[Ulf Lamping <ulf.lamping@xxxxxx>]

Darwin Roach S. wrote:
> Hello, a friend of mine and I were doing some captures on a VoIP ATA 
> device to find out which port the TFTP client was using to connect to 
> it�s TFTP Server (supposed to be 69), but when we saw the capture we 
> noticed that the capture showed a strange port as source port, like 
> 1134 or something (is not that one but something like that) and the 
> destination port was indeed 69, no I don�t get that, shouldn�t the 
> request come from the same por 69?, otherwise how can I set a firewall 
> for instance to block or allow that service in a network if the source 
> port is random or not 69?.
>  My friend tells me that it seems logical and said that even Http 
> would go out with any source port from the computer but as destination 
> por 80 for instance, then the NAT does it�s job and expects the answer 
> into that very port 80 from the web, but then translated the port 80 
> into the source port (any port other than 80) the original computer 
> has for that request. All of that doesn�t seem logical to me because 
> I�ve set many firewalls up and I know that if I block port 69 from LAN 
> to WAN then nobody will be able to use TFTP for instance same for port 
> 80 for HTTP and any other port, and the blocking can be from inside 
> the network to the outside or viceversa.
>  
> Can somebody please clarify this to me?
>  
> We used a RJ-45 Grandstream ATA for VoIP, connected into a network 
> card in a SUSE linux computer and that same computer connected into 
> the internet with another  card, so we could make the capture.
>  
> Thanks and sorry if I am being too basic or if the questions seems 
> stupid :)
The server will listen to packets on the tftp port 69. The client can 
choose any port it likes, usually a "random" port above around 1024 is 
used, that's how TCP and UDP works.

Please note that when sending packets the client will use the 
*destination* port 69, while the server uses *source* port 69 for the 
same "connection". So the source port is always the one the packet is 
coming from.

Both firewall and NAT will know the direction of the traffic so it's a 
different thing if the packet is coming from the LAN or the WAN.

Regards, ULFL