Matus UHLAR - fantomas wrote:
> On 04.12.07 10:54, Chris Robertson wrote:
>> To make the server set up the data connection, passive FTP is the
>> correct choice (http://en.wikipedia.org/wiki/FTP#Connection_Methods).
>> Whether that makes the remote server any happier about the data
>> connection originating from a different IP from the control, I can't say.
>
> I think you have misread it. The data connection is opened by the server
> in active/PORT connection. With passive connection, the client opens both
> connections (control and data), and in this case the server can reject
> the data connection if the client makes it from a different IP.

I guess it all comes down to definitions. I interpret "In passive mode,
the FTP server opens a random port..." as the server setting up the data
connection (considering the server controls what port is used), but I
can see the other angle, with the client then initiating a connection to
that port.
With active mode FTP, the server would also be able to refuse to
initiate a connection to a different host than was sending the
commands. Passive, or active, a client specifying a different IP for
data than that used for the control is FXP
(http://en.wikipedia.org/wiki/File_eXchange_Protocol), and is disabled
by default on many FTP servers (original poster's included).
In any case, to help with the original issue...

acl FTP proto FTP
tcp_outgoing_address 192.168.32.15 FTP

...will assure that all FTP data use the listed IP address on a multi-IP
machine. The proto FTP acl could also be used to send all FTP transfers
to a specific parent proxy outside of the load balancing setup with
cache_peer_access.
Chris
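
Added example, not part of the original message and not code from Squid or any FTP server: a sketch of the same-host check discussed above, showing why a multi-IP proxy whose control and data connections leave from different addresses gets refused in both active and passive mode. The function names, the allow_fxp switch and the second address 192.168.32.16 are assumptions made for illustration.

```python
import ipaddress

class DataAddressRejected(Exception):
    """The data-connection endpoint is not the host that owns the control connection."""

def parse_port_argument(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("each PORT field must be in 0-255")
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]

def check_active(control_peer, port_arg, allow_fxp=False):
    """Active mode: the server is asked to connect out to the address in PORT."""
    host, port = parse_port_argument(port_arg)
    if not allow_fxp and host != ipaddress.ip_address(control_peer):
        raise DataAddressRejected(f"PORT names {host}, control is {control_peer}")
    return str(host), port

def check_passive(control_peer, data_peer, allow_fxp=False):
    """Passive mode: the client connects in; compare its source address."""
    if not allow_fxp and ipaddress.ip_address(data_peer) != ipaddress.ip_address(control_peer):
        raise DataAddressRejected(f"data from {data_peer}, control is {control_peer}")
    return True

def demo():
    """Constructed case: proxy host with two addresses talking to one FTP server."""
    results = []
    for label, call in [
        ("active, same IP", lambda: check_active("192.168.32.15", "192,168,32,15,19,137")),
        ("passive, same IP", lambda: check_passive("192.168.32.15", "192.168.32.15")),
        ("passive, other IP", lambda: check_passive("192.168.32.15", "192.168.32.16")),
    ]:
        try:
            call()
            results.append((label, "accepted"))
        except DataAddressRejected as exc:
            results.append((label, f"rejected: {exc}"))
    return results

if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label}: {outcome}")
```

The third case is the situation from the original issue: pinning FTP traffic to one source address, as tcp_outgoing_address does, makes the two addresses match again.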