On Tue, May 01, 2001 at 04:34:36PM +0000, Julian Anastasov wrote:
>
> > Yes. We can actually get ftp to work in NAT mode without using the
> > ip_masq_ftp module. The trick is to tell the real ftp servers to use
> > the VIP as the passive address for connections from outside; e.g. in
> > wu-ftpd, add the following lines to the /etc/ftpaccess:
> >
> > passive address RIP <localnet>
> > passive address 127.0.0.1 127.0.0.0/8
> > passive address VIP 0.0.0.0/0
> >
> >
> > Of course, the ftp virtual service has to be persistent port 0.
>
> But some guys will not like to open all ports :) And what happens
> in the case when two real servers announce same VPORT for the VIP?
Persistency solves the problem.
> I assume the real server packets don't go through the director?
> Something like DR? I understand that such setup can work but I
> expect many problems: broken data connections. Or I'm
> misunderstanding something?
>
The "passive address" as specified in the real ftp server
configurations only appears in packet payload. The source addresses of
data connection packets are still internal and the director masquerades the
data packets in the usual way.
> So, the question remains open: is active ftp working for
> LVS-NAT without the in_ports option. By default, most of the browsers
> use the passive option and maybe this problem is not observed. I tried
> it only once for a little FTP test and I think it is needed. But you
> guys will make your tests, I hope :)
>
I just tested it. It works without the io_ports options and the
ip_masq_ftp module itself.
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>
--
Wenzhuo