Re: [squid-users] FTP through Squid and pf.conf with load balancing dsl

From: Daniel Porres <chancleta@dont-contact.us>
Date: Mon, 3 Dec 2007 10:17:24 +0100

It works! With these lines inside pf.conf, not a very nice solution, but it works:

# Pin the FTP control connection (port 21) and the passive data connections
# (ports >1023) to the same adsl link, so both leave from one public address.
pass in on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $lan_net to \
port 21 keep state
pass in on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $lan_net to \
port >1023 keep state

Hope this helps other people.

Daniel
-
network engineer

On 02/12/2007, Daniel Porres <chancleta@gmail.com> wrote:
> Thanks for the reply. I've seen that ftp_passive is enabled on
> squid by default, so it's not needed to enable it.
> Later, thinking about this again, I'm going to try without squid as ftp
> proxy because it should be difficult to select only ftp traffic from the
> squid machine, because it is mixed on the same port with http traffic.
> So to solve the problem, I will send ftp connections through only one
> adsl, which makes ftp work without problems for a user inside the LAN
> connecting to an ftp server in passive mode.
>
> I will put these rules in pf.conf on the openbsd firewall.
>
> pass in on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $lan_net to \
> !$vpn_net port 21 keep state
>
> #ports on ftp openbsd servers
> #according to openbsd documentation
> pass in on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $lan_net to \
> !$vpn_net port >49151 keep state
>
> #ports in ftp passive servers
> #according to wikipedia
> pass in on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $lan_net to \
> port >1023 keep state
>
>
> I haven't tried it yet; tomorrow let's see if it works.
> Any comment would be much appreciated.
>
> Regards,
> -
> Daniel
> network engineer
>
>
> On 02/12/2007, Amos Jeffries <squid3@treenet.co.nz> wrote:
> > Daniel Porres wrote:
> > > Hi friends,
> > >
> > > I'm having some problems making an FTP connection (control and
> > > data) possible. Very often the control connection is established on one adsl and the
> > > data connection on the other dsl, and the far server doesn't like that.
> > > I'm thinking of using the squid ftp proxy below the firewall on another machine
> > > and processing the data to later send all ftp to the OpenBSD firewall.
> > > I don't know how to identify squid ftp data to send it only by one adsl
> > > and solve the problem of the load balancing with ftp connections.
> > >
> > > Thanks,
> >
> > Have you tried with "ftp_passive on"?
> > That should make the remote server set up the data connection.
> >
> > Amos
> >
>
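An added example, not from the thread, showing the alternative pf offers for this problem: instead of pinning every high-port TCP connection from the LAN to link 1 (which also removes most non-FTP traffic from the load balancing), keep round-robin across both links but use sticky-address so all connections from a given LAN host leave through the same link. Interface names, gateways and networks are placeholders; the syntax is the pre-OpenBSD 4.7 style used in the rules above.

```pf
# Placeholder macros, adjust to the real interfaces and addresses.
ext_if1 = "pppoe0"
ext_if2 = "pppoe1"
ext_gw1 = "203.0.113.1"      # gateway of adsl link 1 (placeholder)
ext_gw2 = "198.51.100.1"     # gateway of adsl link 2 (placeholder)
int_if  = "fxp0"
lan_net = "192.168.1.0/24"
vpn_net = "10.8.0.0/24"

# NAT on each link, so a connection is seen by the far server with the
# public address of the link it actually left on.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Balance new TCP connections across both links, but sticky-address keeps
# every connection from the same LAN host on the link chosen for its first
# connection. A passive-mode FTP client therefore opens the control
# connection (port 21) and the data connection (port >1023) from the same
# public address, which is what the remote server checks.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto tcp from $lan_net to !$vpn_net keep state

# Make sure packets sourced from one link's address leave on that link,
# otherwise a reply could be routed out the wrong adsl.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the stray `}` in the rules posted above is the kind of typo that check reports without touching the running ruleset. Sticky entries expire once the host has no states left, so a client that idles long enough between control and data connections can still be moved to the other link.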
Received on Mon Dec 03 2007 - 02:17:27 MST

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST