
RE: How to NAT The FTP-DATA Connection?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: How to NAT The FTP-DATA Connection?
From: "Robinson, Eric" <eric.robinson@xxxxxxxxxx>
Date: Fri, 22 Dec 2006 16:34:35 -0800
> so how have clients been getting back their ftp-data packets till now?

I configure the tunnel to allow FTP-DATA connections from the RIPs of
the FTP servers to the client's network. The clients establish the
control connections to the VIP of the load-balancer, but the data
connections come from the RealServers. It's kludgy, complicated, and
less secure (those three things often go together, don't they?), but at
least it works. I really don't want to leave it that way.

> do you have the port=20 option (forget syntax) when loading your ftp
> helper?

I'll check, but does it matter with active FTP? The HOWTO implies it
doesn't.

> you have no iptables rules on the director/realservers?

No, the firewalls are separate appliances. No packet filtering on the
load-balancers.

> does passive ftp work, even if not an option for deployment?

I don't recall. I suspect it does, but I'll test it again and see.

> on the realservers, do you see the ftpd attempt to open the ftp-data
> connection?

Right now I see it attempt and succeed because the tunnel allows it. If
I turn off the rules allowing outbound access from the RIPs through the
tunnel, I will see it try and fail.

> if so, do you see the ftp-data connection in the output of ipvsadm
> with the options which show the connections (don't have ipvsadm with me
> here).

Good question... will check.

> if so, do you see the ftp-data packets on the director with tcpdump.

Will check.


