LVS breaking ip_nat_ftp (??)

Antonio Forster aforster at gmail.com
Tue Nov 7 13:32:26 GMT 2006


Hi Joe,

I believe I was not clear enough. I don't want to FTP into the
cluster, but only from the real servers to other environments out of
the cluster. I supposed since that was only an outbound connection, LVS
would not interfere with it, but I can see I'm wrong. Are your comments
still valid in this situation?

Thanks, and best regards!

Antonio

On 11/7/06, Joseph Mack NA3T <jmack at wm7d.net> wrote:
> On Tue, 7 Nov 2006, Antonio Forster wrote:
>
>
> Julian,
>         Is this a problem you recognise?
>
> > Hello all,
>
> Hi Antonio,
>
>         Unfortunately ftp and LVS have had more than their
> share of problems.
>
> > The problem arrives when the outbound connection is FTP. For some
> > strange reason, if more than one instance on that N:1 NAT is active,
> > it breaks ip_nat_ftp and the PORT command in the ftp session goes with
> > the real IP address of the instance, while if only one instance in
> > that virtual server is active, ip_nat_ftp works fine. An example:
>
> the first LVS-NAT ftp helper broke the regular NAT ftp
> helper, then a later version was compatible. Maybe they're
> incompatible again.
>
> > Unfortunately we cannot use passive FTP due to security rules, so
> > active must be used. But we tested passive ftp sessions, and it works
> > ok though.
> >
> > For some reason, it seems that ip_nat_ftp's behavior is being changed
> > by the LVS code, but I couldn't find why.
>
> There are other problems with the LVS-NAT code at the moment
>
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#lvs_nat_problems
>
> you can read about the LVS ftp helper here
>
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.multi-port.html#ftp
>
> I expect you've found a bug. You're the first person in
> forever to want to ftp in both directions. I don't expect
> this bug is going to get much attention from anyone, I'm
> sorry. Can you scp/sftp out from the director using files
> nfs mounted from the realserver (terrible security problem I
> know)?
>
> Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
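
A way to confirm the symptom described in this thread from the outside of the NAT box: read the FTP control-channel commands as seen after translation and flag every PORT command whose address is not the NAT address. This is an added example, not code from the thread or from the LVS project; the function names, the sample lines and all addresses are constructed, and it assumes the control channel was captured in clear text on the external side.

```python
import ipaddress
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" names the address and port the
# server must connect back to for the active-mode data connection.
PORT_RE = re.compile(r"^PORT\s+" + r",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(line):
    """Return (IPv4Address, port) for a PORT command, or None for anything else."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet or port byte
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]

def untranslated_ports(control_lines, nat_addr):
    """List (line_no, addr, port) for PORT commands the NAT helper did not rewrite."""
    nat = ipaddress.IPv4Address(nat_addr)
    findings = []
    for no, line in enumerate(control_lines, 1):
        parsed = parse_port(line)
        if parsed and parsed[0] != nat:
            findings.append((no, str(parsed[0]), parsed[1]))
    return findings

# Constructed sample: commands as seen on the external side of the NAT.
SAMPLE = [
    "USER backup",
    "PORT 203,0,113,10,195,80",  # rewritten to the NAT address (helper worked)
    "LIST",
    "PORT 10,0,0,12,195,81",     # real server address went out unchanged
    "RETR report.txt",
]

if __name__ == "__main__":
    for no, addr, port in untranslated_ports(SAMPLE, "203.0.113.10"):
        print(f"line {no}: PORT advertises {addr}:{port}, not the NAT address")
```
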
