Hi Alois,
I'm really sorry I haven't replied earlier but I get no time anymore
to contribute to this project from my employer. I'm in progress of
setting up my testing and development environment at home, so I can
independently work there but this will take some time.
Alois Treindl wrote:
>
> I think I got it, by thinking a bit more clearly and watching my
> ipchains filter with more logging enabled.
Joe, I send you an updated version of the SuSE ftp-proxy evaluation
where I either write it in a way everybody can use it or I just drop
the mention of the fw-* rules, which only make sense for terreActive
firewalls.
> For my setup of a not-loadbalanced ftp-proxy service on LVS-NAT,
> no entry in ipvsadm is needed.
> Everything is handled by ftp-proxy on the director.
So you have the policy DENY on the input chain?
> I report it to the list because others may have the same problem,
> to set up an ftp proxy on a LVS system.
>
> Configuration details:
>
> in ftp-proxy.conf the only lines uncommented are:
>
> DestinationAddress 10.1.1.1
> DestinationPort 21
> Listen 195.49.62.59
Hmm, does this really work? If you redirect packets they won't
reach the proxy in 2.2.x kernels if the listener is not INADDR_ANY.
At least I couldn't get it working, and if you follow the path
in the kernel it is not possible that this would work. But I need
to reread the comments I once made about this before stating this.
> PassiveMinDataPort 41000
> PassiveMaxDataPort 41999
My configuration is:
ServerType standalone
AllowTransProxy yes
ServerRoot /var/tmp
DestinationAddress 1.1.1.99
DestinationTransferMode passive
Listen 0.0.0.0
Port 43012
LogDestination daemon
PassiveMinDataPort 22048
PassiveMaxDataPort 23071
PidFile /var/run/ftpproxy.pid
TimeOut 300
ForkLimit 4096
WelcomeString 'FTP-Server ready'
> in my ipchains ruleset I have:
> # allow incoming ftp command connections on VIP
> -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 21 $L
> # data connections in active mode
> -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 20 $L
> # allow data connections in passive mode
> -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP}
> ${FTP_PORTS} $L
But then your policy is ACCEPT.
> where
> FTP_PORTS="41000:41999"
> NPORTS="1024:65535"
> ALL=0/0
> VIP=195.49.62.59
So this is the setup you're happy with?
> ---- setup -------------------
>
>              |
>              | eth1: real address $DEP, virtual address eth1:0 $VIP
>              | DEP=195.49.62.58  VIP=195.49.62.59
>     +---------------------+
>     | LVS-NAT director    |  running kernel 2.2.19
>     | ipchains firewall   |
>     | ftp-proxy           |
>     +---------------------+
Very nice :)
Have a nice day,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
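The two mismatches this thread turns on are a passive data-port range in ftp-proxy.conf that does not match the firewall's FTP_PORTS, and a Listen address other than 0.0.0.0 while AllowTransProxy is on. The following checker is an added example, not code from the thread or from ftp-proxy; the config and ipchains rules are constructed from the setups quoted above, and $L is assumed to be the -l logging flag.

```python
import re

# Constructed inputs modelled on the thread's setup (not the original files).
FTP_PROXY_CONF = """\
AllowTransProxy yes
DestinationAddress 10.1.1.1
DestinationPort 21
Listen 195.49.62.59
PassiveMinDataPort 41000
PassiveMaxDataPort 41999
"""
FW_VARS = {"VIP": "195.49.62.59", "ALL": "0/0", "NPORTS": "1024:65535",
           "FTP_PORTS": "41000:41999", "L": "-l"}  # L assumed: logging flag
IPCHAINS_RULES = """\
# allow incoming ftp command connections on VIP
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 21 $L
# allow data connections in passive mode
-A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} ${FTP_PORTS} $L
"""

def parse_conf(text):
    """ftp-proxy.conf style: 'Key value' per line, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            conf[key] = val.strip()
    return conf

def port_range(token):
    """'21' -> (21, 21); '41000:41999' -> (41000, 41999)."""
    lo, _, hi = token.partition(":")
    return int(lo), int(hi or lo)

def accepted_input_ports(rules, variables):
    """Destination port ranges ACCEPTed on the input chain, after $VAR expansion."""
    ranges = set()
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tok = re.sub(r"\$\{?(\w+)\}?", lambda m: variables[m.group(1)], line).split()
        if "input" in tok and "ACCEPT" in tok and "-d" in tok:
            i = tok.index("-d")  # '-d <addr> [port[:port]]'
            if i + 2 < len(tok) and tok[i + 2][0].isdigit():
                ranges.add(port_range(tok[i + 2]))
    return ranges

def check(conf, rules, variables):
    """Return finding codes; an empty list means proxy config and firewall agree."""
    findings, opened = [], accepted_input_ports(rules, variables)
    if conf.get("AllowTransProxy") == "yes" and conf.get("Listen") != "0.0.0.0":
        findings.append("listen-not-inaddr-any")  # redirected packets may miss the proxy
    if (int(conf["PassiveMinDataPort"]), int(conf["PassiveMaxDataPort"])) not in opened:
        findings.append("passive-range-not-opened")  # passive data connections would be dropped
    if port_range(conf.get("Port", "21")) not in opened:
        findings.append("command-port-not-opened")
    return findings
```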