port trigger

Roberto Nibali ratz at drugphish.ch
Tue Oct 8 00:40:47 BST 2002


Hi,

Justin Georgeson wrote:
> I have a server application that is using an anonymous unprivileged 
> port. (don't ask) So in order to make it work behind a firewall, I 
> currently have to start the server, do a netstat and edit the firewall. 

:) Sounds like one of my first implementations for WAP back in 1998. Is 
it TCP? I kind of assume it actually.

> If I can't figure it out from netstat, I have to run a packet sniffer 
> outside the firewall to see what ports the client is trying to connect 

Wouldn't it be easier to fix it?

> to. I believe the developers of the server are fixing it to use a fixed 
> port, but they asked if my firewall supports port triggering. Port

Ah, ok.

> triggering is when use of one port triggers redirection of another port. 

So that application needs a whole port range. Sounds like lousy backup 
software :).

> I'm not sure how this would work, in this particular case, as the 
> client connects on a well known port and, I believe, is told the 
> anonymous port. I'm not so much concerned for this particular server, 

Ok, kinda like ftp. So you would need to load balance this well known 
port and since you get the reply with the crucial information of the 
port you need stickiness/persistency. Now, LVS cannot start load 
balancing on newly negotiated ports unless you write the helper module for 
it, something like ip_vs_ftp.c.

Another possibility would be to use the port 0 service with persistency. 
There it would work I guess, but I haven't tested it actually. From the 
man page:


        -t, --tcp-service service-address
               Use TCP service. The service-address is of the form
               host[:port].  Host may be one of a plain IP address
               or a hostname. Port may be either a plain port number
               or the service name of port. The  Port  may  be
               omitted,  in  which  case zero will be used. A Port
               of zero is only valid if the service is  persistent
               as  the -p|--persistent option, in which case it is
               a wild-card  port,  that  is  connections  will  be
               accepted to any port.


Yes, so I would assume that it will work.

> since they're fixing it to use fixed ports (as a server should), but 
> it's something that may come up in the future. What I am curious about 
> is if a server behind an LVS NAT sends traffic on port x, can LVS 
> dynamically see that and start forwarding ports y-z, which may include 
> x, back to the original server.

LVS would not see that. But the client would try to connect to this new 
port and this would mean that then the load balancer would recognize a 
new port but the old client template and forward it to the same server 
that sent the dynamic port information.

I say yes, it works but wait until others add their comment too. I might 
just be too tired right now.

HTH and regards,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
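Added illustration of the reasoning above (not code from the list or from LVS): a toy model of a virtual service with a fixed port versus a port 0 wild-card service with persistence, showing why a client's follow-up connection to a dynamically negotiated port only reaches the same real server in the second case. Addresses and ports are constructed; the template keying on client IP mirrors the behaviour the man page excerpt describes, not the real ip_vs code.

```python
"""Toy model of LVS port 0 + persistence for a negotiated-port protocol.
Added illustration, not LVS code; addresses/ports are constructed."""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class VirtualService:
    vip: str
    vport: int                 # 0 means wild-card: accept any destination port
    real_servers: list
    persistent: bool = False
    templates: dict = field(default_factory=dict)  # client IP -> chosen real server

    def __post_init__(self):
        self._rr = cycle(self.real_servers)        # round-robin scheduler stand-in

    def matches(self, dst_ip, dst_port):
        return dst_ip == self.vip and (self.vport == 0 or self.vport == dst_port)

    def schedule(self, client_ip, dst_ip, dst_port):
        """Real server a new connection is forwarded to, or None when no
        virtual service matches (the director does not touch that packet)."""
        if not self.matches(dst_ip, dst_port):
            return None
        if not self.persistent:
            return next(self._rr)
        rs = self.templates.get(client_ip)         # persistence template hit?
        if rs is None:
            rs = self.templates[client_ip] = next(self._rr)
        return rs


def ftp_like_session(svc, client_ip, well_known=21, dynamic=40123):
    """Control connection on the well-known port, then a second connection on
    the port the server announced to the client (constructed values)."""
    first = svc.schedule(client_ip, svc.vip, well_known)
    second = svc.schedule(client_ip, svc.vip, dynamic)
    return first, second


if __name__ == "__main__":
    rs = ["10.0.0.11", "10.0.0.12"]
    # Service bound to port 21 only: the dynamic port is not matched at all.
    fixed = VirtualService("192.0.2.10", 21, rs, persistent=True)
    print(ftp_like_session(fixed, "198.51.100.7"))   # ('10.0.0.11', None)
    # Port 0 + persistence: any port accepted, same real server for this client.
    wild = VirtualService("192.0.2.10", 0, rs, persistent=True)
    print(ftp_like_session(wild, "198.51.100.7"))    # ('10.0.0.11', '10.0.0.11')
```

Note that a port 0 service forwards every destination port on the VIP, so whatever the director no longer filters has to be filtered on the real servers themselves.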