ratz at drugphish.ch
Tue Oct 8 00:40:47 BST 2002
Justin Georgeson wrote:
> I have a server application that is using an anonymous unpriviledged
> port. (don't ask) So in order to make it work behind a firewall, I
> currently have to start the server, do a netstat and edit the firewall.
:) Sounds like one of my first implementations for WAP back in 1998. Is
it TCP? I kind of assume it actually.
> If I can't figure it out from netstat, I have to run a packet sniffer
> outside the firewall to see what ports the client is trying to connect
Wouldn't it be easier to fix it?
> to. I believe the developers of the server are fixing it to use a fixed
> port, but they asked if my firewall supports port triggering. Port
> triggering is when use of one port triggers redirection of another port.
So that application needs a whole port range. Sounds like lousy backup
> I'm not sure how this would work, in this particular case, as the
> client connects on a well known port and, I believe, is told the
> anonymous port. I'm not so muched concerned for this particular server,
Ok, kinda like ftp. So you would need to load balance this well known
port and since you get the reply with the crucial information of the
port you need stickyness/persistency. Now, LVS cannot start load
balancing on newly negotiated ports unless you write the help module for
it, something like ip_vs_ftp.c.
Another possibility would be to use the port 0 service with persistency.
There it would work I guess, but I haven't tested it actually. From the
-t, --tcp-service service-address
Use TCP service. The service-address is of the form
host[:port]. Host may be one of a plain IP address
or a hostname. Port may be either a plain port num
ber or the service name of port. The Port may be
omitted, in which case zero will be used. A Port
of zero is only valid if the service is persistent
as the -p|--persistent option, in which case it is
a wild-card port, that is connections will be
accepted to any port.
Yes, so I would assume that it will work.
> since they're fixing it to use fixed ports (as a server should), but
> it's something that may come up in the future. What I am curious about
> is if a server behind an LVS NAT sends traffic on port x, can LVS
> dynamically see that and start forwarding ports y-z, which may include
> x, back to the original server.
LVS would not see that. But the client would try to connect to this new
port and this would mean that then the load balancer would recognize a
new port but the old client template and forward it to the same server
that sent the dynamic port information.
I say yes, it works but wait until others add their comment too. I might
just be too tired right now.
HTH and regards,
Roberto Nibali, ratz
More information about the lvs-users