
Trivial File Transfer Protocol (TFTP) is an Internet software utility for transferring files that is simpler to use than the File Transfer Protocol (FTP) but less capable. It is used where user authentication and directory visibility are not required. TFTP uses the User Datagram Protocol (UDP) rather than the Transmission Control Protocol (TCP). TFTP is described formally in Request for Comments (RFC) 1350.

1. Install tftp-server

The TFTP server can be installed with the following command. xinetd is required as well.

# yum install tftp tftp-server* xinetd*

Then edit /etc/xinetd.d/tftp: set disable to no, and add the -c option to server_args if you need to upload files to the TFTP server from a client.

# vim /etc/xinetd.d/tftp

service tftp
{
         socket_type = dgram
         protocol = udp
         wait = yes
         user = root
         server = /usr/sbin/in.tftpd
         server_args = -c -s /tftpboot
         disable = no
         per_source = 15
         cps = 80 2
         flags = IPv4
}

2. Enable and Start TFTP Service

[root@server0 home]# systemctl enable xinetd
[root@server0 home]# systemctl enable tftp

[root@server0 home]# systemctl start xinetd
[root@server0 home]# systemctl start tftp

After the two enable commands, permanent links are created for the xinetd and TFTP services.

3. Configure SELinux

In RHEL 7.0/CentOS 7, SELinux is not supposed to be disabled (the system will abort booting if you disable SELinux), so TFTP reads and writes must be allowed in SELinux. By default, SELinux uses the enforcing policy, which does not accept any change. To make any change to SELinux, first modify /etc/selinux/config and change the policy to permissive:

# vim /etc/selinux/config

         # This file controls the state of SELinux on the system.
         # SELINUX= can take one of these three values:
         # enforcing - SELinux security policy is enforced.
         # permissive - SELinux prints warnings instead of enforcing.
         # disabled - No SELinux policy is loaded.
         SELINUX=permissive
         # SELINUXTYPE= can take one of three two values:
         # targeted - Targeted processes are protected,
         # minimum - Modification of targeted policy. Only selected processes are protected.
         # mls - Multi Level Security protection.
         SELINUXTYPE=targeted

:wq!

Then reboot the system, and check SELinux status:

# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Then check the tftp permissions in SELinux:

# getsebool -a | grep tftp
tftp_anon_write --> off
tftp_home_dir --> off

If TFTP write is off as shown above, enable it with the setsebool command:

# setsebool -P tftp_anon_write 1
# setsebool -P tftp_home_dir 1

The above changes to SELinux are permanent, so there is no need to change any SELinux config files any more.

4. Configure firewalld

To allow the TFTP service, add the following line to /etc/sysconfig/iptables:

# vim /etc/sysconfig/iptables

       -A INPUT -m state --state NEW -m udp -p udp -m udp --dport 69 -j ACCEPT

Then reload firewalld with the command firewall-cmd --reload.

# firewall-cmd --reload

A more standard way to allow TFTP is to use the firewall-cmd command:

# firewall-cmd --zone=public --add-service=tftp --permanent

The --permanent option permanently enables the TFTP port. The command firewall-cmd --reload is needed every time the firewall config changes.

To check the status of firewalld or to enable it, the following commands can be used:

# systemctl status firewalld
# systemctl enable firewalld
# systemctl start firewalld
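
The -c and -s flags in the step 1 stanza decide what a client can do on a service that has no authentication, so they are worth checking once the setup is finished. The script below is an added example, not part of the original post: it parses an xinetd tftp stanza and reports the upload and chroot settings. It assumes the tftp-hpa in.tftpd option names (-c/--create, -s/--secure); the function names and the sample file are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an xinetd tftp stanza.

# Print the value of "KEY = value" in FILE (comments skipped, last match wins).
xinetd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one finding per line for FILE. Body is a subshell: set -f and vars stay local.
audit_tftp() (
    set -f                       # no globbing while splitting server_args
    create=0; secure=0; root="(none)"
    if [ "$(xinetd_get "$1" disable)" = "yes" ]; then
        echo "INFO: service is disabled in xinetd"
        exit 0
    fi
    for word in $(xinetd_get "$1" server_args); do
        case $word in
            --create) create=1 ;;
            --secure) secure=1 ;;
            --*) ;;              # other long options are not audited here
            -*) case $word in *c*) create=1 ;; esac   # short options may be clustered (-cs)
                case $word in *s*) secure=1 ;; esac ;;
            /*) root=$word ;;    # last absolute path is taken as the served directory
        esac
    done
    if [ "$create" = 1 ]; then
        echo "WARN: -c set: any host that reaches UDP 69 can create files in $root"
    else
        echo "OK: -c not set: uploads limited to files that already exist"
    fi
    if [ "$secure" = 1 ]; then
        echo "OK: -s set: requests are confined to $root"
    else
        echo "WARN: -s not set: server does not chroot to $root"
    fi
)

# Constructed sample: the stanza from step 1, reduced to the audited keys.
sample=$(mktemp); printf 'service tftp\n{\n\tserver_args = -c -s /tftpboot\n\tdisable = no\n}\n' > "$sample"
audit_tftp "$sample"; rm -f "$sample"
```

On a real host, call audit_tftp /etc/xinetd.d/tftp instead of the constructed sample.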
