TFTP Server

The Trivial File Transfer Protocol (TFTP) is a simplified protocol used for transferring files over a network. It provides basic functionalities, unlike more complex protocols like FTP or SFTP. TFTP is commonly used for transferring firmware updates, configuration files, or boot files from a TFTP server to a TFTP client.

TFTP does not support authentication, encryption, or data compression, which is why it’s typically used only in secure and trusted network environments.

In the opsi context, the TFTP server supplies boot images to opsi clients. The default TFTP server for opsi is opsi-tftpd-hpa, and this package is automatically installed as part of the opsi-server-full package.

opsi-tftpd-hpa is configured to start automatically upon system boot by default. To stop the service, use the command sudo systemctl stop opsi-tftpd-hpa.service; to start it again, use sudo systemctl start opsi-tftpd-hpa.service.

The TFTP service typically runs with a verbose parameter for detailed logging. You can modify the log level for troubleshooting or analysis purposes. To adjust the log level, use the following command:

sudo systemctl edit --full opsi-tftpd-hpa.service

In your text editor, look for the line that starts with ExecStart. In this line, replace -v with --verbosity <log-level>. For example, use --verbosity 7 to get a very detailed log output. After making this change, restart the service with the following command:

sudo systemctl restart  opsi-tftpd-hpa.service

TFTP Ports and Firewall Configuration

The client initially establishes a connection to port 69 on the server for TFTP communication. However, the server doesn’t use port 69 to send any packets back. Instead, the client and server both select unique Transaction Identifiers (TIDs) for their subsequent communications. A TID is an identifier used to uniquely identify transactions. These TIDs correspond to UDP ports, ranging from 1024 to 65535. All further packets are then exchanged between the server’s TID port and the client’s TID port.

Therefore, the server’s firewall needs to be configured to allow incoming connections on port 69/udp for the initial contact. Additionally, UDP communication between the TID ports must also be allowed. The simplest method to achieve this is through the use of the kernel modules ip_conntrack_tftp or nf_conntrack_tftp, which help in managing and tracking the state of TFTP connections.