Hello,
On Thu, 3 May 2001, Alois Treindl wrote:
>
> I have set up ftp on LV-NAT with kernel 2.2.19
>
> I found that I needed the command, as Julian suggested on May 1,
> modprobe ip_masq_ftp in_ports=21
>
> so that (passive mode) ftp from Netscape would work.
Yes, it seems this option is not useful for the active FTP
transfers because if the data connection is not created while the
client's PORT command is detected in the command stream then it is
created later when the internal real server creates normal in->out
connection to the client. So, it is not a fatal problem for active
FTP to avoid this option. The only problem is that these two connections
are independent and the command connection can die before the data
connection, for long transfers. With the in_ports option used this
can not happen.
The fatal problems come for the passive transfers
when the data connection from the client must hit the LVS service.
For this, the ip_masq_ftp module must detect the 227 response from
the real server in the in->out packets and to open a hole for the
client's data connection. And the "good" news is that this works only
with in_ports/in_mark options used.
> without the in_ports=21 it did not work.
>
> I am using proftpd as ftp server, which does not seem to have
> an option so that I could configure on the server that it
Bad ftpd :) It seems the following rules are valid:
- active ftp always works through stupid balancers (for external clients)
that have minimum support for masquerading, with some drops in the
command connection
- passive ftp always works through stupid masq boxes (for internal clients)
> gives the VIP to clients making a PASV request; it always gives
> the realserver IP address in replies to such requests.
>
>
>
> Alois
Regards
--
Julian Anastasov <ja@xxxxxx>
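To make concrete what the masquerading helper has to do with the server's 227 reply (in->out) and the client's PORT command (out->in), here is an added Python sketch; it is not code from the kernel's ip_masq_ftp module, and the VIP 192.0.2.10, the real server 10.0.0.2 and the function names are constructed for the illustration.

```python
"""Toy model of an FTP NAT helper for an LVS-NAT setup (constructed example).

The real server answers PASV with its own address (RIP), so the balancer must
rewrite that 227 reply to the VIP and remember the hole to open for the
client's data connection. For active FTP the client's PORT command only has
to be parsed so the server's later data connection can be matched up.
"""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_hostport(groups):
    """FTP h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2)."""
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def format_hostport(ip, port):
    """Inverse of parse_hostport, in the comma-separated FTP form."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_pasv_reply(line, rip, vip):
    """in->out direction: a 227 reply leaving the real server.

    Returns (possibly rewritten line, hole) where hole describes the
    client->VIP data connection the balancer must now forward to the RIP,
    or None when the line is not a PASV reply from this real server.
    """
    m = PASV_RE.match(line)
    if not m:
        return line, None
    host, port = parse_hostport(m.groups())
    if host != rip:  # someone else's address; leave the reply untouched
        return line, None
    new_line = line.replace(format_hostport(host, port), format_hostport(vip, port), 1)
    return new_line, {"dst": (vip, port), "forward_to": (rip, port)}


def expect_active_data(line):
    """out->in direction: a client PORT command.

    Returns (client_ip, client_port) the server will connect back to, so the
    server's in->out data connection can be tied to this command session.
    """
    m = PORT_RE.match(line)
    return parse_hostport(m.groups()) if m else None
```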