HOWTO setup a small server

TFTPD-HPA (Trivial File Transfer Protocol Server)


A TFTP server is mainly required for booting operating systems or configurations over the network. The installation is done by:

# apt-get install tftpd-hpa

Server Configuration

The TFTP server can be started by one of two ways:

  1. directly as daemon, or
  2. via inetd.

In the first case, running as daemon, the line starting with tftp in /etc/inetd.conf has to be commented (described here for openbsd-inetd or compatible):

Excerpt: /etc/inetd.conf

#tftp dgram udp wait root /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/tftpboot

and it has to be enabled in the init script's configuration:

Excerpt: /etc/default/tftpd-hpa


In the second case, running via inetd, the line starting with tftp in /etc/inetd.conf has to be uncommented (for Debian's default inet daemon openbsd-inetd):

Excerpt: /etc/inetd.conf

tftp dgram udp wait root /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/tftpboot

and it has to be disabled in the init script's configuration:

Excerpt: /etc/default/tftpd-hpa


The root directory from where files can be downloaded by a client defaults to /var/lib/tftpboot. It can be changed to, e.g., to /new/tftp/root, if required:

Excerpt: /etc/default/tftpd-hpa

OPTIONS="-l -s /new/tftp/root"

Files can be put into this directory and downloaded from a client without passing this root directory in its requests.

Finally, restart openbsd-inetd and tftpd-hpa:

# /etc/init.d/openbsd-inetd restart
# /etc/init.d/tftpd-hpa restart

Server Testing

Put a file foo into the root directory of the TFTP server. Install a TFTP client:

# apt-get install tftp

and download the file (not neccessarily as root):

$ tftp
tftp> get foo
tftp> q

The file should now exist into your current working directory.

Networking Requirements

Prerequisite: Shorewall In case of a packet filter (Shorewall), you will have to permit access from the clients. The difficulties resulting from changing source/destination ports in TFTP are automatically handled by the netfilter NAT/Conntrack helper modules that are loaded by Shorewall by default.

Excerpt: /etc/shorewall/rules

ACCEPT		net		$FW		udp	69

and restart the packet filter:

# shorewall restart

Back to index.