RE: ftp active - passive problems

To: "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: ftp active - passive problems
From: Jeremy Kusnetz <JKusnetz@xxxxxxxx>
Date: Wed, 31 Jan 2001 16:59:23 -0500
I think we might be talking about different things.

There isn't a firewall in front of the director, the director is basically
opened up to the world.  It is in a sense acting as a firewall to the
realservers since you have to go through LVS to get to them.

The firewall I am referring to is a firewall that the client (my work
computer) is behind, this is where the problems are.

Using a client at home (no firewall, therefore it connects directly to the
director) I can download in both passive and active mode.  I don't have to
tell it to go to passive mode.  I do believe however that the server is in
active mode when I connect, but I am not sure.  How can I tell?  The only
way I knew it was in active mode is because the firewall at work blocks the
data port in active connections, but not passive mode connections.

Is this what you are asking?

-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@xxxxxxx]
Sent: Wednesday, January 31, 2001 1:39 PM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: ftp active - passive problems


Jeremy Kusnetz wrote:
> 
> When the client is INSIDE the firewall I get the data port being blocked by
> the firewall.

When I say "inside the firewall" I mean, that the client is inside the
region protected by the firewall and therefore can connect directly 
to the director.

What happens when the client directly connects to the director

Joe

> I have to set it to passive mode in order for the data port
> not to be blocked.
> 
> When the client is OUTSIDE the firewall the data port does NOT get blocked
> in either active or passive mode.
> 
> But like I said, if the ftpd server is not using LVS-NAT, the firewall does
> NOT block the data port to the same client INSIDE the firewall, and I am not
> having to set it to passive mode.  So I believe this is an active-passive
> problem.  ie, the firewall is blocking active mode connections, but lets
> passive get through.
> 
> -----Original Message-----
> From: Joseph Mack [mailto:mack.joseph@xxxxxxx]
> Sent: Tuesday, January 30, 2001 11:24 AM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: ftp active - passive problems
> 
> Jeremy Kusnetz wrote:
> >
> > The symptoms:
> > When connecting to LVS ftpd servers from behind a firewall, you can not do
> > listing, or file upload and download, ie. the data port is being blocked.
> > One must explicitly set the server into passive mode after logging into the
> > ftpd server to be able to perform these functions.
> 
> what happens when you try to ftp from a client inside the firewall?
> (don't delete the rest of this posting in your reply)
> 
> Joe
> 
> > What I expect:
> > I expect the ftpd servers to start off in passive mode and allow transfers
> > through the firewall.  This is how it happens when I am not using LVS. ie,
> > the ftpd server is on the VIP itself, not the realservers.
> >
> > Why it's bad:
> > This is bad because this is an extra step that most people don't have to do,
> > and many novice users won't know how to do.
> >
> > This is a problem with LVS because when going to the same version and
> > configuration of the ftpd server that are NOT going through LVS, you do not
> > have to set the servers to passive, it just works, even from behind the
> > firewall.
> >
> > There is SOMETHING that by going through LVS is causing this to happen.
> > There must be something that going through LVS-NAT is blocking from the ftpd
> > servers giving them enough information to go into passive mode which is what
> > I believe the RFC says ftpd is supposed to do.
> >
> > Here is the configuration that isn't working:
> >
> > client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
> > client can't see without LVS)
> >
> > Here is my setup:
> > ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
> >
> > I am using version 0.9.15 for kernel 2.2.16
> 
> --
> Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
> contractor to the National Environmental Supercomputer Center,
> mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
> 
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users

-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA