Jeremy Kusnetz wrote:
>
> When the client is INSIDE the firewall I get the data port being blocked by
> the firewall.

When I say "inside the firewall" I mean that the client is inside the
region protected by the firewall and therefore can connect directly
to the director.

What happens when the client connects directly to the director?

Joe

> I have to set it to passive mode in order for the data port
> not be blocked.
>
> When the client is OUTSIDE the firewall the data port does NOT get blocked
> in either active or passive mode.
>
> But like I said, if the ftpd server is not using LVS-NAT, the firewall does
> NOT block the data port to the same client INSIDE the firewall, and I am not
> having to set it to passive mode. So I believe this is an active-passive
> problem. ie, the firewall is blocking active mode connections, but lets
> passive get through.
>
> -----Original Message-----
> From: Joseph Mack [mailto:mack.joseph@xxxxxxx]
> Sent: Tuesday, January 30, 2001 11:24 AM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: ftp active - passive problems
>
> Jeremy Kusnetz wrote:
> >
> > The symptoms:
> > When connecting to LVS ftpd servers from behind a firewall, you can not do
> > listing, or file upload and download, ie. the data port is being blocked.
> > One must explicitly set the server into passive mode after logging into
> > the ftpd server to be able to perform these functions.
>
> what happens when you try to ftp from a client inside the firewall?
> (don't delete the rest of this posting in your reply)
>
> Joe
>
> > What I expect:
> > I expect the ftpd servers to start off in passive mode and allow transfers
> > through the firewall. This is how it happens when I am not using LVS,
> > i.e., the ftpd server is on the VIP itself, not the realservers.
> >
> > Why it's bad:
> > This is bad because this is an extra step that most people don't have to
> > do, and many novice users won't know how to do.
> >
> > This is a problem with LVS because when going to the same version and
> > configuration of the ftpd servers that are NOT going through LVS, you do
> > not have to set the servers to passive, it just works, even from behind
> > the firewall.
> >
> > There is SOMETHING that by going through LVS is causing this to happen.
> > There must be something that going through LVS-NAT is blocking from the
> > ftpd servers giving them enough information to go into passive mode, which
> > is what I believe the RFC says ftpd is supposed to do.
> >
> > Here is the configuration that isn't working:
> >
> > client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
> > client can't see without LVS)
> >
> > Here is my setup:
> > ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
> >
> > I am using version 0.9.15 for kernel 2.2.16
>
> --
> Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
> contractor to the National Environmental Supercomputer Center,
> mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
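Background for the active/passive distinction the thread turns on, as an added example that is not part of the original posts or of the LVS code. In active mode the client sends a PORT command naming an address and port on its own side and the server opens the data connection back to it (from port 20 by default, per RFC 959); a firewall in front of the client that only permits connections the client itself opens will drop that. In passive mode the client sends PASV, the server answers 227 with an address and port on its side, and the client opens the data connection outbound. Either way the address travels inside the control channel as text, which is why any NAT device between client and ftpd has to parse and rewrite it: a realserver on a 10. network that answers PASV with its own address announces something the outside client cannot reach. The script below parses both encodings, reports which side must open the data connection, and flags the two conditions a NAT box or firewall helper checks (an RFC 1918 address announced in-band, or an announced address that differs from the control-connection peer). The sample lines and the 192.0.2.x / 198.51.100.x / 10.x addresses are constructed for the example.

```python
"""Active vs. passive FTP data connections and the in-band address problem.

Added example for the lvs-users thread above. Sample control-channel lines
and all addresses are constructed (documentation and RFC 1918 ranges).
"""
import ipaddress
import re

# Active mode: the client announces where the SERVER should connect.
#   PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Passive mode: the server announces where the CLIENT should connect.
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(fields):
    """Turn the six comma-separated decimal fields into (ip, port); port = p1*256 + p2."""
    octets = [int(x) for x in fields]
    if any(o > 255 for o in octets):
        raise ValueError("field out of range in FTP host-port: %r" % (fields,))
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def parse_data_endpoint(line):
    """Describe the data connection a control-channel line sets up.

    Returns a dict with mode, ip, port and which side opens the connection,
    or None if the line is neither a PORT command nor a 227 reply."""
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return {"mode": "active", "ip": ip, "port": port, "initiator": "server"}
    m = PASV_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        return {"mode": "passive", "ip": ip, "port": port, "initiator": "client"}
    return None


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def check_endpoint(ep, control_peer_ip):
    """Problems a NAT device must rewrite (or a firewall's FTP helper will reject).

    control_peer_ip is the address of the party that sent the line, as the
    recipient sees it on the control connection (e.g. the VIP for replies
    coming through the director)."""
    problems = []
    if is_rfc1918(ep["ip"]):
        problems.append("private address announced in-band")
    if ep["ip"] != control_peer_ip:
        problems.append("announced address differs from control-connection peer")
    return problems


def data_connection_outcome(ep, firewall_allows_unsolicited_inbound=False):
    """Outcome for a client behind a stateful firewall that only permits
    connections the client itself opens (the situation in the thread)."""
    where = "%s:%d" % (ep["ip"], ep["port"])
    if ep["initiator"] == "client":
        return "allowed: client opens outbound data connection to " + where
    if firewall_allows_unsolicited_inbound:
        return "allowed: server opens inbound data connection to " + where
    return "blocked: server must open inbound data connection to " + where


if __name__ == "__main__":
    # Constructed exchange: client 192.0.2.10 behind a firewall talks to a VIP
    # 198.51.100.7; the NATed realserver 10.0.0.1 answers PASV with its own address.
    exchange = [
        ("192.0.2.10", "PORT 192,0,2,10,4,1"),                         # client -> server
        ("192.0.2.10", "PASV"),                                        # client -> server
        ("198.51.100.7", "227 Entering Passive Mode (10,0,0,1,195,80)"),  # realserver via VIP -> client
    ]
    for peer, line in exchange:
        ep = parse_data_endpoint(line)
        if ep is None:
            print("%-48s -> no data endpoint in this line" % line)
            continue
        print("%-48s -> %s; %s; issues=%s" % (line, ep["mode"], data_connection_outcome(ep),
                                              check_endpoint(ep, peer)))
```

Run stand-alone, the script shows the PORT line as blocked for a client that can only open outbound connections, the 227 line as allowed in that respect but carrying a 10. address that differs from the VIP, which is exactly what a director doing NAT has to rewrite before the client can use it.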