As for the security issue, we can set up tighter ipchains rules on the
director box, e.g. only allow connections to VIP:21 and the pasv ports.
On Tue, May 01, 2001 at 04:34:36PM +0000, Julian Anastasov wrote:
>
> > ip_masq_ftp module. The trick is to tell the real ftp servers to use
> > the VIP as the passive address for connections from outside; e.g. in
> > wu-ftpd, add the following lines to the /etc/ftpaccess:
> >
> > passive address RIP <localnet>
> > passive address 127.0.0.1 127.0.0.0/8
> > passive address VIP 0.0.0.0/0
> >
> >
> > Of course, the ftp virtual service has to be persistent port 0.
>
> But some guys will not like to open all ports :) And what happens
> in the case when two real servers announce the same VPORT for the VIP?
> I assume the real server packets don't go through the director?
> Something like DR? I understand that such a setup can work but I
> expect many problems: broken data connections. Or am I
> misunderstanding something?
>
> So, the question remains open: is active ftp working for
> LVS-NAT without the in_ports option? By default, most of the browsers
> use the passive option and maybe this problem is not observed. I tried
> it only once for a little FTP test and I think it is needed. But you
> guys will make your tests, I hope :)
>
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>
--
Wenzhuo
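The pieces of the exchange above can be modelled together: the wu-ftpd "passive address" rules quoted by Julian decide which address a real server announces in its PASV reply, and the tighter director filter Wenzhuo proposes decides whether the client's resulting data connection is accepted. The following is an added example written for this page, not code from the thread, wu-ftpd or LVS. It assumes first-match semantics for "passive address" (the ordering in the quoted config, localnet first and 0.0.0.0/0 last, only makes sense under that rule), and the VIP, RIP, localnet and pasv port range are constructed placeholder values.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed placeholder values standing in for the VIP/RIP in the thread.
VIP = "192.0.2.10"
RIP = "10.0.0.5"
LOCALNET = "10.0.0.0/8"
PASV_PORTS = (49152, 49200)  # constructed passive port range the director would open

# The three ftpaccess lines from the thread, with the placeholders substituted.
FTPACCESS = f"""
passive address {RIP} {LOCALNET}
passive address 127.0.0.1 127.0.0.0/8
passive address {VIP} 0.0.0.0/0
"""


def parse_passive_address_lines(text: str) -> List[Tuple[str, str]]:
    """Extract (announced_ip, client_cidr) pairs from 'passive address' lines,
    keeping file order because matching below is order-sensitive."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "passive" and parts[1] == "address":
            rules.append((parts[2], parts[3]))
    return rules


def announced_pasv_address(client_ip: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Address the real server reports in its PASV reply for this client.
    Assumption: the first rule whose cidr contains the client wins."""
    client = ipaddress.ip_address(client_ip)
    for announced, cidr in rules:
        if client in ipaddress.ip_network(cidr, strict=False):
            return announced
    return None


def pasv_reply(announced_ip: str, port: int) -> str:
    """Build the RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' line."""
    h = announced_ip.split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
        h[0], h[1], h[2], h[3], port >> 8, port & 0xFF)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Recover (ip, port) from a 227 reply the way a client (or ip_masq_ftp) does."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def director_allows(dst_ip: str, dst_port: int) -> bool:
    """The allow-list Wenzhuo suggests for the director: VIP:21 and the
    VIP pasv range only; everything else is dropped."""
    if dst_ip != VIP:
        return False
    return dst_port == 21 or PASV_PORTS[0] <= dst_port <= PASV_PORTS[1]


def data_connection_accepted(client_ip: str, server_port: int) -> bool:
    """End to end: which address the real server announces to this client,
    and whether the client's data connection to it passes the director."""
    rules = parse_passive_address_lines(FTPACCESS)
    announced = announced_pasv_address(client_ip, rules)
    if announced is None:
        return False
    ip, port = parse_pasv_reply(pasv_reply(announced, server_port))
    return director_allows(ip, port)


if __name__ == "__main__":
    # An outside client is told the VIP and lands inside the pasv range: accepted.
    print(data_connection_accepted("203.0.113.7", 49160))  # True
    # A server picking a port outside the opened range is dropped at the director.
    print(data_connection_accepted("203.0.113.7", 60000))  # False
```

The last case is the operational catch: the director's allow-list only works if every real server is also configured (wu-ftpd "passive ports") to stay inside the same range, otherwise the data connection is announced correctly but silently filtered.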