RE: ftp active - passive problems

To: "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: ftp active - passive problems
From: Jeremy Kusnetz <JKusnetz@xxxxxxxx>
Date: Wed, 31 Jan 2001 11:01:00 -0500
The symptoms:
When connecting to LVS ftpd servers from behind a firewall, you cannot do
listing, or file upload and download, i.e. the data port is being blocked.
One must explicitly set the server into passive mode after logging into the
ftpd server to be able to perform these functions.

What I expect:
I expect the ftpd servers to start off in passive mode and allow transfers
through the firewall.  This is how it happens when I am not using LVS, i.e.
the ftpd server is on the VIP itself, not the realservers.

Why it's bad:
This is bad because this is an extra step that most people don't have to do,
and many novice users won't know how to do.

This is a problem with LVS because when going to the same version and
configuration of the ftpd servers that are NOT going through LVS, you do not
have to set the servers to passive, it just works, even from behind the
firewall.

There is SOMETHING that by going through LVS is causing this to happen.
There must be something that going through LVS-NAT is blocking from the ftpd
servers giving them enough information to go into passive mode which is what
I believe the RFC says ftpd is supposed to do.

Here is the configuration that isn't working:

client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
client can't see without LVS)

Here is my setup:
ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m

I am using version 0.9.15 for kernel 2.2.16

-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@xxxxxxx]
Sent: Tuesday, January 30, 2001 11:24 AM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: ftp active - passive problems


Jeremy Kusnetz wrote:

> 
> The problem is running ftpd on the realserver and connecting to it from the
> client who is behind a firewall.

so connecting from a client inside the fw works OK?

I really don't understand the problem. Can you tell me

what you saw 
(if relevant, what you did to set it up)
what you expected
why this is a problem

Thanks Joe


-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
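
Added example (not part of either message above, and not LVS code): in FTP the data-connection endpoint travels on the control channel, in the client's PORT command for active mode and in the server's 227 reply for passive mode (RFC 959), so a control-channel capture shows which address each side is asked to connect to. The sketch below parses both forms and flags RFC 1918 addresses, which a peer on the other side of a firewall or NAT cannot reach directly. The sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 959: PORT (client -> server) and the 227 reply (server -> client) both
# carry the data endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
ENDPOINT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"     # the server will connect out to this address
    elif text.startswith("227"):
        mode = "passive"    # the client will connect in to this address
    else:
        return None
    m = ENDPOINT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None         # malformed endpoint, not a valid byte sequence
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return mode, ip, nums[4] * 256 + nums[5]

def audit(lines):
    """Return (mode, ip, port, is_rfc1918) for every advertised endpoint."""
    findings = []
    for line in lines:
        ep = parse_data_endpoint(line)
        if ep:
            mode, ip, port = ep
            private = any(ip in net for net in RFC1918)
            findings.append((mode, str(ip), port, private))
    return findings

# Constructed control-channel lines (not captured from the setup in this thread).
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,20,19,137",                       # client's private address
    "PASV",
    "227 Entering Passive Mode (10,0,0,1,195,80)",    # address on a 10. network
    "227 Entering Passive Mode (203,0,113,5,195,80)", # documentation address
]

if __name__ == "__main__":
    for mode, ip, port, private in audit(SAMPLE):
        note = "not reachable across NAT" if private else "routable"
        print(f"{mode:8} {ip}:{port}  {note}")
```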


