RE: ftp active - passive problems

To: "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: ftp active - passive problems
From: Joseph Mack <mack@xxxxxxxxxxx>
Date: Wed, 31 Jan 2001 18:56:11 -0500 (EST)
On Wed, 31 Jan 2001, Jeremy Kusnetz wrote:

> I think we might be talking about different things.

Here's what I've got.

The LVS works fine from one client (at home), but doesn't work
for another client (the one you're interested in), who has to go through
a firewall to get to the director.

> There isn't a firewall infront of the director, the director is basically
> opened up to the world.  It is in a sense acting as a firewall to the
> realservers since you have to go through LVS to get to them.
> 
> The firewall I am referring to is a firewall that the client (my work
> computer)is behind, this is where the problems are.
> 
> Using a client at home (no firewall, therefore it connects directly to the
> director)I can download in both passive and active mode.  I don't have to
> tell it to go to passive mode. 

I didn't know you could tell it to do this. I presumed the ftpd could tell
whether it had an active or passive ftp client, but I didn't know.

> I do believe however that the server is in
> active mode when I connect, but I am not sure.  How can I tell?

I expect you could watch the real-server with tcpdump to see what ports it
is using for ftp.

> The only
> way I knew it was in active mode is because the firewall at work blocks the
> data port in active connections, but not passive mode connections.

is changing the firewall an option?
Is making the data available through http an option?

> I have to set it to passive mode in order for the data port
> not be blocked.
> 
> When the client is OUTSIDE the firewall the data port does NOT get blocked
> in either active or passive mode.

this doesn't make sense. I assume your "outside" and mine are
different.

> But like I said, if the ftpd server is not using LVS-NAT, the firewall does
> NOT block the data port to the same client INSIDE the firewall, and I am not
> having to set it to passive mode.

can't parse this. It works fine for VS-DR?

> So I believe this is an active-passive
> problem.  ie, the firewall is blocking active mode connections, but lets
> passive get through.

> > >
> > > Here is my setup:
> > > ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> > > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> > > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m

what are your ipchains rules on the director to masquerade
the ftp and ftp-data ports from the real-servers?

Joe

--
Joseph Mack mack@xxxxxxxxxxx
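Joe's suggestion to watch the control channel with tcpdump can be turned into a quick check. The script below is an added example, not code from this thread or from the LVS project: it parses a constructed FTP control-session transcript (one line per command, prefixed `C:` for client and `S:` for server, the way one might transcribe a capture) and reports, per data connection, whether the client used PORT (active mode, where the server opens a connection back to the client, which a client-side firewall like Jeremy's will drop) or PASV (passive mode, where the client connects out to the server).

```python
import re
from typing import List, Tuple

# Constructed sample transcript of an FTP control channel; not a real capture.
# In active mode the client sends PORT h1,h2,h3,h4,p1,p2 and the server
# connects from its port 20 to the client's address/port.  In passive mode
# the client sends PASV and the server replies 227 with its own address/port,
# which the client then connects to.
SAMPLE_SESSION = """\
S: 220 ftpd ready
C: USER anonymous
S: 331 Password required
C: PASS guest@
S: 230 Login ok
C: PORT 192,168,1,20,4,1
S: 200 PORT command successful
C: RETR file1
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (10,0,0,1,8,5)
C: RETR file2
S: 226 Transfer complete
"""

# RFC 959 host/port tuple: four address octets and a 16-bit port split as p1*256 + p2
_HOST_PORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(match: "re.Match") -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_data_connections(session: str) -> List[Tuple[str, str, int]]:
    """Return (mode, host, port) for every data connection negotiated on the
    control channel.  'active' means the server will connect TO host:port
    (inbound to the client); 'passive' means the client will connect to it."""
    results = []
    for line in session.splitlines():
        if line.startswith("C: PORT "):
            m = _HOST_PORT.search(line)
            if m:
                host, port = _decode(m)
                results.append(("active", host, port))
        elif line.startswith("S: 227"):  # Entering Passive Mode
            m = _HOST_PORT.search(line)
            if m:
                host, port = _decode(m)
                results.append(("passive", host, port))
    return results
```

Any "active" entry is a transfer that needs an inbound connection to the client's network, which is exactly what a stateless client-side firewall blocks.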
