Re: [squid-users] FTP through Squid and pf.conf with load balancing dsl

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 06 Dec 2007 23:57:16 +1300

Chris Robertson wrote:
> Matus UHLAR - fantomas wrote:
>> On 04.12.07 10:54, Chris Robertson wrote:
>>
>>> To make the server set up the data connection, passive FTP is the
>>> correct choice (http://en.wikipedia.org/wiki/FTP#Connection_Methods).
>>>
>>> Whether that makes the remote server any happier about the data
>>> connection originating from a different IP from the control, I can't
>>> say.
>>>
>>
>> I think you have misread it. The data connection is opened by the
>> server in active/PORT connection. With passive connection, client
>> opens both connections (control and data) and in this case the server
>> can reject data connection, if client makes it from different IP.
>>
>
> I guess it all comes down to definitions. I interpret "In passive mode,
> the FTP server opens a random port..." as the server setting up the data
> connection (considering the server controls what port is used), but I
> can see the other angle, with the client then initiating a connection to
> that port.
>
> With active mode FTP, the server would also be able to refuse to
> initiate a connection to a different host than was sending the
> commands. Passive, or active, a client specifying a different IP for
> data than that used for the control is FXP
> (http://en.wikipedia.org/wiki/File_eXchange_Protocol), and is disabled
> by default on many FTP servers (original poster's included).
>
> In any case, to help with the original issue...
>
> acl FTP proto FTP
> tcp_outgoing_address 192.168.32.15 FTP
>
> ...will assure that all FTP data use the listed IP address on a multi-IP
> machine. The proto FTP acl could also be used to send all FTP transfers
> to a specific parent proxy outside of the load balancing setup with
> cache_peer_access.
>
> Chris

Well ...

To 'initiate' passive data mode is to send a PASV or PORT control
message. To do that the _sender_ must already have a data listening port
open and ready to 'passively' receive the response.
To my mind that makes the side which is capable of receiving anonymous
FTP connects in passive. If your squid is connecting _out_ badly, _it_
must be in passive and accept requests from clients.

This is how squid behaves with "ftp_passive on". It just opens a
listening socket (on port 20 I believe) and issues a number of
PORT/EPRT/PASV/EPSV controls to tell the client where to connect to.

Back to the initial problem; it was with _squid_ outgoing data traffic
going through the wrong ADSL link. Which to me means the passive was
OFF, or the client incoming request came _in_ through that second ADSL.

I considered the possibility squid might be sending the wrong IP in
PASV. BUT, found that it's looking up the dst-IP of the control
connection to generate the PASV. That means it sends out the IP the
client is connecting to.
There is only a small possibility of this going wrong if in transparent
mode.

Amos
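The point Amos makes above, that the address advertised in a PASV reply is derived from the control connection and that a mismatch is what a multi-link setup (or the FXP case Chris mentions) would produce, can be checked mechanically. The following is an added example written for this archive page; it is not code from Squid or from anyone in the thread. It builds a 227 reply the way a proxy that copies the control-connection address would, parses 227 (PASV) and 229 (EPSV) replies, and flags a data-channel address that differs from the control peer. The sample replies and the hypothetical 192.168.32.15 address are constructed for the example, and the function names are mine.

```python
import re
from ipaddress import ip_address

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)".
# EPSV carries only a port; the host is always the control-connection peer.
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def build_pasv_reply(control_ip: str, data_port: int) -> str:
    """Format a 227 reply that advertises the control-connection address.

    This mirrors the behaviour Amos describes: the advertised host is the
    address the client is already talking to, so the data connection
    comes from the same peer as the control connection.
    """
    if not 0 < data_port < 65536:
        raise ValueError("data port out of range: %r" % data_port)
    octets = control_ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("PASV needs an IPv4 address; use EPSV for IPv6")
    p1, p2 = divmod(data_port, 256)
    return "227 Entering Passive Mode (%s,%d,%d)" % (",".join(octets), p1, p2)


def parse_passive_reply(reply: str, control_ip: str) -> tuple:
    """Return (host, port) the client should use for the data channel."""
    m = PASV_RE.match(reply)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        if max(a, b, c, d, p1, p2) > 255:
            raise ValueError("octet out of range in 227 reply: %r" % reply)
        return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        # EPSV gives no host, so the data host is the control peer by definition.
        return control_ip, int(m.group(1))
    raise ValueError("not a 227/229 passive-mode reply: %r" % reply)


def data_channel_matches_control(reply: str, control_ip: str) -> bool:
    """True when the advertised data host equals the control-connection peer.

    A False result is the situation the thread discusses: the data
    connection would arrive from (or go to) a different address than the
    control connection, which strict servers reject as FXP-style traffic.
    """
    host, _port = parse_passive_reply(reply, control_ip)
    return ip_address(host) == ip_address(control_ip)


if __name__ == "__main__":
    # Constructed sample values, not captured from the original poster's setup.
    control = "192.168.32.15"
    good = build_pasv_reply(control, 20)
    bad = "227 Entering Passive Mode (10,0,0,5,195,80)"
    epsv = "229 Entering Extended Passive Mode (|||50000|)"
    for r in (good, bad, epsv):
        print(r, "->", parse_passive_reply(r, control),
              "consistent" if data_channel_matches_control(r, control) else "MISMATCH")
```

Run against a captured control-channel transcript, the mismatch branch is the one to look for when a multi-homed proxy is suspected of advertising the wrong link's address.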
Received on Thu Dec 06 2007 - 03:57:23 MST
