Re: LVS-NAT Active FTP issue...

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-NAT Active FTP issue...
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Sun, 27 Nov 2005 19:52:06 +0100
> I'd never heard of it, but he sounds like he knows the difference
> between the server calling from port=20 (or !=20 as is his case) and the
> server waiting for a call from the client to some other port.

I've read the vsftp config stuff a bit, and his setting means:

connect_from_port_20
    This controls whether PORT style data connections use port 20
(ftp-data) on the server machine. For security reasons, some clients may
insist that this is the case. Conversely, disabling this option enables
vsftpd to run with slightly less privilege.

The server however should indicate that the data-port is not 20 in some way.

>> Is there an indication in RFC959 which states that this "behaviour" is
>> legal as well for active FTP?
> 
> no-one requires code to obey standards to sell it ;-(

Well, vsftp is GPL and written by someone I happen to know even :). But
it must be RFC conformant or else clients would not be able to properly
interact with the server.

I wonder if there is a special string returned by either one of the
which indicates that behaviour. If so, we could easily extend the ftp
part of IPVS.

>> On top of that, does netfilter cope with this or do you need a RELATED
>> rule?
> 
> this is one of the points of discussion.

I've read his initial post and so it seems that RELATED is sufficient
regarding netfilter. Of course we cannot implement the RELATED code in
IPVS, well we could, however it'll be quite an overkill.

Mark, what about the following setup:

connect_from_port_20 = NO
ftp_data_port = >1024

Or

pasv_enable = YES

Would that be good enough for you? We still need to address IPVS but at
least it'll be somewhat static (in_ports could be used). It remains to
be said that there is likely to be an issue when dealing with some
commercial firewalls, if you're using ftp-data not on port 20 with
active FTP.

A "hacky" solution to your problem of course would be to fwmark
ip_local_port_range and 21 and create one persistent service for that.
This will work instantly, without the need to fix some code. Use the sed
or wlc scheduler to minimize load imbalance in that case.

Best regards,
Roberto Nibali, ratz
-- 
echo
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
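
The fwmark suggestion in the message above, written out as director-side commands. This is an added example, not part of the original message: the VIP 192.0.2.10, realservers 10.0.0.2 and 10.0.0.3, mark 1, the 600-second persistence timeout and the sample port range are constructed, and the script only prints the commands for review.

```shell
#!/bin/sh
# Added example: prints (does not run) the director-side commands for the
# fwmark approach. Addresses, mark, timeout and port range are constructed.

# Read "LOW HIGH" (the /proc/sys/net/ipv4/ip_local_port_range format) on
# stdin and print it as LOW:HIGH for iptables --dport; fail if malformed.
port_range() {
    low='' high=''
    read -r low high _rest || [ -n "$low" ] || return 1
    case "$low$high" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$high" ] && [ "$low" -ge 1 ] && [ "$high" -le 65535 ] &&
        [ "$low" -le "$high" ] || return 1
    echo "$low:$high"
}

# Args: VIP MARK RANGE SCHEDULER TIMEOUT REALSERVER...
# Marks TCP traffic to the VIP on port 21 and on RANGE with one fwmark, then
# defines a single persistent virtual service on that mark (LVS-NAT, -m).
fwmark_ftp_rules() {
    [ "$#" -ge 6 ] || { echo "need VIP MARK RANGE SCHED TIMEOUT RIP..." >&2; return 1; }
    vip=$1 mark=$2 range=$3 sched=$4 timeout=$5
    shift 5
    # The post suggests sed or wlc to minimize load imbalance.
    case "$sched" in sed|wlc) ;; *) echo "scheduler must be sed or wlc" >&2; return 1 ;; esac
    for dport in 21 "$range"; do
        echo "iptables -t mangle -A PREROUTING -d $vip -p tcp --dport $dport -j MARK --set-mark $mark"
    done
    echo "ipvsadm -A -f $mark -s $sched -p $timeout"
    for rip in "$@"; do
        echo "ipvsadm -a -f $mark -r $rip -m"
    done
}

# Constructed sample input in ip_local_port_range format (tab separated).
ports=$(printf '32768\t61000\n' | port_range) &&
    fwmark_ftp_rules 192.0.2.10 1 "$ports" wlc 600 10.0.0.2 10.0.0.3
```

Marking the whole local port range means every inbound TCP connection to the VIP on those ports is scheduled to a realserver, so packet filtering on the realservers has to account for that range.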
