is known as SELinux.
Until a tftp transfer is successful, both: firewall and SELinux can be turned off.
Firewall and SELinux should be tuned to allow tftp transfer after tftp test transfer is successfully performed.
systemctld stop firewalld turned off ==>> this is a valid statement for lab test purposes only!!!!<<==
systemctld disable firewald ==>> this is a valid statement for lab test purposes only!!!!<<==
find out SELinux stuatus with sestatus command
for turning off SELinux: vi /etc/selinux/config and set SELINUX=disabled use :wq! to exit and save.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
:wq! to exit
reboot shutdown -r now
after reboot check SELinux status
# getenforce
Disabled
set the ownership of the tftp root directory to nobody:nobody
chown nobody:nobody -R /tftpboot/
set the permission to 706, only root can read write and execute under the tftp root directory; the others can only read and write, this translates to: others can only put or get files to and from the tftp root directory without permission to run scripts or programs.
chmod 706 -R /path_to_tftp_root/
restart tftp and xinetd service:
systemctld restart xinetd
systemctld restart tftp
for permanent enablement of tftp use:
systemctld enable tftp
systemctld enable xinetd
checks tftp and xinetd status
systemctld status xinetd
systemctld status tftp
On cat 9300 9500 and 9600 platforms set the tftp source interface prior attempting tftp transfer
ip tftp source-interface GigabitEthernetx/y
choose a small block size to begin with, it can be increased upon successful attempt:
ip tftp blocksize 512-8192
ip tftp blocksize 1024
when copying a file to or from a Cisco device use the following command
copy tftp://IP_address/filename. # tftp server advertises the file;
when accessing TFTP server from the outside world, internal absolute path to the file is irrelevant and if used within the tftp transfer command will result in error like: file not found and unable to access the file.
