
Re: ftp active - passive problems

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: ftp active - passive problems
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Wed, 31 Jan 2001 12:28:29 -0500

Jeremy Kusnetz wrote:
> 
> The symptoms:
> When connecting to LVS ftpd servers from behind a firewall, you can not do
> listing, or file upload and download, ie. the data port is being blocked.
> One must explicitly set the server into passive mode after logging into the
> ftpd server to be able to perform these functions.

What happens when you try to ftp from a client inside the firewall?
(don't delete the rest of this posting in your reply)

Joe

> What I expect:
> I expect the ftpd servers to start off in passive mode and allow transfers
> through the firewall.  This is how it happens when I am not using LVS.  ie,
> the ftpd server is on the VIP itself, not the realservers.
> 
> Why it's bad:
> This is bad because this is an extra step that most people don't have to do,
> and many novice users won't know how to do.
> 
> This is a problem with LVS because when going to the same version and
> configuration of the ftpd server that are NOT going through LVS, you do not
> have to set the servers to passive, it just works, even from behind the
> firewall.
> 
> There is SOMETHING that by going through LVS is causing this to happen.
> There must be something that going through LVS-NAT is blocking from the ftpd
> servers giving them enough information to go into passive mode which is what
> I believe the RFC says ftpd is supposed to do.
> 
> Here is the configuration that isn't working:
> 
> client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
> client can't see without LVS)
> 
> Here is my setup:
> ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
> 
> I am using version 0.9.15 for kernel 2.2.16


-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA

