TFTP “Transfer timed out” with firewalld in CentOS 7 and 8

Accessing a TFTP server fails with a 'Transfer timed out' error on both put and get, yet it works once the firewall is disabled. Follow these steps to resolve the error.
First, remove the non-working TFTP client service:
firewall-cmd --remove-service tftp-client

Two possible solutions can be applied based on your CentOS version.

CentOS 7 & 8

Add an outgoing rule that assigns TFTP traffic (UDP destination port 69) to the TFTP conntrack helper, e.g.:
firewall-cmd --direct --add-rule ipv4 raw OUTPUT 1 -p udp --dport 69 -j CT --helper tftp
firewall-cmd --runtime-to-permanent

CentOS 8.5 & Later

You could also use firewalld's new output policy filters to match TFTP to the helper:
firewall-cmd --permanent --new-policy tftp-client-data
firewall-cmd --permanent --policy tftp-client-data --add-ingress-zone HOST
firewall-cmd --permanent --policy tftp-client-data --add-egress-zone ANY
firewall-cmd --permanent --policy tftp-client-data --add-service tftp
firewall-cmd --reload

Matching the outgoing traffic to the TFTP conntrack helper resolves the issue: the incoming state match for "related and established" traffic then recognizes the TFTP server's reply as permitted by the firewall.
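The state matching described above can be replayed with a simplified model. This is an added example, not code from the original page or from netfilter; the addresses, ports and all function names are constructed for illustration, and it assumes the standard TFTP behaviour of the server answering from a new port instead of port 69.

```python
"""Simplified model (not netfilter code) of conntrack state for a TFTP client."""
from dataclasses import dataclass, field

TFTP_PORT = 69
CLIENT, SERVER = "192.0.2.10", "192.0.2.1"   # constructed documentation addresses
CLIENT_PORT, SERVER_TID = 40000, 51000       # constructed ephemeral ports


@dataclass
class Conntrack:
    helper: bool                                  # is udp/69 output tied to the tftp helper?
    flows: set = field(default_factory=set)       # reply tuples of tracked flows
    expected: set = field(default_factory=set)    # (server, client, client_port), any server port

    def outgoing(self, src, sport, dst, dport):
        # A reply to this packet must arrive with addresses and ports swapped.
        self.flows.add((dst, dport, src, sport))
        if self.helper and dport == TFTP_PORT:
            # The helper registers an expectation with a wildcard source port,
            # because the server answers from a new port rather than from 69.
            self.expected.add((dst, src, sport))

    def incoming(self, src, sport, dst, dport):
        """Return the conntrack state an inbound packet matches."""
        if (src, sport, dst, dport) in self.flows:
            return "ESTABLISHED"
        if (src, dst, dport) in self.expected:
            self.expected.discard((src, dst, dport))
            self.flows.add((src, sport, dst, dport))  # data flow is tracked from now on
            return "RELATED"
        return "NEW"


def verdict(state):
    # Input filtering lets through only traffic in the related/established states.
    return "ACCEPT" if state in ("RELATED", "ESTABLISHED") else "BLOCKED"


def simulate(helper):
    """Replay a read request and the server's first two data packets."""
    ct, results = Conntrack(helper), []
    ct.outgoing(CLIENT, CLIENT_PORT, SERVER, TFTP_PORT)          # read request to port 69
    for _ in range(2):                                           # DATA block 1, then block 2
        state = ct.incoming(SERVER, SERVER_TID, CLIENT, CLIENT_PORT)
        results.append((state, verdict(state)))
        if verdict(state) == "BLOCKED":
            break                                                # client never sees data, times out
        ct.outgoing(CLIENT, CLIENT_PORT, SERVER, SERVER_TID)     # ACK goes to the server's new port
    return results


if __name__ == "__main__":
    print("no helper:  ", simulate(False))
    print("with helper:", simulate(True))
```

Without the helper the first data packet is classified as new traffic and never reaches the client, which is the timeout seen on get; with the helper it matches as related and the rest of the transfer as established.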
