When the client is INSIDE the firewall I get the data port being blocked by
the firewall. I have to set it to passive mode in order for the data port
not be be blocked.
When the client is OUTSIDE the firewall the data port does NOT get blocked
in either active or passive mode.
But like I said, if the ftpd server is not using LVS-NAT, the firewall does
NOT block the data port to the same client INSIDE the firewall, and I am not
having to set it to passive mode. So I belive this is an active-passive
problem. ie, the firewall is blocking active mode connections, but lets
passive get through.
-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@xxxxxxx]
Sent: Tuesday, January 30, 2001 11:24 AM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: ftp active - passive problems
Jeremy Kusnetz wrote:
>
> The symptoms:
> When connecting to LVS ftpd servers from behind a firewall, you can not do
> listing, or file upload and download, ie. the data port is being blocked.
> One must explicitly set the server into passive mode after logging into
the
> ftpd server to be able to perform these functions.
what happens when you try to ftp from a client inside the firewall?
(don't delete the rest of this posting in your reply)
Joe
> What I expect:
> I expect the ftpd servers to start off in passive mode and allow transfers
> through the firewall. This is how it happens when I am not using LVS.
ie,
> the ftpd server is on the VIP itself, not the realservers.
>
> Why it's bad:
> This is bad because this is an extra step that most people don't have to
do,
> and many novice users won't know how to do.
>
> This is a problem with LVS because when going to the same version and
> configuration of the ftpd server that are NOT going through LVS, you do
not
> have to set the server's to passive, it just works, even from behind the
> firewall.
>
> There is SOMETHING that by going through LVS is causing this to happen.
> There must be something that going through LVS-NAT is blocking from the
ftpd
> servers giving them enough information to go into passive mode which is
what
> I belive the RFC says ftpd is supposed to do.
>
> Here is the configuration that isn't working:
>
> client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
> client can't see without LVS)
>
> Here is my setup:
> ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
>
> I am using version 0.9.15 for kernel 2.2.16
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
|