Mailing List Archive

ftp active - passive problems
I am having problems with my ftp server with lvs-nat.

It seems when connecting to them (I THINK) they are starting up in active
mode, instead of passive mode.

Here are the symptoms: I can connect to the server just fine from home, do
listings, uploads and downloads in both whatever mode they start up in AND
when I explicitly set them to passive mode. Everything works great.

But from work, behind our firewall, it seems like the firewall is blocking
the data connection, until I set it to passive
mode, then I can do listings and up-loads and downloads fine.

From what I understand, ftp servers are supposed to start in passive mode.

I've tried this with two different servers (wu, and muddle) and I get the
same problem with both of them.

I've also made sure it wasn't just the firewall blocking large port numbers
by running the ftp servers right on the director box, and everything works
correctly from there (ie, I don't have to explicitly set to passive mode to do
listings and uploads and downloads).

Is there something the ftpd servers aren't receiving from the client?

Here is my setup:
ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
Re: ftp active - passive problems
Jeremy Kusnetz wrote:
>
> I am having problems with my ftp server with lvs-nat.

do you have the ip_masq_ftp.o module compiled/loaded?

> It seems when connecting to them (I THINK) they are starting up in active
> mode, instead of passive mode.
>
> Here are the symptoms, I can connect to the server

is that the director==LVS==VIP or to the real-server?

Joe

--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
RE: ftp active - passive problems
I wasn't running the ip_masq_ftp module, but after loading it, it doesn't
seem to help
my problem, although now I can ftp out from my realservers.

The problem is running ftpd on the realserver and connecting to it from the
client who is behind a firewall. To verify it wasn't the firewall causing
all the problems, I tried running the ftpd right on the director box (on the
VIP), short circuiting the realservers and LVS, and that worked the way it
should.

-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@epa.gov]
Sent: Monday, January 29, 2001 4:42 PM
To: lvs-users@LinuxVirtualServer.org
Subject: Re: ftp active - passive problems


Jeremy Kusnetz wrote:
>
> I am having problems with my ftp server with lvs-nat.

do you have the ip_masq_ftp.o module compiled/loaded?

> It seems when connecting to them (I THINK) they are starting up in active
> mode, instead of passive mode.
>
> Here are the symptoms, I can connect to the server

is that the director==LVS==VIP or to the real-server?

Joe

--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
Re: ftp active - passive problems
Jeremy Kusnetz wrote:

>
> The problem is running ftpd on the realserver and connecting to it from the
> client who is behind a firewall.

so connecting from a client inside the fw works OK?

I really don't understand the problem. Can you tell me

what you saw
(if relevant, what you did to set it up)
what you expected
why this is a problem

Thanks Joe


--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
Re: ftp active - passive problems
Jeremy Kusnetz wrote:
>
> I wasn't running the ip_masq_ftp module, but after loading it, it doesn't
> seem to help

yes despite what the ipvsadm man page says, I get ftp to work with VS-NAT
with and without ip_masq_adm

Joe

--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
RE: ftp active - passive problems
The symptoms:
When connecting to LVS ftpd servers from behind a firewall, you can not do
listing, or file upload and download, ie. the data port is being blocked.
One must explicitly set the server into passive mode after logging into the
ftpd server to be able to perform these functions.

What I expect:
I expect the ftpd servers to start off in passive mode and allow transfers
through the firewall. This is how it happens when I am not using LVS. ie,
the ftpd server is on the VIP itself, not the realservers.

Why it's bad:
This is bad because this is an extra step that most people don't have to do,
and many novice users won't know how to do.

This is a problem with LVS because when going to the same version and
configuration of the ftpd server that are NOT going through LVS, you do not
have to set the servers to passive, it just works, even from behind the
firewall.

There is SOMETHING that by going through LVS is causing this to happen.
There must be something that going through LVS-NAT is blocking from the ftpd
servers giving them enough information to go into passive mode which is what
I believe the RFC says ftpd is supposed to do.

Here is the configuration that isn't working:

client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
client can't see without LVS)

Here is my setup:
ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m

I am using version 0.9.15 for kernel 2.2.16

-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@epa.gov]
Sent: Tuesday, January 30, 2001 11:24 AM
To: lvs-users@LinuxVirtualServer.org
Subject: Re: ftp active - passive problems


Jeremy Kusnetz wrote:

>
> The problem is running ftpd on the realserver and connecting to it from the
> client who is behind a firewall.

so connecting from a client inside the fw works OK?

I really don't understand the problem. Can you tell me

what you saw
(if relevant, what you did to set it up)
what you expected
why this is a problem

Thanks Joe


--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
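An added example (not code from the thread, the LVS project or the ip_masq_ftp module) illustrating the point under discussion: the FTP control channel carries IP addresses and ports inside PORT commands and 227 "Entering Passive Mode" replies, so when a real-server on a 10.x network answers PASV through a NAT director, something must rewrite the unroutable address to the VIP, which is the job of the FTP masquerading helper Joe asks about. The example also shows how to tell from a captured control channel (tcpdump of port 21, as Joe suggests) whether a session went active or passive. The sample control-channel lines, the real-server address 10.0.0.1 and the VIP 203.0.113.10 are constructed, not the poster's.

```python
"""Decode FTP PORT / 227 address tuples and show the NAT-helper rewrite.

Added example; sample lines and addresses are constructed (RFC 1918 private
and RFC 5737 documentation ranges), not the poster's real setup.
"""

import ipaddress
import re
from typing import Iterable, Optional, Tuple

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply (RFC 959).
_HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

# Constructed addresses: a real-server on the 10. network behind the director, and the VIP.
REAL_SERVER_IP = "10.0.0.1"
VIP = "203.0.113.10"

_RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if absent or out of range."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: build the comma-separated tuple for ip:port."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def data_connection_mode(control_lines: Iterable[str]) -> str:
    """Classify a captured control channel as 'active', 'passive' or 'unknown'.

    A PORT command from the client means active mode: the server opens the data
    connection back to the client, which a client-side firewall usually blocks.
    A 227 reply from the server means passive mode: the client opens the data
    connection outbound, which that firewall lets through.
    """
    mode = "unknown"
    for line in control_lines:
        if line.upper().startswith("PORT "):
            mode = "active"
        elif line.startswith("227 "):
            mode = "passive"
    return mode


def rewrite_pasv_reply(reply: str, real_ip: str, vip: str) -> str:
    """Rewrite the real-server address embedded in a 227 reply to the VIP.

    This is the rewrite an FTP NAT helper performs on the control channel.
    Without it the client is told to connect to a 10.x address it cannot reach
    and passive transfers through the director fail. Replies naming any other
    address are returned unchanged.
    """
    decoded = decode_hostport(reply)
    if decoded is None or decoded[0] != real_ip:
        return reply
    return _HOSTPORT.sub(encode_hostport(vip, decoded[1]), reply, count=1)


def is_rfc1918(ip: str) -> bool:
    """True if the address is private (RFC 1918) and so unreachable from the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


if __name__ == "__main__":
    # Constructed control-channel capture of a passive-mode session to a real-server.
    passive_session = [
        "USER anonymous",
        "331 Please specify the password.",
        "PASS guest@example.org",
        "230 Login successful.",
        "PASV",
        "227 Entering Passive Mode (10,0,0,1,19,137)",
        "LIST",
    ]
    reply = passive_session[5]
    ip, port = decode_hostport(reply)
    print("mode:", data_connection_mode(passive_session))
    print("real-server advertised", ip, port, "private:", is_rfc1918(ip))
    fixed = rewrite_pasv_reply(reply, REAL_SERVER_IP, VIP)
    print("after NAT helper:", fixed, "->", decode_hostport(fixed))
```

Running the script shows the real-server advertising an RFC 1918 address in its 227 reply and the same reply after the VIP has been substituted; the port is left alone, since the director's NAT still forwards that port to the real-server. In active mode the direction is reversed: the real-server connects out to the address in the client's PORT command, and a firewall in front of the client that only allows outbound connections will drop it, which matches the symptom described in the thread.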
Re: ftp active - passive problems
Jeremy Kusnetz wrote:
>
> The symptoms:
> When connecting to LVS ftpd servers from behind a firewall, you can not do
> listing, or file upload and download, ie. the data port is being blocked.
> One must explicitly set the server into passive mode after logging into the
> ftpd server to be able to perform these functions.

what happens when you try to ftp from a client inside the firewall?
(don't delete the rest of this posting in your reply)

Joe

> What I expect:
> I expect the ftpd servers to start off in passive mode and allow transfers
> through the firewall. This is how it happens when I am not using LVS. ie,
> the ftpd server is on the VIP itself, not the realservers.
>
> Why it's bad:
> This is bad because this is an extra step that most people don't have to do,
> and many novice users won't know how to do.
>
> This is a problem with LVS because when going to the same version and
> configuration of the ftpd server that are NOT going through LVS, you do not
> have to set the servers to passive, it just works, even from behind the
> firewall.
>
> There is SOMETHING that by going through LVS is causing this to happen.
> There must be something that going through LVS-NAT is blocking from the ftpd
> servers giving them enough information to go into passive mode which is what
> I believe the RFC says ftpd is supposed to do.
>
> Here is the configuration that isn't working:
>
> client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
> client can't see without LVS)
>
> Here is my setup:
> ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
>
> I am using version 0.9.15 for kernel 2.2.16


--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
RE: ftp active - passive problems
When the client is INSIDE the firewall I get the data port being blocked by
the firewall. I have to set it to passive mode in order for the data port
not be blocked.

When the client is OUTSIDE the firewall the data port does NOT get blocked
in either active or passive mode.

But like I said, if the ftpd server is not using LVS-NAT, the firewall does
NOT block the data port to the same client INSIDE the firewall, and I am not
having to set it to passive mode. So I believe this is an active-passive
problem. ie, the firewall is blocking active mode connections, but lets
passive get through.

-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@epa.gov]
Sent: Tuesday, January 30, 2001 11:24 AM
To: lvs-users@LinuxVirtualServer.org
Subject: Re: ftp active - passive problems


Jeremy Kusnetz wrote:
>
> The symptoms:
> When connecting to LVS ftpd servers from behind a firewall, you can not do
> listing, or file upload and download, ie. the data port is being blocked.
> One must explicitly set the server into passive mode after logging into the
> ftpd server to be able to perform these functions.

what happens when you try to ftp from a client inside the firewall?
(don't delete the rest of this posting in your reply)

Joe

> What I expect:
> I expect the ftpd servers to start off in passive mode and allow transfers
> through the firewall. This is how it happens when I am not using LVS. ie,
> the ftpd server is on the VIP itself, not the realservers.
>
> Why it's bad:
> This is bad because this is an extra step that most people don't have to do,
> and many novice users won't know how to do.
>
> This is a problem with LVS because when going to the same version and
> configuration of the ftpd server that are NOT going through LVS, you do not
> have to set the servers to passive, it just works, even from behind the
> firewall.
>
> There is SOMETHING that by going through LVS is causing this to happen.
> There must be something that going through LVS-NAT is blocking from the ftpd
> servers giving them enough information to go into passive mode which is what
> I believe the RFC says ftpd is supposed to do.
>
> Here is the configuration that isn't working:
>
> client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
> client can't see without LVS)
>
> Here is my setup:
> ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
>
> I am using version 0.9.15 for kernel 2.2.16


--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
Re: ftp active - passive problems
Jeremy Kusnetz wrote:
>
> When the client is INSIDE the firewall I get the data port being blocked by
> the firewall.

When I say "inside the firewall" I mean, that the client is inside the
region protected by the firewall and therefore can connect directly
to the director.

What happens when the client directly connects to the director?

Joe

> I have to set it to passive mode in order for the data port
> not be blocked.
>
> When the client is OUTSIDE the firewall the data port does NOT get blocked
> in either active or passive mode.
>
> But like I said, if the ftpd server is not using LVS-NAT, the firewall does
> NOT block the data port to the same client INSIDE the firewall, and I am not
> having to set it to passive mode. So I believe this is an active-passive
> problem. ie, the firewall is blocking active mode connections, but lets
> passive get through.
>
> -----Original Message-----
> From: Joseph Mack [mailto:mack.joseph@epa.gov]
> Sent: Tuesday, January 30, 2001 11:24 AM
> To: lvs-users@LinuxVirtualServer.org
> Subject: Re: ftp active - passive problems
>
> Jeremy Kusnetz wrote:
> >
> > The symptoms:
> > When connecting to LVS ftpd servers from behind a firewall, you can not do
> > listing, or file upload and download, ie. the data port is being blocked.
> > One must explicitly set the server into passive mode after logging into the
> > ftpd server to be able to perform these functions.
>
> what happens when you try to ftp from a client inside the firewall?
> (don't delete the rest of this posting in your reply)
>
> Joe
>
> > What I expect:
> > I expect the ftpd servers to start off in passive mode and allow transfers
> > through the firewall. This is how it happens when I am not using LVS. ie,
> > the ftpd server is on the VIP itself, not the realservers.
> >
> > Why it's bad:
> > This is bad because this is an extra step that most people don't have to do,
> > and many novice users won't know how to do.
> >
> > This is a problem with LVS because when going to the same version and
> > configuration of the ftpd server that are NOT going through LVS, you do not
> > have to set the servers to passive, it just works, even from behind the
> > firewall.
> >
> > There is SOMETHING that by going through LVS is causing this to happen.
> > There must be something that going through LVS-NAT is blocking from the ftpd
> > servers giving them enough information to go into passive mode which is what
> > I believe the RFC says ftpd is supposed to do.
> >
> > Here is the configuration that isn't working:
> >
> > client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
> > client can't see without LVS)
> >
> > Here is my setup:
> > ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
> >
> > I am using version 0.9.15 for kernel 2.2.16
>
> --
> Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
> contractor to the National Environmental Supercomputer Center,
> mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
> Send requests to lvs-users-request@LinuxVirtualServer.org
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users

--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
RE: ftp active - passive problems
I think we might be talking about different things.

There isn't a firewall in front of the director, the director is basically
opened up to the world. It is in a sense acting as a firewall to the
realservers since you have to go through LVS to get to them.

The firewall I am referring to is a firewall that the client (my work
computer) is behind, this is where the problems are.

Using a client at home (no firewall, therefore it connects directly to the
director) I can download in both passive and active mode. I don't have to
tell it to go to passive mode. I do believe however that the server is in
active mode when I connect, but I am not sure. How can I tell? The only
way I knew it was in active mode is because the firewall at work blocks the
data port in active connections, but not passive mode connections.

Is this what you are asking?

-----Original Message-----
From: Joseph Mack [mailto:mack.joseph@epa.gov]
Sent: Wednesday, January 31, 2001 1:39 PM
To: lvs-users@LinuxVirtualServer.org
Subject: Re: ftp active - passive problems


Jeremy Kusnetz wrote:
>
> When the client is INSIDE the firewall I get the data port being blocked by
> the firewall.

When I say "inside the firewall" I mean, that the client is inside the
region protected by the firewall and therefore can connect directly
to the director.

What happens when the client directly connects to the director

Joe

> I have to set it to passive mode in order for the data port
> not be blocked.
>
> When the client is OUTSIDE the firewall the data port does NOT get blocked
> in either active or passive mode.
>
> But like I said, if the ftpd server is not using LVS-NAT, the firewall does
> NOT block the data port to the same client INSIDE the firewall, and I am not
> having to set it to passive mode. So I believe this is an active-passive
> problem. ie, the firewall is blocking active mode connections, but lets
> passive get through.
>
> -----Original Message-----
> From: Joseph Mack [mailto:mack.joseph@epa.gov]
> Sent: Tuesday, January 30, 2001 11:24 AM
> To: lvs-users@LinuxVirtualServer.org
> Subject: Re: ftp active - passive problems
>
> Jeremy Kusnetz wrote:
> >
> > The symptoms:
> > When connecting to LVS ftpd servers from behind a firewall, you can not do
> > listing, or file upload and download, ie. the data port is being blocked.
> > One must explicitly set the server into passive mode after logging into the
> > ftpd server to be able to perform these functions.
>
> what happens when you try to ftp from a client inside the firewall?
> (don't delete the rest of this posting in your reply)
>
> Joe
>
> > What I expect:
> > I expect the ftpd servers to start off in passive mode and allow transfers
> > through the firewall. This is how it happens when I am not using LVS. ie,
> > the ftpd server is on the VIP itself, not the realservers.
> >
> > Why it's bad:
> > This is bad because this is an extra step that most people don't have to do,
> > and many novice users won't know how to do.
> >
> > This is a problem with LVS because when going to the same version and
> > configuration of the ftpd server that are NOT going through LVS, you do not
> > have to set the servers to passive, it just works, even from behind the
> > firewall.
> >
> > There is SOMETHING that by going through LVS is causing this to happen.
> > There must be something that going through LVS-NAT is blocking from the ftpd
> > servers giving them enough information to go into passive mode which is what
> > I believe the RFC says ftpd is supposed to do.
> >
> > Here is the configuration that isn't working:
> >
> > client--firewall--director/VIP/LVS-NAT--realservers(ftpd)(10. network,
> > client can't see without LVS)
> >
> > Here is my setup:
> > ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m
> >
> > I am using version 0.9.15 for kernel 2.2.16
>
> --
> Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
> contractor to the National Environmental Supercomputer Center,
> mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
> Send requests to lvs-users-request@LinuxVirtualServer.org
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users

--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
RE: ftp active - passive problems
On Wed, 31 Jan 2001, Jeremy Kusnetz wrote:

> I think we might be talking about different things.

Here's what I've got.

The LVS works fine from one client (at home), but doesn't work
for another client (the one you're interested in), who has to go through
a firewall to get to the director.


> There isn't a firewall in front of the director, the director is basically
> opened up to the world. It is in a sense acting as a firewall to the
> realservers since you have to go through LVS to get to them.
>
> The firewall I am referring to is a firewall that the client (my work
> computer) is behind, this is where the problems are.
>
> Using a client at home (no firewall, therefore it connects directly to the
> director) I can download in both passive and active mode. I don't have to
> tell it to go to passive mode.

I didn't know you could tell it to do this. I presumed the ftpd could tell
whether it had an active or passive ftp client, but I didn't know.

> I do believe however that the server is in
> active mode when I connect, but I am not sure. How can I tell?

I expect you could watch the real-server with tcpdump to see what ports it
is using for ftp.

> The only
> way I knew it was in active mode is because the firewall at work blocks the
> data port in active connections, but not passive mode connections.

is changing the firewall an option?
Is making the data available through http an option?

> > I have to set it to passive mode in order for the data port
> > not be blocked.
> >
> > When the client is OUTSIDE the firewall the data port does NOT get blocked
> > in either active or passive mode.

this doesn't make sense. I assume your "outside" and mine are
different.

> > But like I said, if the ftpd server is not using LVS-NAT, the firewall does
> > NOT block the data port to the same client INSIDE the firewall, and I am not
> > having to set it to passive mode.

can't parse this. It works fine for VS-DR?

> > So I believe this is an active-passive
> > problem. ie, the firewall is blocking active mode connections, but lets
> > passive get through.

> > >
> > > Here is my setup:
> > > ipvsadm -A -t 216.xxx.xxx.xxx:ftp -s lc -p 540
> > > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.1 -m
> > > ipvsadm -a -t 216.xxx.xxx.xxx:ftp -r 10.xxx.xxx.2 -m

what are your ipchains rules on the director to masquerade
the ftp and ftp-data ports from the real-servers?

Joe

--
Joseph Mack mack@ncifcrf.gov